Land rapid7#5181, Revert unwanted URI encoding

firefart · firefart · commit 3417c3f5ab41 · 2015-04-18T11:55:19.000+02:00
diff --git a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
@@ -81,6 +81,7 @@ def run_host(ip)
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
         },
+        'encode_params' => false,
         'vars_get' => {
           'sap-client'    => datastore['CLIENT'],
           'sap-language'  => 'EN'
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
@@ -123,6 +123,7 @@ def bruteforce(username,password,client)
       'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}",
       'ctype' => 'text/xml; charset=UTF-8',
       'authorization' => basic_auth(username, password),
+      'encode_params' => false,
       'headers' =>
         {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb
@@ -102,6 +102,7 @@ def exec_command(ip,data)
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
         },
+        'encode_params' => false,
         'vars_get' => {
           'sap-client'    => datastore['CLIENT'],
           'sap-language'  => 'EN'
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
@@ -103,6 +103,7 @@ def exec_command(ip,data)
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
         },
+        'encode_params' => false,
         'vars_get' => {
           'sap-client'    => datastore['CLIENT'],
           'sap-language'  => 'EN'
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
@@ -71,6 +71,7 @@ def run_host(ip)
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
         },
+        'encode_params' => false,
         'vars_get' => {
           'sap-client'    => client,
           'sap-language'  => 'EN'
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb
@@ -89,6 +89,7 @@ def exec(ip,fields)
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
         },
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb
@@ -75,6 +75,7 @@ def run_host(ip)
         'data' => data,
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers'  => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb
@@ -78,6 +78,7 @@ def run_host(ip)
         'data' => data,
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
@@ -78,6 +78,7 @@ def run_host(ip)
         'data' => data,
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' =>{
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb
@@ -94,6 +94,7 @@ def run_host(ip)
         'data' => data,
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' =>{
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
diff --git a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb
@@ -69,6 +69,7 @@ def run_host(ip)
         'data' => data,
         'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb
@@ -105,6 +105,7 @@ def exploit
       res = send_request_cgi({
         'uri'       => '/admin/system.html',
         'cookie'    => "usercookie=#{user}; passcookie=#{pass};",
+        'encode_params' => false,
         'vars_get'  => {
           'step'    => '2',
           'device'  => "lo#{cmd}"
diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
@@ -102,6 +102,7 @@ def exploit
       login = send_request_cgi({
         'uri' => normalize_uri(target_uri.path, '/index.php'),
         'method' => 'POST',
+        'encode_params' => false,
         'vars_post' => post,
         'vars_get' => {
           'c' => 'login',
diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb
@@ -97,6 +97,7 @@ def exploit
       res = send_request_cgi({
         'uri'           => '/index.cgi',
         'authorization' => basic_auth(user, pass),
+        'encode_params' => false,
         'vars_get'      => {
           'nlines'  => lines,
           'action'  => 'See logs',
diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb
@@ -66,6 +66,7 @@ def login(user, pass)
       'uri'       => normalize_uri(@uri.path, 'j_spring_security_check'),
       'method'    => 'POST',
       'cookie'    => @cookie,
+      'encode_params' => false,
       'vars_post' => {
         'j_username' => Rex::Text.uri_encode(user, 'hex-normal'),
         'j_password' => Rex::Text.uri_encode(pass, 'hex-normal'),
@@ -86,6 +87,7 @@ def get_nonce
     res = send_request_cgi({
       'uri' => normalize_uri(@uri.path, 'mastheadAttach.do'),
       'cookie' => @cookie,
+      'encode_params' => false,
       'vars_get' => {
         'typeId' => '10003'
       }
@@ -144,6 +146,7 @@ def http_send_command(java)
       'method'    => 'POST',
       'uri'       => normalize_uri(@uri.path, 'hqu/gconsole/console/execute.hqu?org.apache.catalina.filters.CSRF_NONCE=')+@nonce,
       'cookie'    => @cookie,
+      'encode_params' => false,
       'vars_post' => {
         'code' => java # java_craft_runtime_exec(cmd)
       }
diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb
@@ -184,6 +184,7 @@ def exploit
       'uri'     => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'),
       'method'  => 'POST',
       'data'    => data,
+      'encode_params' => false,
       'headers' => {
         'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
         'Content-Length' => data.length,
@@ -202,6 +203,7 @@ def exploit
       print_status("Deleting plugin #{plugin_name} from the server")
       res = send_request_cgi({
         'uri'     => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'),
+        'encode_params' => false,
         'headers' => {
           'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
         },
diff --git a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb
@@ -71,6 +71,7 @@ def exploit
         'uri'		=> '/robohelp/server',
         'version'	=> '1.1',
         'method'	=> 'POST',
+        'encode_params' => false,
         'data'		=> file,
         'headers'	=> {
           'Content-Type'		=> 'multipart/form-data; boundary=---------------------------' + uid,
diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb
@@ -54,6 +54,7 @@ def upload_file(filename, contents)
       'method'    => 'POST',
       'data'      => contents,
       'ctype'     => 'text/html',
+      'encode_params' => false,
       'vars_get'  => {
         'computerName'  => 'DesktopCentral',
         'domainName'    => 'webapps',
diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb
@@ -85,6 +85,7 @@ def exploit
     send_request_cgi({
       'uri'		  => '/OvCgi/ovalarm.exe',
       'method'	  => "GET",
+      'encode_params' => false,
       'headers'  => {
         'Accept-Language' => sploit
       },
diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb
@@ -70,6 +70,7 @@ def exploit
     res = send_request_cgi({
       'uri'       => normalize_uri(datastore['DIR'], 'Login.jsp'),
       'method'    => 'GET',
+      'encode_params' => false,
       'headers'   => {
         'Accept' => '*/*',
       },
diff --git a/modules/exploits/windows/http/zenworks_uploadservlet.rb b/modules/exploits/windows/http/zenworks_uploadservlet.rb
@@ -73,6 +73,7 @@ def exploit
       'headers'   => {
         'Content-Type' => 'application/octet-stream',
       },
+      'encode_params' => false,
       'vars_get'  => {
         'filename' => "../../webapps/#{app_base}.war"
       }
@@ -82,7 +83,7 @@ def exploit
 
     select(nil, nil, nil, 20)
 
-    if (res.code == 200)
+    if (res && res.code == 200)
       print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...")
         send_request_raw(
           {

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,7 @@ def bruteforce(username,password,client)`
`123`	`123`	`'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}",`
`124`	`124`	`'ctype' => 'text/xml; charset=UTF-8',`
`125`	`125`	`'authorization' => basic_auth(username, password),`
	`126`	`+ 'encode_params' => false,`
`126`	`127`	`'headers' =>`
`127`	`128`	`{`
`128`	`129`	`'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',`