Try to make a better check

jvazquez-r7 · jvazquez-r7 · commit 3538b84693ce · 2014-09-26T15:55:26.000-05:00
diff --git a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@@ -58,9 +58,24 @@ def check_host(ip)
         :refs => self.references
       )
       Exploit::CheckCode::Vulnerable
+    elsif res
+      injected_res_code = res.code
     else
-      Exploit::CheckCode::Safe
+      Exploit::CheckCode::Unknown
     end
+
+    res = send_request_cgi({
+      'method' => datastore['METHOD'],
+      'uri' => normalize_uri(target_uri.path.to_s)
+    })
+
+    if res && injected_res_code == res.code
+      return Exploit::CheckCode::Safe
+    elsif res && injected_res_code != res.code
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Unknown
   end
 
   def run_host(ip)
diff --git a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@@ -69,10 +69,25 @@ def check
     res = req("echo #{marker}")
 
     if res && res.body.include?(marker * 3)
-      Exploit::CheckCode::Vulnerable
+      return Exploit::CheckCode::Vulnerable
+    elsif res
+      injected_res_code = res.code
     else
-      Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Unknown
     end
+
+    res = send_request_cgi({
+      'method' => datastore['METHOD'],
+      'uri' => normalize_uri(target_uri.path.to_s)
+    })
+
+    if res && injected_res_code == res.code
+      return Exploit::CheckCode::Safe
+    elsif res && injected_res_code != res.code
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Unknown
   end
 
   def exploit
