Follow 301 re-direct #8885

Merged
merged 2 commits into from Aug 24, 2017

@n00py
Contributor

n00py commented Aug 24, 2017

I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.

Output from hitting a target URI with redirect:

GET /6VbRJ4Ie.php HTTP/1.1
Host: 172.16.155.198
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 301 Moved Permanently
Date: Wed, 23 Aug 2017 18:43:40 GMT
Server: Apache/2.4.10 (Debian)
Location: http://172.16.155.198/6VbRJ4Ie
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://172.16.155.198/6VbRJ4Ie">here</a>.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 172.16.155.198 Port 80</address>
</body></html>


Follow 301 re-direct
I found that in some cases, the trigger URL cannot be accessed directly.  For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example".  It isn't until hitting "/example" that the php is executed.  This small change will just allow the trigger to follow one 301 redirect.
'method' => 'GET',
'uri' => trigger_uri
}, redirect_depth = 1
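Review bot: the `redirect_depth = 1` appended after the closing brace on the last line is a Ruby assignment expression, not a keyword argument; it creates an unused local variable and passes the value 1 as the second positional parameter of `send_request_cgi`, which is the timeout, so the request gets a 1-second timeout and still follows no redirect. Drop the second argument and call `send_request_cgi!` instead, which is the variant that follows redirects (one by default).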


@wvu-r7

wvu-r7 Aug 24, 2017

Contributor

The second arg is timeout, not redirect_depth, and the default is already 1.
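The behaviour discussed in this PR, as an added example that is not Metasploit's own code: a stand-in for `send_request_cgi`/`send_request_cgi!` over a constructed in-memory server, showing why `redirect_depth = 1` in the second positional slot only set the timeout, and how a depth-bounded, same-host follower reaches the extensionless URI that actually runs the script. The server table, the `/loop*` and `/elsewhere` paths and the response bodies are constructed.

```ruby
require 'uri'

# Constructed responses mirroring the PR's capture: the .php trigger
# answers 301 and only the extensionless path actually runs the script.
# /loop1, /loop2 and /elsewhere are added to exercise the depth and host bounds.
FAKE_SERVER = {
  '/6VbRJ4Ie.php' => { code: 301, location: 'http://172.16.155.198/6VbRJ4Ie', body: '' },
  '/6VbRJ4Ie'     => { code: 200, location: nil, body: 'executed' },
  '/loop1'        => { code: 301, location: '/loop2', body: '' },
  '/loop2'        => { code: 301, location: '/loop1', body: '' },
  '/elsewhere'    => { code: 302, location: 'http://203.0.113.9/x', body: '' },
}.freeze

# Stand-in for HttpClient#send_request_cgi(opts, timeout = 20): the second
# argument is a positional timeout. `redirect_depth = 1` written in that
# slot is a Ruby assignment expression evaluating to 1, so it silently
# became timeout=1 and followed nothing.
def send_request_cgi(opts, timeout = 20)
  res = FAKE_SERVER.fetch(opts['uri'], { code: 404, location: nil, body: '' })
  res.merge(timeout: timeout)
end

# Stand-in for send_request_cgi!: re-issue the request for each 3xx Location,
# staying on the target host, at most redirect_depth times (default 1).
def send_request_cgi!(opts, timeout = 20, redirect_depth = 1)
  res = send_request_cgi(opts, timeout)
  redirect_depth.times do
    break unless (300..399).cover?(res[:code]) && res[:location]
    loc = URI.parse(res[:location])
    # An absolute Location pointing at another host is not followed.
    break if loc.host && loc.host != opts['host']
    res = send_request_cgi(opts.merge('uri' => loc.path), timeout)
  end
  res
end

if __FILE__ == $PROGRAM_NAME
  trigger = { 'method' => 'GET', 'host' => '172.16.155.198', 'uri' => '/6VbRJ4Ie.php' }
  p send_request_cgi(trigger)[:code]                         # 301: script never reached
  p send_request_cgi(trigger, redirect_depth = 1)[:timeout]  # 1: the first PR version's mistake
  p send_request_cgi!(trigger)[:body]                        # "executed"
end
```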

@wvu-r7 wvu-r7 added bug module labels Aug 24, 2017

@wvu-r7 wvu-r7 self-assigned this Aug 24, 2017

Update phpmailer_arg_injection.rb
Removed second parameter as it was not necessary. Only change needed was to change "send_request_cgi" to "send_request_cgi!"

wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request Aug 24, 2017

@wvu-r7 wvu-r7 merged commit 8f17d53 into rapid7:master Aug 24, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Contributor

wvu-r7 commented Aug 24, 2017

Thanks!

@tdoan-r7 tdoan-r7 added the rn-fix label Aug 30, 2017

Contributor

tdoan-r7 commented Aug 30, 2017

Release Notes

This fix allows a trigger to follow a 301 redirect in the phpmailer_arg_injection exploit module.
