
Follow 301 re-direct #8885

Merged (2 commits), Aug 24, 2017

Conversation

n00py (Contributor) commented Aug 24, 2017

I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.

Output from hitting a target URI with redirect:

GET /6VbRJ4Ie.php HTTP/1.1
Host: 172.16.155.198
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 301 Moved Permanently
Date: Wed, 23 Aug 2017 18:43:40 GMT
Server: Apache/2.4.10 (Debian)
Location: http://172.16.155.198/6VbRJ4Ie
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://172.16.155.198/6VbRJ4Ie">here</a>.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 172.16.155.198 Port 80</address>
</body></html>


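To make the behaviour this PR relies on concrete, here is an added, stand-alone Ruby example (not code from the Metasploit module or from the Rex HTTP client) that models what "follow one 301 redirect" means: a bounded walk that resolves each Location header against the URI that produced it and stops after redirect_depth hops. FAKE_SERVER is a constructed in-memory stand-in for the host shown in the capture above, including a deliberate 302 loop to show why the depth bound matters; fetch_following_redirects and fake_get are names chosen for this example.

```ruby
require 'uri'

# Constructed in-memory stand-in for the target web server described in the
# PR: the uploaded ".php" path answers with a 301 to the extension-less path,
# and only that second path actually runs the script. Sample data built for
# this example only; not captured from a real host.
FAKE_SERVER = {
  '/6VbRJ4Ie.php' => {
    code: 301,
    headers: { 'Location' => 'http://172.16.155.198/6VbRJ4Ie' },
    body: '<title>301 Moved Permanently</title>'
  },
  '/6VbRJ4Ie' => {
    code: 200,
    headers: { 'Content-Type' => 'text/html' },
    body: 'php executed'
  },
  # A redirect loop, to show that redirect_depth bounds the walk.
  '/loop-a' => { code: 302, headers: { 'Location' => '/loop-b' }, body: '' },
  '/loop-b' => { code: 302, headers: { 'Location' => '/loop-a' }, body: '' }
}.freeze

# Minimal transport: look the request path up in FAKE_SERVER, 404 if unknown.
def fake_get(uri)
  FAKE_SERVER.fetch(URI(uri).path) { { code: 404, headers: {}, body: 'not found' } }
end

REDIRECT_CODES = [301, 302, 303, 307, 308].freeze

# Issue a GET and follow at most `redirect_depth` redirects, resolving each
# Location header against the URI that produced it (absolute and relative
# Locations both work via URI.join). Returns the final response and the chain
# of URIs visited. When the depth is exhausted, the last redirect response
# itself is returned, so a caller can see it never reached a final page.
def fetch_following_redirects(uri, redirect_depth: 1, transport: method(:fake_get))
  chain = [uri.to_s]
  response = transport.call(uri)
  redirect_depth.times do
    location = response[:headers]['Location']
    break unless REDIRECT_CODES.include?(response[:code]) && location
    uri = URI.join(uri, location)
    chain << uri.to_s
    response = transport.call(uri)
  end
  [response, chain]
end

if $PROGRAM_NAME == __FILE__
  resp, chain = fetch_following_redirects('http://172.16.155.198/6VbRJ4Ie.php')
  puts "#{chain.join(' -> ')} => #{resp[:code]} #{resp[:body]}"
end
```

With redirect_depth: 1 the request to /6VbRJ4Ie.php lands on /6VbRJ4Ie and returns the 200; with redirect_depth: 0 the 301 is returned unchanged, which is the pre-PR behaviour described above. The loop entries show that a depth bound, rather than "follow until non-3xx", is what keeps a misconfigured or hostile server from making the client spin.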
'method' => 'GET',
'uri' => trigger_uri
}, redirect_depth = 1
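Review bot: `redirect_depth = 1` in this call is a Ruby local-variable assignment used as a positional argument, so what gets passed is the value 1 in the second positional slot of send_request_cgi, which is the timeout (as the reviewer notes below); the practical effect would be a one-second request timeout with no redirect following. The redirect-following variant is the bang form send_request_cgi!, which the follow-up commit switches to; the extra parameter can be dropped entirely since its default already allows one redirect.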

The second arg is timeout, not redirect_depth, and the default is already 1.

@wvu wvu self-assigned this Aug 24, 2017
Removed second parameter as it was not necessary. Only change needed was to change "send_request_cgi" to "send_request_cgi!"
wvu added a commit to wvu/metasploit-framework that referenced this pull request Aug 24, 2017
@wvu wvu merged commit 8f17d53 into rapid7:master Aug 24, 2017
wvu (Contributor) commented Aug 24, 2017

Thanks!

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Aug 30, 2017
tdoan-r7 (Contributor) commented Aug 30, 2017

Release Notes

This fix allows a trigger to follow a 301 redirect in the phpmailer_arg_injection exploit module.

Labels: bug, module, rn-fix (release notes fix)