forked from rapid7/metasploit-framework
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix rapid7#9876, second round of Drupalgeddon 2 updates
Thanks to a reviewer for noticing my drupal_unpatched? method was tri-state because of an unrefactored return. Oops! :)
Showing 4 changed files with 101 additions and 86 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
module Msf | ||
module Exploit::Remote::HTTP::Drupal | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info = {}) | ||
super | ||
|
||
register_options([ | ||
OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']) | ||
]) | ||
end | ||
|
||
def setup | ||
super | ||
|
||
# Ensure we don't hit a redirect (e.g., /drupal -> /drupal/) | ||
# XXX: Naughty datastore modification instead of send_request_cgi! | ||
datastore['TARGETURI'] = normalize_uri(datastore['TARGETURI'], '/') | ||
end | ||
|
||
def drupal_version | ||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path) | ||
) | ||
|
||
return unless res && res.code == 200 | ||
|
||
# Check for an X-Generator header | ||
version = version_match(res.headers['X-Generator']) | ||
|
||
return version if version | ||
|
||
# Check for a <meta> tag | ||
generator = res.get_html_document.at( | ||
'//meta[@name = "Generator"]/@content' | ||
) | ||
|
||
return unless generator | ||
|
||
version_match(generator.value) | ||
end | ||
|
||
def drupal_changelog(version) | ||
return unless version && Gem::Version.correct?(version) | ||
|
||
uri = Gem::Version.new(version) < Gem::Version.new('8') ? | ||
normalize_uri(target_uri.path, 'CHANGELOG.txt') : | ||
normalize_uri(target_uri.path, 'core/CHANGELOG.txt') | ||
|
||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => uri | ||
) | ||
|
||
return unless res && res.code == 200 | ||
|
||
res.body | ||
end | ||
|
||
def version_match(string) | ||
return unless string | ||
|
||
# Perl devs love me; Ruby devs hate me | ||
string =~ /^Drupal ([\d.]+)/ | ||
|
||
return unless $1 && Gem::Version.correct?($1) | ||
|
||
Gem::Version.new($1) | ||
end | ||
|
||
end | ||
end |
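Review bot: in version_match, `^` anchors at the start of any line rather than the start of the string, and the capture is read back through the `$1` global. The input is a response header or `<meta>` content supplied by the target, so anchoring with `\A` and taking the capture directly, e.g. `string[/\ADrupal ([\d.]+)/, 1]`, would be stricter and would not depend on global match state. Note also that `[\d.]+` accepts a trailing dot, which then fails `Gem::Version.correct?` and returns nil instead of the leading digits. In setup, the in-place rewrite of `datastore['TARGETURI']` changes the option the user set, as the XXX comment admits; a helper that returns the normalized path would keep the datastore untouched. Since the commit message is about an accidental tri-state return, drupal_version and drupal_changelog would benefit from a short comment stating their return contract (a Gem::Version or nil, and the response body or nil).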