From c694bc08f97e5d319827a64b1392141fda8b46e2 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 19 Aug 2024 16:28:52 +0200 Subject: [PATCH] Add a mixin to get SPIP version and make use of it --- lib/msf/core/exploit/remote/http/spip.rb | 41 +++++++++++++++++++ .../exploits/unix/webapp/spip_connect_exec.rb | 22 +++------- modules/exploits/unix/webapp/spip_rce_form.rb | 41 ++++++------------- 3 files changed, 59 insertions(+), 45 deletions(-) create mode 100644 lib/msf/core/exploit/remote/http/spip.rb diff --git a/lib/msf/core/exploit/remote/http/spip.rb b/lib/msf/core/exploit/remote/http/spip.rb new file mode 100644 index 0000000000000..1b64fce20e4f0 --- /dev/null +++ b/lib/msf/core/exploit/remote/http/spip.rb @@ -0,0 +1,41 @@ +# -*- coding: binary -*- + +module Msf +module Exploit::Remote::HTTP::Spip + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super + + register_options([ + OptString.new('TARGETURI', [true, 'Path to Spip install', '/']) + ]) + end + + # Determine Spip version + # + # @return [Rex::Version] Version as Rex::Version + def spip_version + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "spip.php") + ) + + return unless res + + version = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text + + if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/ + version = ::Regexp.last_match(1) + end + + if version.nil? + return nil + end + + return Rex::Version.new(version) + end + +end +end diff --git a/modules/exploits/unix/webapp/spip_connect_exec.rb b/modules/exploits/unix/webapp/spip_connect_exec.rb index 6d3d517a35bbc..f4b9ba0371d4d 100644 --- a/modules/exploits/unix/webapp/spip_connect_exec.rb +++ b/modules/exploits/unix/webapp/spip_connect_exec.rb @@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HTTP::Spip def initialize(info = {}) super(update_info(info, @@ -49,30 +50,19 @@ def initialize(info = {}) end def check - version = nil - uri = normalize_uri(target_uri.path, "spip.php") - - res = send_request_cgi({ 'uri' => "#{uri}" }) - - if res and res.code == 200 and res.body =~ / uri.to_s }) return Exploit::CheckCode::Unknown('Target is unreachable.') unless res - return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200 - version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text - return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/ + rversion = spip_version + return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion - version = ::Regexp.last_match(1) + print_status("SPIP Version detected: #{rversion}") - if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/ - version = ::Regexp.last_match(1) - end - - return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version - - print_status("SPIP Version detected: #{version}") - - rversion = Rex::Version.new(version) - if rversion >= Rex::Version.new('4.2.0') - if rversion < Rex::Version.new('4.2.1') - return Exploit::CheckCode::Appears - end - elsif rversion >= Rex::Version.new('4.1.0') - if rversion < Rex::Version.new('4.1.18') - return Exploit::CheckCode::Appears - end - elsif rversion >= Rex::Version.new('4.0.0') - if rversion < Rex::Version.new('4.0.10') - return Exploit::CheckCode::Appears - end - elsif rversion >= Rex::Version.new('3.2.0') - if rversion < Rex::Version.new('3.2.18') - return Exploit::CheckCode::Appears - end + if rversion.between?(Rex::Version.new('4.2.0'), Rex::Version.new('4.2.1')) + return Exploit::CheckCode::Appears + elsif rversion.between?(Rex::Version.new('4.1.0'), Rex::Version.new('4.1.18')) + return Exploit::CheckCode::Appears + elsif rversion.between?(Rex::Version.new('4.0.0'), Rex::Version.new('4.0.10')) + return Exploit::CheckCode::Appears + elsif rversion.between?(Rex::Version.new('3.2.0'), Rex::Version.new('3.2.18')) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe