Enhance: Rollback to register_file_for_cleanup

- Verified that the CWD is the WSO2_SERVER_HOME, allowing the uploaded payload file to be registered for cleanup using register_file_for_cleanup. - Improved feedback by including the payload filename in the success message. - Removed redundant on_new_session cleanup logic, as file management is now handled by FileDropper.
rapid7 · Dec 11, 2024 · 41e7bf8 · 41e7bf8
1 parent f3f1c89
commit 41e7bf8
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb b/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
@@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::Remote::HttpClient
   prepend Msf::Exploit::Remote::AutoCheck
 
@@ -357,7 +358,9 @@ def upload_payload(api_id, doc_id)
     )
     fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed') unless res&.code == 201
 
-    print_good('Payload uploaded successfully')
+    register_file_for_cleanup("repository/deployment/server/webapps/authenticationendpoint/#{jsp_filename}")
+
+    print_good("Payload uploaded successfully. File: #{jsp_filename}")
 
     return res
   end
@@ -393,12 +396,6 @@ def exploit
     end
   end
 
-  def on_new_session(session)
-    super
-    # Registering for cleanup doesn't work as the file is not placed in the CWD, and the WSO2_SERVER_HOME might vary
-    session.shell_command_token("rm -rf $WSO2_SERVER_HOME/repository/deployment/server/webapps/authenticationendpoint/#{jsp_filename}")
-  end
-
   def cleanup
     return unless session_created?