Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added module for WSO2 API Manager Documentation File Upload Remote Co… #19647

Merged
merged 14 commits into from
Dec 16, 2024
Merged

Added module for WSO2 API Manager Documentation File Upload Remote Co… #19647

Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
09d84ea
Added module for WSO2 API Manager Documentation File Upload Remote Co…
heyder Nov 14, 2024
0f969f1
Clean-up
heyder Nov 15, 2024
e772c7a
Apply suggestions from code review
heyder Nov 22, 2024
dc445ed
Apply suggestions from code review
heyder Nov 22, 2024
c1c74a0
Do not fail on document creation
heyder Nov 26, 2024
fabced5
Apply suggestions from code review
heyder Dec 4, 2024
9642612
Fix: Handle full-location redirects in `send_request_cgi`
heyder Dec 4, 2024
d5f0c61
Fix: Ensure api_list returns a list even when created during execution
heyder Dec 5, 2024
7c9bddc
Added use of send_request_cgi!
jheysel-r7 Dec 6, 2024
f720b51
Lint
jheysel-r7 Dec 6, 2024
edb9fdc
Merge
heyder Dec 7, 2024
c953601
Fix: it needs at least 2 follows redirect
heyder Dec 7, 2024
f3f1c89
Added cleanup method
heyder Dec 8, 2024
41e7bf8
Enhance: Rollback to register_file_for_cleanup
heyder Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fix: Handle full-location redirects in send_request_cgi 
- Resolved an issue where redirects with full-location URLs were not properly handled by `send_request_cgi`.
- Implemented a quick solution for now; open to suggestions for a more robust approach.
- Tested behavior without proxy interference, as Burp previously masked the issue.
  • Loading branch information
@heyder
heyder committed Dec 4, 2024
commit 964261283b34d069c0a5df50d72055896f46fe40
7 changes: 5 additions & 2 deletions modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,19 +160,22 @@ def authenticate
while res.redirect?
loop_dectector += 1
res = send_request_cgi(
'uri' => res.redirection.to_s,
'uri' => "#{res.redirection.path}?#{res.redirection.query}",
'method' => 'GET',
'headers' => {
'Connection' => 'keep-alive'
},
'keep_cookies' => true
)

if res&.get_cookies && res.get_cookies.match(/sessionNonceCookie-(.*)=/)
heyder marked this conversation as resolved.
Show resolved Hide resolved
vprint_status('Got session nonce')
nounce = ::Regexp.last_match(1)
end
break if nounce

fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3

end

auth_data = {
Expand All @@ -192,7 +195,7 @@ def authenticate
while res.redirect?
loop_dectector += 1
res = send_request_cgi(
'uri' => res.redirection.to_s,
'uri' => "#{res.redirection.path}?#{res.redirection.query}",
'method' => 'GET',
'headers' => {
'Connection' => 'keep-alive'
Expand Down
Loading