2010-06-06 03:53:07 +00:00
|
|
|
#
|
2010-06-09 18:41:58 +00:00
|
|
|
# Web assessment for the metasploit framework
|
2011-02-04 05:57:26 +00:00
|
|
|
# Efrain Torres - et[ ] metasploit.com 2011
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2010-06-09 18:41:58 +00:00
|
|
|
# $Id$
|
|
|
|
# $Revision$
|
|
|
|
#
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
require 'rabal/tree'
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
class Plugin::Wmap < Msf::Plugin
|
|
|
|
class WmapCommandDispatcher
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
attr_accessor :targets
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
include Msf::Ui::Console::CommandDispatcher
|
|
|
|
|
|
|
|
def name
|
|
|
|
"Wmap"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# The initial command set
|
|
|
|
#
|
|
|
|
def commands
|
|
|
|
{
|
2011-02-04 05:57:26 +00:00
|
|
|
"wmap_targets" => "Manage targets",
|
|
|
|
"wmap_sites" => "Manage sites",
|
|
|
|
"wmap_run" => "Test targets"
|
2010-06-06 03:53:07 +00:00
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def cmd_wmap_targets(*args)
|
|
|
|
args.push("-h") if args.length == 0
|
|
|
|
|
|
|
|
while (arg = args.shift)
|
|
|
|
case arg
|
2011-02-04 05:57:26 +00:00
|
|
|
when '-c'
|
|
|
|
self.targets = {}
|
|
|
|
when '-l'
|
|
|
|
view_targets
|
|
|
|
return
|
|
|
|
when '-t'
|
|
|
|
process_urls(args.shift)
|
2010-06-06 03:53:07 +00:00
|
|
|
when '-h'
|
|
|
|
print_status("Usage: wmap_targets [options]")
|
|
|
|
print_line("\t-h Display this help text")
|
2011-02-04 05:57:26 +00:00
|
|
|
print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ")
|
|
|
|
print_line("\t-c Clean target sites list")
|
|
|
|
print_line("\t-l List all target sites")
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
print_line("")
|
|
|
|
return
|
2011-02-04 05:57:26 +00:00
|
|
|
else
|
|
|
|
print_error("Unknown flag.")
|
|
|
|
return
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
def cmd_wmap_sites(*args)
|
2010-06-06 03:53:07 +00:00
|
|
|
args.push("-h") if args.length == 0
|
|
|
|
|
|
|
|
while (arg = args.shift)
|
|
|
|
case arg
|
2011-02-04 05:57:26 +00:00
|
|
|
when '-a'
|
|
|
|
s = add_web_site(args.shift)
|
|
|
|
if s
|
|
|
|
print_status("Site created.")
|
|
|
|
else
|
|
|
|
print_error("Unable to create site")
|
|
|
|
end
|
|
|
|
when '-l'
|
|
|
|
view_sites
|
|
|
|
return
|
|
|
|
when '-s'
|
|
|
|
u = args.shift
|
|
|
|
l = args.shift
|
|
|
|
s = args.shift
|
|
|
|
|
|
|
|
if l == nil or l.empty?
|
|
|
|
l = 200
|
|
|
|
s = true
|
|
|
|
else
|
|
|
|
l = l.to_i
|
|
|
|
s = false
|
|
|
|
end
|
|
|
|
|
|
|
|
view_site_tree(u,l,s)
|
|
|
|
return
|
2010-06-06 03:53:07 +00:00
|
|
|
when '-h'
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status("Usage: wmap_sites [options]")
|
2010-06-06 03:53:07 +00:00
|
|
|
print_line("\t-h Display this help text")
|
2011-02-04 05:57:26 +00:00
|
|
|
print_line("\t-a [url] Add site (vhost,url)")
|
|
|
|
print_line("\t-l List all available sites")
|
|
|
|
print_line("\t-s [urls] (level) Display site structure (vhost,url)")
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
print_line("")
|
|
|
|
return
|
2011-02-04 05:57:26 +00:00
|
|
|
else
|
|
|
|
print_error("Unknown flag.")
|
|
|
|
return
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
def cmd_wmap_run(*args)
|
2011-02-04 05:57:26 +00:00
|
|
|
# Run exploit check
|
|
|
|
wmap_check = true
|
|
|
|
# Run exploit if vulnerable
|
|
|
|
wmap_runexpl = false
|
|
|
|
# Exit wmap if session is created
|
|
|
|
wmap_exitifsess = true
|
|
|
|
|
|
|
|
# Formating
|
|
|
|
sizeline = 60
|
|
|
|
|
|
|
|
wmap_show = 2**0
|
|
|
|
wmap_expl = 2**1
|
|
|
|
|
|
|
|
# Exclude files can be modified by setting datastore['WMAP_EXCLUDE']
|
|
|
|
wmap_exclude_files = '.*\.(gif|jpg|png*)$'
|
|
|
|
|
|
|
|
run_wmap_ssl = true
|
|
|
|
run_wmap_server = true
|
|
|
|
run_wmap_dir_file = true
|
|
|
|
run_wmap_query = true
|
|
|
|
run_wmap_unique_query = true
|
|
|
|
run_wmap_generic = true
|
|
|
|
|
|
|
|
# If module supports datastore['VERBOSE']
|
|
|
|
moduleverbose = false
|
|
|
|
|
|
|
|
showprogress = false
|
|
|
|
|
|
|
|
if not run_wmap_ssl
|
|
|
|
print_status("Loading of wmap ssl modules disabled.")
|
|
|
|
end
|
|
|
|
if not run_wmap_server
|
|
|
|
print_status("Loading of wmap server modules disabled.")
|
|
|
|
end
|
|
|
|
if not run_wmap_dir_file
|
|
|
|
print_status("Loading of wmap dir and file modules disabled.")
|
|
|
|
end
|
|
|
|
if not run_wmap_query
|
|
|
|
print_status("Loading of wmap query modules disabled.")
|
|
|
|
end
|
|
|
|
if not run_wmap_unique_query
|
|
|
|
print_status("Loading of wmap unique query modules disabled.")
|
|
|
|
end
|
|
|
|
if not run_wmap_generic
|
|
|
|
print_status("Loading of wmap generic modules disabled.")
|
|
|
|
end
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
stamp = Time.now.to_f
|
|
|
|
mode = 0
|
|
|
|
|
|
|
|
eprofile = []
|
|
|
|
using_p = false
|
2011-02-06 20:35:27 +00:00
|
|
|
using_m = false
|
|
|
|
mname = ''
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
args.push("-h") if args.length == 0
|
|
|
|
|
|
|
|
while (arg = args.shift)
|
|
|
|
case arg
|
|
|
|
when '-t'
|
2011-02-04 05:57:26 +00:00
|
|
|
mode |= wmap_show
|
2010-06-06 03:53:07 +00:00
|
|
|
when '-e'
|
2011-02-04 05:57:26 +00:00
|
|
|
mode |= wmap_expl
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
profile = args.shift
|
|
|
|
|
|
|
|
if profile
|
|
|
|
print_status("Using profile #{profile}.")
|
|
|
|
|
|
|
|
begin
|
|
|
|
File.open(profile).each do |str|
|
|
|
|
if not str.include? '#'
|
|
|
|
# Not a comment
|
|
|
|
modname = str.strip
|
|
|
|
if not modname.empty?
|
|
|
|
eprofile << modname
|
|
|
|
end
|
|
|
|
end
|
|
|
|
using_p = true
|
|
|
|
end
|
|
|
|
rescue
|
|
|
|
print_error("Profile not found or invalid.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_status("Using ALL wmap enabled modules.")
|
|
|
|
end
|
2011-02-06 20:35:27 +00:00
|
|
|
when '-m'
|
|
|
|
mode |= wmap_expl
|
|
|
|
|
|
|
|
mname = args.shift
|
|
|
|
|
|
|
|
if mname
|
|
|
|
print_status("Using module #{mname}.")
|
|
|
|
end
|
|
|
|
using_m = true
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
when '-h'
|
|
|
|
print_status("Usage: wmap_run [options]")
|
2011-02-06 20:35:27 +00:00
|
|
|
print_line("\t-h Display this help text")
|
|
|
|
print_line("\t-t Show all enabled modules")
|
|
|
|
print_line("\t-m [regex] Launch only modules that name match provided regex.")
|
|
|
|
print_line("\t-e [/path/to/profile] Launch profile modules against all matched targets.")
|
|
|
|
print_line("\t No file runs all enabled modules.")
|
2010-06-06 03:53:07 +00:00
|
|
|
print_line("")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if self.targets == nil
|
|
|
|
print_error("Targets have not been selected.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
if self.targets.keys.length == 0
|
|
|
|
print_error("Targets have not been selected.")
|
2010-06-06 03:53:07 +00:00
|
|
|
return
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
self.targets.each_with_index do |t, idx|
|
|
|
|
selected_host = t[1][:host]
|
|
|
|
selected_port = t[1][:port]
|
|
|
|
selected_ssl = t[1][:ssl]
|
|
|
|
selected_vhost = t[1][:vhost]
|
|
|
|
|
|
|
|
print_status ("Testing target:")
|
|
|
|
print_status ("\tSite: #{selected_vhost} (#{selected_host})")
|
|
|
|
print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}")
|
|
|
|
puts '='* sizeline
|
|
|
|
print_status("Testing started. #{(Time.now )}")
|
|
|
|
|
|
|
|
|
|
|
|
if not selected_ssl
|
|
|
|
run_wmap_ssl = false
|
|
|
|
#print_status ("Target is not SSL. SSL modules disabled.")
|
|
|
|
end
|
|
|
|
|
|
|
|
# WMAP_DIR, WMAP_FILE
|
|
|
|
matches = {}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# WMAP_SERVER
|
|
|
|
matches1 = {}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# WMAP_QUERY
|
|
|
|
matches2 = {}
|
|
|
|
|
|
|
|
# WMAP_SSL
|
|
|
|
matches3 = {}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# WMAP_UNIQUE_QUERY
|
|
|
|
matches5 = {}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# WMAP_GENERIC
|
|
|
|
matches10 = {}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# EXPLOIT OPTIONS
|
|
|
|
opt_str = nil
|
|
|
|
bg = false
|
|
|
|
jobify = false
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
[ [ framework.auxiliary, 'auxiliary' ], [framework.exploits, 'exploit' ] ].each do |mtype|
|
|
|
|
# Scan all exploit modules for matching references
|
|
|
|
mtype[0].each_module do |n,m|
|
|
|
|
e = m.new
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Only include wmap_enabled plugins
|
|
|
|
if e.respond_to?("wmap_enabled")
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
penabled = e.wmap_enabled
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if penabled
|
2011-02-06 20:35:27 +00:00
|
|
|
#if ( not using_p or eprofile.include? n.split('/').last ) or (using_m and n.match(mname))
|
|
|
|
if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p)
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# First run the WMAP_SERVER plugins
|
|
|
|
#
|
|
|
|
case e.wmap_type
|
|
|
|
when :WMAP_SERVER
|
|
|
|
if run_wmap_server
|
|
|
|
matches1[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
when :WMAP_QUERY
|
|
|
|
if run_wmap_query
|
|
|
|
matches2[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
when :WMAP_UNIQUE_QUERY
|
|
|
|
if run_wmap_unique_query
|
|
|
|
matches5[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
when :WMAP_GENERIC
|
|
|
|
if run_wmap_generic
|
|
|
|
matches10[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
when :WMAP_DIR, :WMAP_FILE
|
|
|
|
if run_wmap_dir_file
|
|
|
|
matches[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
when :WMAP_SSL
|
|
|
|
if run_wmap_ssl
|
|
|
|
matches3[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
|
|
|
|
end
|
|
|
|
else
|
|
|
|
# Black Hole
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server.
|
|
|
|
# :WMAP_SSL
|
|
|
|
#
|
|
|
|
|
|
|
|
puts "\n=[ SSL testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
if not selected_ssl
|
|
|
|
print_status ("Target is not SSL. SSL modules disabled.")
|
|
|
|
end
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches3.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
|
|
|
#
|
|
|
|
if (mode & wmap_expl != 0)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
|
|
|
#
|
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# For exploits
|
|
|
|
#
|
|
|
|
payload = mod.datastore['PAYLOAD']
|
|
|
|
encoder = mod.datastore['ENCODER']
|
|
|
|
target = mod.datastore['TARGET']
|
|
|
|
nop = mod.datastore['NOP']
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parameters passed in hash xref
|
|
|
|
#
|
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datastore['VHOST'] = xref[3].to_s
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
|
|
|
|
|
|
|
#
|
|
|
|
# Run the plugins that only need to be
|
|
|
|
# launched once.
|
|
|
|
#
|
|
|
|
|
|
|
|
wtype = mod.wmap_type
|
|
|
|
|
|
|
|
if wtype == :WMAP_SSL
|
|
|
|
puts "Module #{xref[4]}"
|
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
|
|
|
if mod.respond_to?("check") and wmap_check
|
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
|
|
|
|
if session
|
|
|
|
stat = '[*]'
|
|
|
|
|
|
|
|
if (session == Msf::Exploit::CheckCode::Vulnerable)
|
|
|
|
stat = '[+]'
|
|
|
|
end
|
|
|
|
|
|
|
|
print_line(stat + ' ' + session[1])
|
|
|
|
|
|
|
|
#
|
|
|
|
# Exploit if wmap_runexpl
|
|
|
|
#
|
|
|
|
|
|
|
|
if (session == Msf::Exploit::CheckCode::Vulnerable) and wmap_runexpl
|
|
|
|
print_status("Exploiting...")
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.exploit_simple(
|
|
|
|
'Encoder' => encoder,
|
|
|
|
'Payload' => payload,
|
|
|
|
'Target' => target,
|
|
|
|
'Nop' => nop,
|
|
|
|
'OptionStr' => opt_str,
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => jobify)
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error("Exploit failed: #{e.class} #{e}")
|
|
|
|
if(e.class.to_s != 'Msf::OptionValidateError')
|
|
|
|
print_error("Call stack:")
|
|
|
|
e.backtrace.each do |line|
|
|
|
|
break if line =~ /lib.msf.base.simple/
|
|
|
|
print_error(" #{line}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# If we were given a session, let's see what we can do with it
|
|
|
|
if (session)
|
|
|
|
|
|
|
|
# If we aren't told to run in the background and the session can be
|
|
|
|
# interacted with, start interacting with it by issuing the session
|
|
|
|
# interaction command.
|
|
|
|
if (bg == false and session.interactive?)
|
|
|
|
print_line
|
|
|
|
|
|
|
|
driver.run_single("sessions -q -i #{session.sid}")
|
|
|
|
# Otherwise, log that we created a session
|
|
|
|
else
|
|
|
|
print_status("Session #{session.sid} created in the background.")
|
|
|
|
end
|
|
|
|
# If we ran the exploit as a job, indicate such so the user doesn't
|
|
|
|
# wonder what's up.
|
|
|
|
|
|
|
|
if wmap_exitifsess
|
|
|
|
return
|
|
|
|
end
|
|
|
|
elsif (jobify)
|
|
|
|
print_status("Exploit running as background job.")
|
|
|
|
# Worst case, the exploit ran but we got no session, bummer.
|
|
|
|
else
|
|
|
|
print_status("Exploit completed, but no session was created.")
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
else
|
|
|
|
print_error("Check failed: The state could not be determined.")
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
else
|
2011-02-04 05:57:26 +00:00
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Handle modules that need to be run before all tests, once usually again the web server.
|
|
|
|
# :WMAP_SERVER
|
|
|
|
#
|
|
|
|
puts "\n=[ Web Server testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches1.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_expl != 0)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
|
|
|
#
|
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# For exploits
|
|
|
|
#
|
|
|
|
payload = mod.datastore['PAYLOAD']
|
|
|
|
encoder = mod.datastore['ENCODER']
|
|
|
|
target = mod.datastore['TARGET']
|
|
|
|
nop = mod.datastore['NOP']
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Parameters passed in hash xref
|
|
|
|
#
|
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datastore['VHOST'] = xref[3].to_s
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Run the plugins that only need to be
|
|
|
|
# launched once.
|
|
|
|
#
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
wtype = mod.wmap_type
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if wtype == :WMAP_SERVER
|
|
|
|
puts "Module #{xref[4]}"
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# To run check function for modules that are exploits
|
|
|
|
if mod.respond_to?("check") and wmap_check
|
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if session
|
|
|
|
stat = '[*]'
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (session == Msf::Exploit::CheckCode::Vulnerable)
|
|
|
|
stat = '[+]'
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
print_line(stat + ' ' + session[1])
|
|
|
|
|
|
|
|
#
|
|
|
|
# Exploit if wmap_runexpl
|
|
|
|
#
|
|
|
|
|
|
|
|
if (session == Msf::Exploit::CheckCode::Vulnerable) and wmap_runexpl
|
|
|
|
print_status("Exploiting...")
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.exploit_simple(
|
|
|
|
'Encoder' => encoder,
|
|
|
|
'Payload' => payload,
|
|
|
|
'Target' => target,
|
|
|
|
'Nop' => nop,
|
|
|
|
'OptionStr' => opt_str,
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => jobify)
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error("Exploit failed: #{e.class} #{e}")
|
|
|
|
if(e.class.to_s != 'Msf::OptionValidateError')
|
|
|
|
print_error("Call stack:")
|
|
|
|
e.backtrace.each do |line|
|
|
|
|
break if line =~ /lib.msf.base.simple/
|
|
|
|
print_error(" #{line}")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# If we were given a session, let's see what we can do with it
|
|
|
|
if (session)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# If we aren't told to run in the background and the session can be
|
|
|
|
# interacted with, start interacting with it by issuing the session
|
|
|
|
# interaction command.
|
|
|
|
if (bg == false and session.interactive?)
|
|
|
|
print_line
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
driver.run_single("sessions -q -i #{session.sid}")
|
|
|
|
# Otherwise, log that we created a session
|
|
|
|
else
|
|
|
|
print_status("Session #{session.sid} created in the background.")
|
|
|
|
end
|
|
|
|
# If we ran the exploit as a job, indicate such so the user doesn't
|
|
|
|
# wonder what's up.
|
|
|
|
|
|
|
|
if wmap_exitifsess
|
|
|
|
return
|
|
|
|
end
|
|
|
|
elsif (jobify)
|
|
|
|
print_status("Exploit running as background job.")
|
|
|
|
# Worst case, the exploit ran but we got no session, bummer.
|
2010-06-06 03:53:07 +00:00
|
|
|
else
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status("Exploit completed, but no session was created.")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
else
|
|
|
|
print_error("Check failed: The state could not be determined.")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
else
|
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Handle modules to be run at every path/file
|
|
|
|
# WMAP_DIR, WMAP_FILE
|
|
|
|
#
|
|
|
|
puts "\n=[ File/Dir testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_expl != 0)
|
|
|
|
#
|
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
|
|
|
#
|
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Parameters passed in hash xref
|
|
|
|
#
|
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datastore['VHOST'] = xref[3]
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Run the plugins that only need to be
|
|
|
|
# launched once.
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
wtype = mod.wmap_type
|
|
|
|
|
|
|
|
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
|
|
|
|
s = h.services.find_by_port(selected_port)
|
|
|
|
w = s.web_sites.find_by_vhost(selected_vhost)
|
|
|
|
|
|
|
|
puts "Module #{xref[4]}:"
|
|
|
|
|
|
|
|
test_tree = load_tree(w)
|
|
|
|
test_tree.each do |node|
|
|
|
|
|
|
|
|
p = node.current_path
|
|
|
|
testpath = Pathname.new(p)
|
|
|
|
strpath = testpath.cleanpath(false).to_s
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Fixing paths
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
if node.is_leaf? and not node.is_root?
|
|
|
|
#
|
|
|
|
# Later we can add here more checks to see if its a file
|
|
|
|
#
|
2010-06-06 03:53:07 +00:00
|
|
|
else
|
2011-02-04 05:57:26 +00:00
|
|
|
if node.is_root?
|
|
|
|
strpath = "/"
|
|
|
|
else
|
|
|
|
strpath = strpath.chomp + "/"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
strpath = strpath.gsub("//", "/")
|
|
|
|
#print_status("Testing path: #{strpath}")
|
|
|
|
|
|
|
|
#
|
|
|
|
# Launch plugin depending module type.
|
|
|
|
# Module type depends on main input type.
|
|
|
|
# Code may be the same but it depend on final
|
|
|
|
# versions of plugins
|
|
|
|
#
|
|
|
|
|
|
|
|
case wtype
|
|
|
|
when :WMAP_FILE
|
|
|
|
if node.is_leaf? and not node.is_root?
|
|
|
|
#
|
|
|
|
# Check if an exclusion regex has been defined
|
|
|
|
#
|
|
|
|
if self.framework.datastore['WMAP_EXCLUDE']
|
|
|
|
excludefilestr = self.framework.datastore['WMAP_EXCLUDE']
|
|
|
|
else
|
|
|
|
excludefilestr = wmap_exclude_files
|
|
|
|
end
|
|
|
|
|
|
|
|
if not strpath.match(excludefilestr)
|
|
|
|
mod.datastore['PATH'] = strpath
|
|
|
|
print_status("Path: #{strpath}")
|
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
|
|
|
if mod.respond_to?("check") and wmap_check
|
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
when :WMAP_DIR
|
|
|
|
if not node.is_leaf? or node.is_root?
|
|
|
|
mod.datastore['PATH'] = strpath
|
|
|
|
print_status("Path: #{strpath}")
|
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
|
|
|
if mod.respond_to?("check") and wmap_check
|
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Run modules for each request to play with URI with UNIQUE query parameters.
|
|
|
|
# WMAP_UNIQUE_QUERY
|
|
|
|
#
|
|
|
|
puts "\n=[ Unique Query testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches5.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
|
|
|
#
|
|
|
|
if (mode & wmap_expl != 0)
|
|
|
|
#
|
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
|
|
|
#
|
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Parameters passed in hash xref
|
|
|
|
#
|
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datastore['VHOST'] = xref[3]
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Run the plugins for each request that have a distinct
|
|
|
|
# GET/POST URI QUERY string.
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
wtype = mod.wmap_type
|
|
|
|
|
|
|
|
utest_query = {}
|
|
|
|
|
|
|
|
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
|
|
|
|
s = h.services.find_by_port(selected_port)
|
|
|
|
w = s.web_sites.find_by_vhost(selected_vhost)
|
|
|
|
|
2011-02-13 04:36:00 +00:00
|
|
|
w.web_forms.each do |form|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
|
|
|
|
#
|
2011-02-13 04:36:00 +00:00
|
|
|
|
|
|
|
datastr = ""
|
|
|
|
typestr = ""
|
|
|
|
|
|
|
|
temparr = []
|
|
|
|
|
|
|
|
#puts "---------"
|
|
|
|
#puts form.params
|
|
|
|
#puts "+++++++++"
|
|
|
|
|
|
|
|
form.params.each do |p|
|
|
|
|
pn, pv, pt = p
|
|
|
|
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
|
|
|
|
end
|
|
|
|
|
|
|
|
datastr = temparr.join("&") if (temparr and not temparr.empty?)
|
|
|
|
|
|
|
|
if (utest_query.has_key?(mod.signature(form.path,datastr)) == false)
|
|
|
|
|
|
|
|
mod.datastore['METHOD'] = form.method.upcase
|
|
|
|
mod.datastore['PATH'] = form.path
|
|
|
|
mod.datastore['QUERY'] = form.query
|
|
|
|
if form.method.upcase == 'GET'
|
|
|
|
mod.datastore['QUERY'] = datastr
|
|
|
|
mod.datastore['DATA'] = ""
|
|
|
|
end
|
|
|
|
mod.datastore['DATA'] = datastr if form.method.upcase == 'POST'
|
|
|
|
mod.datastore['TYPES'] = typestr
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# TODO: Add headers, etc.
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if wtype == :WMAP_UNIQUE_QUERY
|
|
|
|
puts "Module #{xref[4]}"
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
2011-02-04 05:57:26 +00:00
|
|
|
if mod.respond_to?("check") and wmap_check
|
2010-06-06 03:53:07 +00:00
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
else
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Unique query tested, actually the value does not matter
|
|
|
|
#
|
2011-02-13 04:36:00 +00:00
|
|
|
#print_status("sig: #{mod.signature(form.path,varnarr.join(','))}")
|
|
|
|
|
|
|
|
utest_query[mod.signature(form.path,datastr)]=1
|
|
|
|
else
|
|
|
|
#print_status("Already tested")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Run modules for each request to play with URI query parameters.
|
|
|
|
# This approach will reduce the complexity of the Tree used before
|
|
|
|
# and will make this shotgun implementation much simple.
|
|
|
|
# WMAP_QUERY
|
|
|
|
#
|
|
|
|
puts "\n=[ Query testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches2.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_expl != 0)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
|
|
|
#
|
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
#
|
|
|
|
# Parameters passed in hash xref
|
|
|
|
#
|
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datastore['VHOST'] = xref[3].to_s
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Run the plugins for each request that have a distinct
|
|
|
|
# GET/POST URI QUERY string.
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
wtype = mod.wmap_type
|
|
|
|
|
|
|
|
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
|
|
|
|
s = h.services.find_by_port(selected_port)
|
|
|
|
w = s.web_sites.find_by_vhost(selected_vhost)
|
|
|
|
|
|
|
|
w.web_forms.each do |req|
|
2011-02-22 04:27:40 +00:00
|
|
|
|
|
|
|
datastr = ""
|
|
|
|
typestr = ""
|
|
|
|
|
|
|
|
temparr = []
|
|
|
|
|
|
|
|
req.params.each do |p|
|
|
|
|
pn, pv, pt = p
|
|
|
|
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
|
|
|
|
end
|
|
|
|
|
|
|
|
datastr = temparr.join("&") if (temparr and not temparr.empty?)
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
mod.datastore['METHOD'] = req.method.upcase
|
2010-06-06 03:53:07 +00:00
|
|
|
mod.datastore['PATH'] = req.path
|
2011-02-22 04:27:40 +00:00
|
|
|
if req.method.upcase == 'GET'
|
|
|
|
mod.datastore['QUERY'] = datastr
|
|
|
|
mod.datastore['DATA'] = ""
|
|
|
|
end
|
|
|
|
mod.datastore['DATA'] = datastr if req.method.upcase == 'POST'
|
|
|
|
mod.datastore['TYPES'] = typestr
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
# TODO: Add method, headers, etc.
|
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if wtype == :WMAP_QUERY
|
|
|
|
puts "Module #{xref[4]}"
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
2011-02-04 05:57:26 +00:00
|
|
|
if mod.respond_to?("check") and wmap_check
|
2010-06-06 03:53:07 +00:00
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
else
|
|
|
|
|
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Handle modules that need to be after all tests, once.
|
|
|
|
# Good place to have modules that analize the test results and/or
|
|
|
|
# launch exploits.
|
|
|
|
# :WMAP_GENERIC
|
|
|
|
#
|
|
|
|
puts "\n=[ General testing ]="
|
|
|
|
puts "=" * sizeline
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
matches10.each_key do |xref|
|
|
|
|
idx += 1
|
|
|
|
|
|
|
|
begin
|
|
|
|
mod = nil
|
|
|
|
|
|
|
|
#Carefull with the references on this one
|
|
|
|
if ((mod = framework.modules.create(xref[4])) == nil)
|
|
|
|
print_status("Failed to initialize #{xref[4]}")
|
|
|
|
next
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Loaded #{xref[4]} ...")
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# The code is just a proof-of-concept and will be expanded in the future
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_expl != 0)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# For modules to have access to the global datastore
|
|
|
|
# i.e. set -g DOMAIN test.com
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
self.framework.datastore.each do |gkey,gval|
|
|
|
|
mod.datastore[gkey]=gval
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Parameters passed in hash xref
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
mod.datastore['RHOST'] = xref[0]
|
|
|
|
mod.datastore['RHOSTS'] = xref[0]
|
|
|
|
mod.datastore['RPORT'] = xref[1].to_s
|
|
|
|
mod.datastore['SSL'] = xref[2]
|
|
|
|
mod.datatsore['VHOST'] = xref[3].to_s
|
|
|
|
mod.datastore['VERBOSE'] = moduleverbose
|
|
|
|
mod.datastore['ShowProgress'] = showprogress
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Run the plugins that only need to be
|
|
|
|
# launched once.
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
wtype = mod.wmap_type
|
|
|
|
|
|
|
|
if wtype == :WMAP_GENERIC
|
|
|
|
puts "Module #{xref[4]}"
|
2010-06-06 03:53:07 +00:00
|
|
|
|
|
|
|
# To run check function for modules that are exploits
|
2011-02-04 05:57:26 +00:00
|
|
|
if mod.respond_to?("check") and wmap_check
|
2010-06-06 03:53:07 +00:00
|
|
|
begin
|
|
|
|
session = mod.check_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
else
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
begin
|
|
|
|
session = mod.run_simple(
|
|
|
|
'LocalInput' => driver.input,
|
|
|
|
'LocalOutput' => driver.output,
|
|
|
|
'RunAsJob' => false)
|
|
|
|
rescue ::Exception
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status(" >> Exception during launch from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
rescue ::Exception
|
|
|
|
print_status(" >> Exception from #{xref[4]}: #{$!}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if (mode & wmap_show != 0)
|
|
|
|
print_status("Analysis completed in #{(Time.now.to_f - stamp)} seconds.")
|
|
|
|
print_status("Done.")
|
2011-02-06 20:35:27 +00:00
|
|
|
puts "+" * sizeline
|
|
|
|
puts "\n"
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# EOM
|
|
|
|
end
|
|
|
|
|
|
|
|
def view_targets
|
|
|
|
if self.targets == nil or self.targets.keys.length == 0
|
|
|
|
print_status "No targets have been defined"
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
indent = ' '
|
|
|
|
|
|
|
|
tbl = Rex::Ui::Text::Table.new(
|
|
|
|
'Indent' => indent.length,
|
|
|
|
'Header' => 'Defined targets',
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
'Id',
|
|
|
|
'Vhost',
|
|
|
|
'Host',
|
|
|
|
'Port',
|
|
|
|
'SSL',
|
|
|
|
'Path',
|
|
|
|
])
|
|
|
|
|
|
|
|
self.targets.each_with_index { |t, idx|
|
|
|
|
tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], t[1][:path].to_s ]
|
|
|
|
}
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
puts tbl.to_s + "\n"
|
|
|
|
end
|
|
|
|
|
|
|
|
def view_sites
|
|
|
|
indent = ' '
|
|
|
|
|
|
|
|
tbl = Rex::Ui::Text::Table.new(
|
|
|
|
'Indent' => indent.length,
|
|
|
|
'Header' => 'Available sites',
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
'Id',
|
|
|
|
'Host',
|
|
|
|
'Vhost',
|
|
|
|
'Port',
|
|
|
|
'# Pages',
|
|
|
|
'# Forms',
|
|
|
|
])
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
self.framework.db.hosts.each do |bdhost|
|
|
|
|
bdhost.services.each do |serv|
|
|
|
|
serv.web_sites.each do |web|
|
|
|
|
c = web.web_pages.count
|
|
|
|
f = web.web_forms.count
|
|
|
|
tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, c.to_s, f.to_s ]
|
|
|
|
idx += 1
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
puts tbl.to_s + "\n"
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# Reusing code from hdmoore
|
|
|
|
#
|
|
|
|
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
|
|
|
|
# should be used. This allows for things like:
|
|
|
|
# localhost,http://192.168.0.2/admin/
|
|
|
|
|
|
|
|
def add_web_site(url)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vhost = nil
|
|
|
|
|
|
|
|
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
|
|
|
|
# should be used. This allows for things like:
|
|
|
|
# localhost,http://192.168.0.2/admin/
|
|
|
|
|
|
|
|
if url !~ /^http/
|
|
|
|
vhost,url = url.split(",", 2)
|
|
|
|
if url.to_s.empty?
|
|
|
|
url = vhost
|
|
|
|
vhost = nil
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Prefix http:// when the URL has no specified parameter
|
|
|
|
if url !~ /^[a-z0-9A-Z]+:\/\//
|
|
|
|
url = "http://" + url
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
uri = URI.parse(url) rescue nil
|
|
|
|
if not uri
|
|
|
|
print_error("Could not understand URL: #{url}")
|
|
|
|
return
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if uri.scheme !~ /^https?/
|
|
|
|
print_error("Only http and https URLs are accepted: #{url}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
ssl = false
|
|
|
|
if uri.scheme == 'https'
|
|
|
|
ssl = true
|
|
|
|
end
|
|
|
|
|
|
|
|
site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl)
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
return site
|
|
|
|
end
|
|
|
|
|
|
|
|
# Code by hdm. Modified two lines by et
|
|
|
|
#
|
|
|
|
def process_urls(urlstr)
|
|
|
|
|
|
|
|
target_whitelist = []
|
|
|
|
urls = urlstr.to_s.split(/\s+/)
|
|
|
|
|
|
|
|
urls.each do |url|
|
|
|
|
next if url.to_s.strip.empty?
|
|
|
|
vhost = nil
|
|
|
|
|
|
|
|
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
|
|
|
|
# should be used. This allows for things like:
|
|
|
|
# localhost,http://192.168.0.2/admin/
|
|
|
|
|
|
|
|
if url !~ /^http/
|
|
|
|
vhost,url = url.split(",", 2)
|
|
|
|
if url.to_s.empty?
|
|
|
|
url = vhost
|
|
|
|
vhost = nil
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Prefix http:// when the URL has no specified parameter
|
|
|
|
if url !~ /^[a-z0-9A-Z]+:\/\//
|
|
|
|
url = "http://" + url
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
uri = URI.parse(url) rescue nil
|
|
|
|
if not uri
|
|
|
|
print_error("Could not understand URL: #{url}")
|
|
|
|
next
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if uri.scheme !~ /^https?/
|
|
|
|
print_error("Only http and https URLs are accepted: #{url}")
|
|
|
|
next
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
target_whitelist << [vhost || uri.host, uri]
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2010-06-09 18:41:58 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Skip the DB entirely if no matches
|
|
|
|
return if target_whitelist.length == 0
|
|
|
|
|
|
|
|
self.targets = {}
|
|
|
|
|
|
|
|
target_whitelist.each do |ent|
|
|
|
|
vhost,target = ent
|
|
|
|
|
|
|
|
host = self.framework.db.workspace.hosts.find_by_address(target.host)
|
|
|
|
if not host
|
|
|
|
print_error("No matching host for #{target.host}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
|
|
|
|
if not serv
|
|
|
|
print_error("No matching service for #{target.host}:#{target.port}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
#puts "aaa"
|
|
|
|
#puts framework.db.workspace.name
|
|
|
|
|
|
|
|
#sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
|
|
|
|
|
|
|
|
sites = serv.web_sites.find(:all)
|
|
|
|
|
|
|
|
sites.each do |site|
|
|
|
|
|
|
|
|
#site.web_forms.find_all_by_path(target.path).each do |form|
|
|
|
|
ckey = [ site.vhost, host.address, serv.port, target.path].join("|")
|
|
|
|
if not self.targets[ckey]
|
|
|
|
self.targets[ckey] = WebTarget.new
|
|
|
|
self.targets[ckey].merge!({
|
|
|
|
:vhost => site.vhost,
|
|
|
|
:host => host.address,
|
|
|
|
:port => serv.port,
|
|
|
|
:ssl => (serv.name == "https"),
|
|
|
|
:path => target.path
|
|
|
|
})
|
|
|
|
#self.targets[ckey][target.path] = []
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Store the form object in the hash for this path
|
|
|
|
#self.targets[ckey][target.path] << target.path
|
|
|
|
#end
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
def view_site_tree(urlstr, md, ld)
|
|
|
|
|
|
|
|
site_whitelist = []
|
|
|
|
urls = urlstr.to_s.split(/\s+/)
|
|
|
|
|
|
|
|
urls.each do |url|
|
|
|
|
next if url.to_s.strip.empty?
|
|
|
|
vhost = nil
|
|
|
|
|
|
|
|
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
|
|
|
|
# should be used. This allows for things like:
|
|
|
|
# localhost,http://192.168.0.2/admin/
|
|
|
|
|
|
|
|
if url !~ /^http/
|
|
|
|
vhost,url = url.split(",", 2)
|
|
|
|
|
|
|
|
if url.to_s.empty?
|
|
|
|
url = vhost
|
|
|
|
vhost = nil
|
|
|
|
end
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Prefix http:// when the URL has no specified parameter
|
|
|
|
if url !~ /^[a-z0-9A-Z]+:\/\//
|
|
|
|
url = "http://" + url
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
uri = URI.parse(url) rescue nil
|
|
|
|
if not uri
|
|
|
|
print_error("Could not understand URL: #{url}")
|
|
|
|
next
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
if uri.scheme !~ /^https?/
|
|
|
|
print_error("Only http and https URLs are accepted: #{url}")
|
|
|
|
next
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
site_whitelist << [vhost || uri.host, uri]
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
# Skip the DB entirely if no matches
|
|
|
|
return if site_whitelist.length == 0
|
|
|
|
|
|
|
|
vsites = {}
|
|
|
|
|
|
|
|
site_whitelist.each do |ent|
|
|
|
|
vhost,target = ent
|
|
|
|
|
|
|
|
host = self.framework.db.workspace.hosts.find_by_address(target.host)
|
|
|
|
if not host
|
|
|
|
print_error("No matching host for #{target.host}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
|
|
|
|
if not serv
|
|
|
|
print_error("No matching service for #{target.host}:#{target.port}")
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
#puts "aaa"
|
|
|
|
#puts framework.db.workspace.name
|
|
|
|
|
|
|
|
sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
|
|
|
|
|
|
|
|
#sites = serv.web_sites.find(:all)
|
|
|
|
|
|
|
|
sites.each do |site|
|
|
|
|
#site.vhost
|
|
|
|
#site.web_forms.find_all_by_path(target.path).each do |form|
|
|
|
|
t = load_tree(site)
|
|
|
|
print_tree(t,md,ld)
|
|
|
|
print_line("\n")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Load website structure into a tree
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
def load_tree(s)
|
|
|
|
|
|
|
|
pathchr = '/'
|
|
|
|
|
|
|
|
wtree = Tree.new(s.vhost)
|
|
|
|
|
|
|
|
# Load site pages
|
|
|
|
s.web_pages.find(:all, :order => 'path').each do |req|
|
|
|
|
tarray = req.path.to_s.split(pathchr)
|
|
|
|
tarray.delete("")
|
|
|
|
tpath = Pathname.new(pathchr)
|
|
|
|
tarray.each do |df|
|
|
|
|
wtree.add_at_path(tpath.to_s,df)
|
|
|
|
tpath = tpath + Pathname.new(df.to_s)
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
# Load site forms
|
|
|
|
s.web_forms.each do |req|
|
|
|
|
tarray = req.path.to_s.split(pathchr)
|
|
|
|
tarray.delete("")
|
|
|
|
tpath = Pathname.new(pathchr)
|
|
|
|
tarray.each do |df|
|
|
|
|
wtree.add_at_path(tpath.to_s,df)
|
|
|
|
tpath = tpath + Pathname.new(df.to_s)
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
return wtree
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
# Print Tree structure. Still ugly
|
2010-06-06 03:53:07 +00:00
|
|
|
#
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
def print_tree(tree, maxlevel, limitlevel)
|
|
|
|
initab = " " * 4
|
|
|
|
indent = 6
|
|
|
|
if tree != nil and tree.depth <= maxlevel
|
|
|
|
print initab + (" " * indent * tree.depth)
|
|
|
|
if tree.depth > 0
|
|
|
|
print "|"+("-" * (indent-1))+"/"
|
|
|
|
end
|
|
|
|
if tree.depth >= 0
|
|
|
|
if tree.depth == 0
|
|
|
|
print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n"
|
|
|
|
|
|
|
|
else
|
|
|
|
c = tree.children.count
|
|
|
|
if c > 0
|
|
|
|
print tree.name + " (" + c.to_s+")\n"
|
|
|
|
else
|
|
|
|
print tree.name + "\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
tree.children.each_pair do |name,child|
|
|
|
|
print_tree(child,maxlevel,limitlevel)
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
|
|
|
|
#def print_tree(tree)
|
|
|
|
# if tree.is_leaf? and tree.depth > 0
|
|
|
|
# print_line(("|\t"*(tree.depth-1))+"+------"+tree.name)
|
|
|
|
# else
|
|
|
|
# print_line(("|\t"*tree.depth)+tree.name)
|
|
|
|
# end
|
|
|
|
# tree.children.each_pair do |name,child|
|
|
|
|
# print_tree(child)
|
|
|
|
# end
|
|
|
|
#end
|
|
|
|
|
|
|
|
end
|
2010-06-06 03:53:07 +00:00
|
|
|
|
2011-02-04 05:57:26 +00:00
|
|
|
class WebTarget < ::Hash
|
|
|
|
def to_url
|
|
|
|
proto = self[:ssl] ? "https" : "http"
|
|
|
|
"#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}"
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
def initialize(framework, opts)
|
|
|
|
super
|
2011-02-04 05:57:26 +00:00
|
|
|
|
|
|
|
wmapversion = '1.0'
|
|
|
|
wmapbanner = "[WMAP #{wmapversion}] === et [ ] metasploit.com 2011"
|
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
add_console_dispatcher(WmapCommandDispatcher)
|
2011-02-04 05:57:26 +00:00
|
|
|
print_status("#{wmapbanner}")
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def cleanup
|
|
|
|
remove_console_dispatcher('Wmap')
|
|
|
|
end
|
|
|
|
|
|
|
|
def name
|
|
|
|
"wmap"
|
|
|
|
end
|
|
|
|
|
|
|
|
def desc
|
|
|
|
"Web assessment plugin"
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
end
|
2011-02-04 05:57:26 +00:00
|
|
|
|
2010-06-06 03:53:07 +00:00
|
|
|
end
|