2015-11-19 09:16:32 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Auxiliary::WmapScanServer
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'HTTP Git Scanner',
|
2015-11-24 16:50:21 +00:00
|
|
|
'Description' => %q(
|
2015-11-22 09:18:19 +00:00
|
|
|
This module can detect information disclosure vlnerabilities in
|
|
|
|
|
Git Repository. Git has some files that stores in Git Resitory,
|
|
|
|
|
ex: .git/config, .git/index. We can get a number of personal/
|
|
|
|
|
preferences settings from .git/config, and get source code,
|
|
|
|
|
account information from .git/index.
|
2015-11-24 16:50:21 +00:00
|
|
|
),
|
2015-11-22 09:18:19 +00:00
|
|
|
'Author' => [
|
|
|
|
|
'Nixawk', # module developer
|
|
|
|
|
'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
|
|
|
|
|
],
|
2015-11-19 09:16:32 +00:00
|
|
|
'References' => [
|
|
|
|
|
['URL', 'https://github.com/git/git/blob/master/Documentation/technical/index-format.txt']
|
|
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
2015-11-21 03:06:37 +00:00
|
|
|
OptString.new('TARGETURI', [true, 'The test path to .git directory', '/.git/']),
|
|
|
|
|
OptBool.new('GIT_INDEX', [true, 'Check index file in .git directory', true]),
|
2015-11-24 16:57:19 +00:00
|
|
|
OptBool.new('GIT_CONFIG', [true, 'Check config file in .git directory', true]),
|
|
|
|
|
OptString.new('UserAgent', [ true, 'The HTTP User-Agent sent in the request', 'git/1.7.9.5' ])
|
2015-11-21 03:06:37 +00:00
|
|
|
]
|
|
|
|
|
)
|
2015-11-19 09:16:32 +00:00
|
|
|
end
|
|
|
|
|
|
2015-11-21 03:06:37 +00:00
|
|
|
def req(filename)
|
|
|
|
|
send_request_cgi(
|
|
|
|
|
'uri' => normalize_uri(target_uri, filename)
|
|
|
|
|
)
|
2015-11-19 09:16:32 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def git_index_parse(resp)
|
|
|
|
|
return if resp.blank? || resp.length < 12 # A 12-byte header
|
|
|
|
|
signature = resp[0, 4]
|
2015-11-21 03:06:37 +00:00
|
|
|
return unless signature == 'DIRC'
|
2015-11-19 09:16:32 +00:00
|
|
|
|
2015-11-21 03:06:37 +00:00
|
|
|
version = resp[4, 4].unpack('N')[0].to_i
|
|
|
|
|
entries_count = resp[8, 4].unpack('N')[0].to_i
|
2015-11-19 09:16:32 +00:00
|
|
|
|
2015-11-21 03:06:37 +00:00
|
|
|
return unless version && entries_count
|
|
|
|
|
print_good("#{full_uri} (git repo version #{version}) - #{entries_count} files found")
|
2015-11-19 09:16:32 +00:00
|
|
|
|
|
|
|
|
report_note(
|
|
|
|
|
host: rhost,
|
|
|
|
|
port: rport,
|
|
|
|
|
proto: 'tcp',
|
|
|
|
|
type: 'git_disclosure',
|
2015-11-21 03:06:37 +00:00
|
|
|
data: { full_uri: full_uri, version: version, entries_count: entries_count }
|
2015-11-19 09:16:32 +00:00
|
|
|
)
|
|
|
|
|
end
|
|
|
|
|
|
2015-11-21 03:06:37 +00:00
|
|
|
def git_index
|
|
|
|
|
res = req('index')
|
2015-11-24 17:11:04 +00:00
|
|
|
index_uri = normalize_uri(full_uri, 'index')
|
2015-11-22 09:18:19 +00:00
|
|
|
unless res
|
2015-11-24 17:11:04 +00:00
|
|
|
vprint_error("#{index_uri} - No response received")
|
2015-11-22 09:18:19 +00:00
|
|
|
return
|
|
|
|
|
end
|
2015-11-24 17:11:04 +00:00
|
|
|
vprint_status("#{index_uri} (http status #{res.code})")
|
2015-11-22 09:18:19 +00:00
|
|
|
|
|
|
|
|
git_index_parse(res.body) if res.code == 200
|
2015-11-19 09:16:32 +00:00
|
|
|
end
|
|
|
|
|
|
2015-11-21 03:06:37 +00:00
|
|
|
def git_config
|
|
|
|
|
res = req('config')
|
2015-11-24 17:11:04 +00:00
|
|
|
config_uri = normalize_uri(full_uri, 'config')
|
2015-11-22 09:18:19 +00:00
|
|
|
unless res
|
2015-11-24 17:11:04 +00:00
|
|
|
vprint_error("#{config_uri} - No response received")
|
2015-11-22 09:18:19 +00:00
|
|
|
return
|
2015-11-21 03:06:37 +00:00
|
|
|
end
|
2015-11-24 17:11:04 +00:00
|
|
|
vprint_status("#{config_uri} - (http status #{res.code})")
|
2015-11-21 03:06:37 +00:00
|
|
|
|
2015-11-22 09:18:19 +00:00
|
|
|
return unless res.code == 200 && res.body =~ /\[(?:branch|core|remote)\]/
|
2015-11-24 17:11:04 +00:00
|
|
|
print_good("#{config_uri} (git disclosure - config file Found)")
|
2015-11-21 03:06:37 +00:00
|
|
|
|
2015-11-22 09:18:19 +00:00
|
|
|
report_note(
|
|
|
|
|
host: rhost,
|
|
|
|
|
port: rport,
|
|
|
|
|
proto: 'tcp',
|
|
|
|
|
type: 'git_disclosure',
|
|
|
|
|
data: { full_uri: full_uri }
|
|
|
|
|
)
|
2015-11-21 03:06:37 +00:00
|
|
|
|
2015-11-22 09:18:19 +00:00
|
|
|
path = store_loot('config', 'text/plain', rhost, res.body, full_uri)
|
|
|
|
|
print_good("Saved file to: #{path}")
|
2015-11-21 03:06:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(_target_host)
|
|
|
|
|
vprint_status("#{full_uri} - scanning git disclosure")
|
|
|
|
|
git_index if datastore['GIT_INDEX']
|
|
|
|
|
git_config if datastore['GIT_CONFIG']
|
2015-11-19 09:16:32 +00:00
|
|
|
end
|
|
|
|
|
end
|
