metasploit-framework/plugins/wmap.rb

2260 lines
52 KiB
Ruby
Raw Normal View History

#
# Web assessment for the metasploit framework
# Efrain Torres - et[ ] metasploit.com 2012
#
# $Id$
# $Revision$
#
require 'rabal/tree'
require 'msf/core/rpc/v10/client'
#require 'fileutils'
module Msf
class Plugin::Wmap < Msf::Plugin
class WmapCommandDispatcher
attr_accessor :wmapmodules # Enabled Wmap modules
attr_accessor :targets # Targets
attr_accessor :lastsites # Temp location of previously obtained sites
attr_accessor :rpcarr # Array or rpc connections
attr_accessor :njobs # Max number of jobs
attr_accessor :nmaxdisplay # Flag to stop displaying the same mesg
attr_accessor :runlocal # Flag to run local modules only
attr_accessor :masstop # Flag to stop everything
attr_accessor :killwhenstop # Kill process when exiting
include Msf::Ui::Console::CommandDispatcher
def name
"wmap"
end
#
# The initial command set
#
def commands
{
"wmap_targets" => "Manage targets",
"wmap_sites" => "Manage sites",
"wmap_nodes" => "Manage nodes",
"wmap_run" => "Test targets",
"wmap_modules" => "Manage wmap modules",
"wmap_vulns" => "Display web vulns",
}
end
def cmd_wmap_vulns(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-l'
view_vulns
return
when '-h'
print_status("Usage: wmap_vulns [options]")
print_line("\t-h Display this help text")
print_line("\t-l Display web vulns table")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_modules(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-l'
view_modules
return
when '-r'
load_wmap_modules(true)
return
when '-h'
print_status("Usage: wmap_modules [options]")
print_line("\t-h Display this help text")
print_line("\t-l List all wmap enabled modules")
print_line("\t-r Reload wmap modules")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_targets(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-c'
self.targets = Hash.new()
when '-l'
view_targets
return
when '-t'
process_urls(args.shift)
when '-d'
process_ids(args.shift)
when '-h'
print_status("Usage: wmap_targets [options]")
print_line("\t-h Display this help text")
print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ")
print_line("\t-d [ids] Define target sites (id1, id2, id3 ...)")
print_line("\t-c Clean target sites list")
print_line("\t-l List all target sites")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_sites(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-a'
s = add_web_site(args.shift)
if s
print_status("Site created.")
else
print_error("Unable to create site")
end
when '-l'
view_sites
return
when '-s'
u = args.shift
l = args.shift
s = args.shift
if not u
return
end
if l == nil or l.empty?
l = 200
s = true
else
l = l.to_i
s = false
end
if u.include? 'http'
# Parameters are in url form
view_site_tree(u,l,s)
else
# Parameters are digits
if !self.lastsites or self.lastsites.length == 0
view_sites
print_status ("Web sites ids. referenced from previous table.")
end
target_whitelist = []
ids = u.to_s.split(/,/)
ids.each do |id|
next if id.to_s.strip.empty?
if id.to_i > self.lastsites.length
print_error("Skipping id #{id}...")
else
target_whitelist << self.lastsites[id.to_i]
#print_status("Loading #{self.lastsites[id.to_i]}.")
end
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
self.targets = Hash.new()
end
target_whitelist.each do |ent|
view_site_tree(ent,l,s)
end
end
return
when '-h'
print_status("Usage: wmap_sites [options]")
print_line("\t-h Display this help text")
print_line("\t-a [url] Add site (vhost,url)")
print_line("\t-l List all available sites")
print_line("\t-s [id] Display site structure (vhost,url|ids) (level)")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_nodes(*args)
if not self.rpcarr
self.rpcarr=Hash.new()
end
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-a'
h = args.shift
r = args.shift
s = args.shift
u = args.shift
p = args.shift
res = rpc_add_node(h,r,s,u,p,false)
if res
print_status("Node created.")
else
print_error("Unable to create node")
end
when '-c'
idref = args.shift
if not idref
print_error("No id defined")
return
end
if idref.upcase == 'ALL'
print_status("All nodes removed")
self.rpcarr = Hash.new()
else
idx=0
self.rpcarr.each do |k,v|
if idx == idref.to_i
self.rpcarr.delete(k)
print_status("Node deleted #{k}")
end
idx += 1
end
end
when '-d'
host = args.shift
port = args.shift
user = args.shift
pass = args.shift
dbname = args.shift
res = rpc_db_nodes(host,port,user,pass,dbname)
if res
print_status("OK.")
else
print_error("Error")
end
when '-l'
rpc_list_nodes
return
when '-j'
rpc_view_jobs
return
when '-k'
node = args.shift
jid = args.shift
rpc_kill_node(node,jid)
return
when '-h'
print_status("Usage: wmap_nodes [options]")
print_line("\t-h Display this help text")
print_line("\t-c id Remove id node (Use ALL for ALL nodes")
print_line("\t-a host port ssl user pass Add node")
print_line("\t-d host port user pass db Force all nodes to connect to db")
print_line("\t-j View detailed jobs")
print_line("\t-k ALL|id ALL|job_id Kill jobs on node")
print_line("\t-l List all current nodes")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_run(*args)
# Stop everything
self.masstop = false
self.killwhenstop = true
trap("INT") {
print_error("Stopping execution...")
self.masstop = true
if self.killwhenstop
rpc_kill_node('ALL','ALL')
end
return
}
# Max numbers of concurrent jobs per node
self.njobs = 25
self.nmaxdisplay = false
self.runlocal = false
# Formating
sizeline = 60
wmap_show = 2**0
wmap_expl = 2**1
# Exclude files can be modified by setting datastore['WMAP_EXCLUDE']
wmap_exclude_files = '.*\.(gif|jpg|png*)$'
run_wmap_ssl = true
run_wmap_server = true
run_wmap_dir_file = true
run_wmap_query = true
run_wmap_unique_query = true
run_wmap_generic = true
# If module supports datastore['VERBOSE']
moduleverbose = false
showprogress = false
if not self.rpcarr
self.rpcarr = Hash.new()
end
if not run_wmap_ssl
print_status("Loading of wmap ssl modules disabled.")
end
if not run_wmap_server
print_status("Loading of wmap server modules disabled.")
end
if not run_wmap_dir_file
print_status("Loading of wmap dir and file modules disabled.")
end
if not run_wmap_query
print_status("Loading of wmap query modules disabled.")
end
if not run_wmap_unique_query
print_status("Loading of wmap unique query modules disabled.")
end
if not run_wmap_generic
print_status("Loading of wmap generic modules disabled.")
end
stamp = Time.now.to_f
mode = 0
eprofile = []
using_p = false
using_m = false
usinginipath = false
mname = ''
inipathname = '/'
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-t'
mode |= wmap_show
when '-e'
mode |= wmap_expl
profile = args.shift
if profile
print_status("Using profile #{profile}.")
begin
File.open(profile).each do |str|
if not str.include? '#'
# Not a comment
modname = str.strip
if not modname.empty?
eprofile << modname
end
end
using_p = true
end
rescue
print_error("Profile not found or invalid.")
return
end
else
print_status("Using ALL wmap enabled modules.")
end
when '-m'
mode |= wmap_expl
mname = args.shift
if mname
print_status("Using module #{mname}.")
end
using_m = true
when '-p'
mode |= wmap_expl
inipathname = args.shift
if inipathname
print_status("Using initial path #{inipathname}.")
end
usinginipath = true
when '-h'
print_status("Usage: wmap_run [options]")
print_line("\t-h Display this help text")
print_line("\t-t Show all enabled modules")
print_line("\t-m [regex] Launch only modules that name match provided regex.")
print_line("\t-p [regex] Only test path defined by regex.")
print_line("\t-e [/path/to/profile] Launch profile modules against all matched targets.")
print_line("\t (No profile file runs all enabled modules.)")
print_line("")
return
else
print_error("Unknown flag")
return
end
end
if (self.rpcarr.length == 0) and (mode & wmap_show == 0)
print_error("NO WMAP NODES DEFINED. Executing local modules")
self.runlocal = true
end
if self.targets == nil
print_error("Targets have not been selected.")
return
end
if self.targets.keys.length == 0
print_error("Targets have not been selected.")
return
end
execmod = true
if (mode & wmap_show != 0)
execmod = false
end
self.targets.each_with_index do |t, idx|
selected_host = t[1][:host]
selected_port = t[1][:port]
selected_ssl = t[1][:ssl]
selected_vhost = t[1][:vhost]
print_status ("Testing target:")
print_status ("\tSite: #{selected_vhost} (#{selected_host})")
print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}")
print_line '='* sizeline
print_status("Testing started. #{(Time.now )}")
if not selected_ssl
run_wmap_ssl = false
#print_status ("Target is not SSL. SSL modules disabled.")
end
# wmap_dir, wmap_file
matches = Hash.new()
# wmap_server
matches1 = Hash.new()
# wmap_query
matches2 = Hash.new()
# wmap_ssl
matches3 = Hash.new()
# wmap_unique_query
matches5 = Hash.new()
# wmap_generic
matches10 = Hash.new()
# OPTIONS
opt_str = nil
jobify = false
# This will be clean later
load_wmap_modules(false)
self.wmapmodules.each do |w|
case w[2]
when :wmap_server
if run_wmap_server
matches1[w]=true
end
when :wmap_query
if run_wmap_query
matches2[w]=true
end
when :wmap_unique_query
if run_wmap_unique_query
matches5[w]=true
end
when :wmap_generic
if run_wmap_generic
matches10[w]=true
end
when :wmap_dir, :wmap_file
if run_wmap_dir_file
matches[w]=true
end
when :wmap_ssl
if run_wmap_ssl
matches3[w]=true
end
else
# Black Hole
end
end
# Execution order (orderid)
matches = sort_by_orderid(matches)
matches1 = sort_by_orderid(matches1)
matches2 = sort_by_orderid(matches2)
matches3 = sort_by_orderid(matches3)
matches5 = sort_by_orderid(matches5)
matches10 = sort_by_orderid(matches10)
#
# Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server.
# :wmap_ssl
#
print_status "\n=[ SSL testing ]="
print_line "=" * sizeline
if not selected_ssl
print_status ("Target is not SSL. SSL modules disabled.")
end
idx = 0
matches3.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules that need to be run before all tests, once usually again the web server.
# :wmap_server
#
print_status "\n=[ Web Server testing ]="
print_line "=" * sizeline
idx = 0
matches1.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules to be run at every path/file
# wmap_dir, wmap_file
#
print_status "\n=[ File/Dir testing ]="
print_line "=" * sizeline
idx = 0
matches.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx+=1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins that only need to be
# launched once.
#
wtype = xref[2]
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
test_tree = load_tree(w)
test_tree.each do |node|
if self.masstop
print_error("STOPPED.")
return
end
p = node.current_path
testpath = Pathname.new(p)
strpath = testpath.cleanpath(false).to_s
#
# Fixing paths
#
if node.is_leaf? and not node.is_root?
#
# Later we can add here more checks to see if its a file
#
else
if node.is_root?
strpath = "/"
else
strpath = strpath.chomp + "/"
end
end
strpath = strpath.gsub("//", "/")
#print_status("Testing path: #{strpath}")
#
# Launch plugin depending module type.
# Module type depends on main input type.
# Code may be the same but it depend on final
# versions of plugins
#
case wtype
when :wmap_file
if node.is_leaf? and not node.is_root?
#
# Check if an exclusion regex has been defined
#
if self.framework.datastore['WMAP_EXCLUDE']
excludefilestr = self.framework.datastore['WMAP_EXCLUDE']
else
excludefilestr = wmap_exclude_files
end
if not strpath.match(excludefilestr)
if (not usinginipath) or (usinginipath and strpath.match(inipathname))
modopts['PATH'] = strpath
print_status("Path: #{strpath}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
when :wmap_dir
if (node.is_leaf? and not strpath.include? ".") or node.is_root? or not node.is_leaf?
if (not usinginipath) or (usinginipath and strpath.match(inipathname))
modopts['PATH'] = strpath
print_status("Path: #{strpath}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Run modules for each request to play with URI with UNIQUE query parameters.
# wmap_unique_query
#
print_status "\n=[ Unique Query testing ]="
print_line "=" * sizeline
idx = 0
matches5.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins for each request that have a distinct
# GET/POST URI QUERY string.
#
utest_query = Hash.new()
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |form|
if self.masstop
print_error("STOPPED.")
return
end
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
datastr = ""
typestr = ""
temparr = []
#print_status "---------"
#print_status form.params
#print_status "+++++++++"
form.params.each do |p|
pn, pv, pt = p
if pn
if not pn.empty?
if not pv or pv.empty?
#TODO add value based on param name
pv = "aaa"
end
#temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s)
temparr << pn.to_s + "=" + pv.to_s
end
else
print_error("Blank parameter name. Form #{form.path}")
end
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
if (utest_query.has_key?(signature(form.path,datastr)) == false)
modopts['METHOD'] = form.method.upcase
modopts['PATH'] = form.path
modopts['QUERY'] = form.query
if form.method.upcase == 'GET'
modopts['QUERY'] = datastr
modopts['DATA'] = ""
end
if form.method.upcase == 'POST'
modopts['DATA'] = datastr
end
modopts['TYPES'] = typestr
#
# TODO: Add headers, etc.
#
if (not usinginipath) or (usinginipath and form.path.match(inipathname))
print_status "Path #{form.path}"
#print_status("Unique PATH #{modopts['PATH']}")
#print_status("Unique GET #{modopts['QUERY']}")
#print_status("Unique POST #{modopts['DATA']}")
#print_status("MODOPTS: #{modopts}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
utest_query[signature(form.path,datastr)]=1
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
else
#print_status("Already tested")
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Run modules for each request to play with URI query parameters.
# This approach will reduce the complexity of the Tree used before
# and will make this shotgun implementation much simple.
# wmap_query
#
print_status "\n=[ Query testing ]="
print_line "=" * sizeline
idx = 0
matches2.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if not ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins for each request that have a distinct
# GET/POST URI QUERY string.
#
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |req|
if self.masstop
print_error("STOPPED.")
return
end
datastr = ""
typestr = ""
temparr = []
req.params.each do |p|
pn, pv, pt = p
if pn
if not pn.empty?
if not pv or pv.empty?
#TODO add value based on param name
pv = "aaa"
end
#temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s)
temparr << pn.to_s + "=" + pv.to_s
end
else
print_error("Blank parameter name. Form #{req.path}")
end
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
modopts['METHOD'] = req.method.upcase
modopts['PATH'] = req.path
if req.method.upcase == 'GET'
modopts['QUERY'] = datastr
modopts['DATA'] = ""
end
modopts['DATA'] = datastr if req.method.upcase == 'POST'
modopts['TYPES'] = typestr
#
# TODO: Add method, headers, etc.
#
if (not usinginipath) or (usinginipath and req.path.match(inipathname))
print_status "Path #{req.path}"
#print_status("Query PATH #{modopts['PATH']}")
#print_status("Query GET #{modopts['QUERY']}")
#print_status("Query POST #{modopts['DATA']}")
#print_status("Query TYPES #{typestr}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules that need to be after all tests, once.
# Good place to have modules that analize the test results and/or
# launch exploits.
# :wmap_generic
#
print_status "\n=[ General testing ]="
print_line "=" * sizeline
idx = 0
matches10.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if not ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins that only need to be
# launched once.
#
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
if (mode & wmap_expl != 0)
print_line "+" * sizeline
if not self.runlocal
if execmod
rpc_list_nodes()
print_status("Note: Use wmap_nodes -l to list node status for completion")
end
end
print_line("Launch completed in #{(Time.now.to_f - stamp)} seconds.")
print_line "+" * sizeline
end
print_status("Done.")
end
# EOM
end
def view_targets
if self.targets == nil or self.targets.keys.length == 0
print_status "No targets have been defined"
return
end
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Defined targets',
'Columns' =>
[
'Id',
'Vhost',
'Host',
'Port',
'SSL',
'Path',
])
self.targets.each_with_index { |t, idx|
2012-02-20 00:24:23 +00:00
tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], "\t"+t[1][:path].to_s ]
}
print_status tbl.to_s + "\n"
end
def view_sites
# Clean temporary sites list
self.lastsites = []
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Available sites',
'Columns' =>
[
'Id',
'Host',
'Vhost',
'Port',
'Proto',
'# Pages',
'# Forms',
])
idx = 0
self.framework.db.hosts.each do |bdhost|
bdhost.services.each do |serv|
serv.web_sites.each do |web|
c = web.web_pages.count
f = web.web_forms.count
tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, serv.name, c.to_s, f.to_s ]
idx += 1
turl = web.vhost + "," + serv.name + "://" +bdhost.address.to_s + ":" + serv.port.to_s + "/"
self.lastsites << turl
end
end
end
print_status tbl.to_s + "\n"
end
# Reusing code from hdmoore
#
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
def add_web_site(url)
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
return
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
return
end
ssl = false
if uri.scheme == 'https'
ssl = true
end
site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl)
return site
end
# Code by hdm. Modified two lines by et
#
def process_urls(urlstr)
target_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
next
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
next
end
target_whitelist << [vhost || uri.host, uri]
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
# First time targets are defined
self.targets = Hash.new()
end
target_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
next
end
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
if not serv
print_error("No matching service for #{target.host}:#{target.port}")
next
end
#print_status "aaa"
#print_status framework.db.workspace.name
2012-04-19 15:22:31 +00:00
sites = serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id)
sites.each do |site|
# Initial defaul path
inipath = target.path
if target.path.empty?
inipath = '/'
end
#site.web_forms.find_all_by_path(target.path).each do |form|
ckey = [ site.vhost, host.address, serv.port, inipath].join("|")
if not self.targets[ckey]
self.targets[ckey] = WebTarget.new
self.targets[ckey].merge!({
:vhost => site.vhost,
:host => host.address,
:port => serv.port,
:ssl => (serv.name == "https"),
:path => inipath
})
#self.targets[ckey][inipath] = []
else
print_status("Target already set in targets list.")
end
# Store the form object in the hash for this path
#self.targets[ckey][inipath] << inipath
#end
end
end
end
# Code by hdm. Modified two lines by et
# lastsites contains a temporary array with vhost,url strings so the id can be
# referenced in the array and prevent new sites added in the db to corrupt previous id list.
def process_ids(idsstr)
if !self.lastsites or self.lastsites.length == 0
view_sites
print_status ("Web sites ids. referenced from previous table.")
end
target_whitelist = []
ids = idsstr.to_s.split(/,/)
ids.each do |id|
next if id.to_s.strip.empty?
if id.to_i > self.lastsites.length
print_error("Skipping id #{id}...")
else
target_whitelist << self.lastsites[id.to_i]
print_status("Loading #{self.lastsites[id.to_i]}.")
end
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
self.targets = Hash.new()
end
target_whitelist.each do |ent|
process_urls(ent)
end
end
def view_site_tree(urlstr, md, ld)
if not urlstr
return
end
site_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
next
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
next
end
site_whitelist << [vhost || uri.host, uri]
end
# Skip the DB entirely if no matches
return if site_whitelist.length == 0
vsites = Hash.new()
site_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
next
end
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
if not serv
print_error("No matching service for #{target.host}:#{target.port}")
next
end
Cutting over rails3 to master. This switches the Metasploit Framework to a Rails 3 backend. If you run into new problems (especially around Active Record or your postgresql gem) you should try first updating your Ruby installation to 1.9.3 and use a more recent 'pg' gem. If that fails, we'd love to see your bug report (just drop all the detail you can into an issue on GitHub). In the meantime, you can checkout the rails2 branch, which was branched from master immediately before this cutover. Squashed commit of the following: commit 5802ec851580341c6717dfea529027c12678d35f Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 23:30:12 2012 -0500 Enable MSF_BUNDLE_GEMS mode by default (set to N/F/0 to disable) commit 8102f98dce9eb0c73c4374e40dce09af7b51d060 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 23:30:03 2012 -0500 Add a method to expand win32 file paths commit bda6479d154cf75572dd5de8b66bfde661a55de9 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:53:44 2012 -0500 Fix 1.8.x compatibility commit 101ce4eb17bfdf755ef8c0a5198174668b6cd6fd Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:40:59 2012 -0500 Use verbose instead of stringio commit 5db467ffb593488285576d183b1662093e454b3e Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:30:06 2012 -0500 Hide the iconv warning, were stuck with it due to EBCDIC support commit 63b9cb20eb6a61daf4effb4c8d2761c16ff0c4e0 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:29:58 2012 -0500 Dont use GEM_HOME by default commit ca49271c22c314a4465fff934334df18c704cbc0 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:23:34 2012 -0500 Move Gemfile to root (there be dragons, lets find them) and catch failed bundler loads commit 34af04076a068e9f60c5526045ddbba5fca359fd Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 18:18:29 2012 -0500 Fallback to bundler when not running inside of a installer env commit ed1066a4f3f12fae7d4afc03eb1ab70ffe2f9cf3 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 16:26:55 2012 -0500 Remove a mess of gems that were not actually required commit 21290a73926809e9049a59359449168f740d13d2 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 15:59:10 2012 -0500 Hack around a gem() call that is well-intentioned but an obstacle in this case commit 8e414a8bfab9641c81088d22f73033be5b37a700 Author: Tod Beardsley <todb@metasploit.com> Date: Sun Apr 15 15:06:08 2012 -0500 Ruby, come on. Ducktype this. Please. Use interpolated strings to get the to_s behavior you don't get with just plussing. commit 0fa92c58750f8f84edbecfaab72cd2da5062743f Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 15:05:42 2012 -0500 Add new eventmachine/thin gems commit 819d5e7d45e0a16741d3852df3ed110b4d7abc44 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 15:01:18 2012 -0500 Purge (reimport in a second) commit ea6f3f6c434537ca15b6c6674e31081e27ce7f86 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 14:54:42 2012 -0500 Cleanup uncessary .so files (ext vs lib) commit d219330a3cc563e9da9f01fade016c9ed8cda21c Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 14:53:02 2012 -0500 PG gems built against the older installation environment commit d6e590cfa331ae7b25313ff1471c6148a6b36f3b Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 14:06:35 2012 -0500 Rename to include the version commit a893de222b97ce1222a55324f1811b0262aae2d0 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 13:56:47 2012 -0500 Detect older installation environments and load the arch-lib directories into the search path commit 6444bba0a421921e2ebe2df2323277a586f9736f Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 13:49:25 2012 -0500 Merge in windows gems commit 95efbcfde220917bc7ee08e6083d7b383240d185 Author: Tod Beardsley <todb@metasploit.com> Date: Sun Apr 15 13:49:33 2012 -0500 Report_vuln shouldn't use :include in finder find_or_create_by doesn't take :include as a param. commit c5f99eb87f0874ef7d32fa42828841c9a714b787 Author: David Maloney <DMaloney@rapid7.com> Date: Sun Apr 15 12:44:09 2012 -0500 One more msised Mdm namespace issue commit 2184e2bbc3dd9b0993e8f21d2811a65a0c694d68 Author: David Maloney <DMaloney@rapid7.com> Date: Sun Apr 15 12:33:41 2012 -0500 Fixes some mroe Mdm namespace confusion Fixes #6626 commit 10cee17f391f398bb2be3409137ff7348c7a66ee Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 03:40:44 2012 -0500 Add robots gem (required by webscan) commit 327e674c83850101364c9cca8f8d16da1de3dfb5 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 03:39:05 2012 -0500 Fix missing error checks commit a5a24641866e47e611d7636a3f19ba3b3ed10ac5 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 01:15:37 2012 -0500 Reorder requires and add a method for injecting a new migration path commit 250a5fa5ae8cb05807af022aa4168907772c15f8 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 00:56:09 2012 -0500 Remove missing constant (use string) and add gemcache cleaner commit 37ad6063fce0a41dddedb857fa49aa2c4834a508 Merge: d47ee82 4be0361 Author: Tod Beardsley <todb@metasploit.com> Date: Sun Apr 15 00:40:16 2012 -0500 Merge branch 'master-clone' into rails3-clone commit d47ee82ad7e66de53dd3d3a65649cc37299a2479 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 00:30:03 2012 -0500 cleanup leftovers from gems commit 6d883b5aa8a3a7ddbcde5bfd4521d57c5b30d3c2 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Apr 15 00:25:47 2012 -0500 MDM update with purged DBSave module commit 71e4f2d81f6da221b76150562a16c730888f5925 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 23:19:37 2012 -0500 Add new mdm commit 651cd5adac8211d65e0c8079371d8264e549533a Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 23:19:13 2012 -0500 Update mdm commit 0191a8bd0acec30ddb2a9e9c291111a12378537f Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 22:30:40 2012 -0500 This fixes numerous cases of missed Mdm:: prefixes on db objects commit a2a9bb3f2148622c135663dead80b3367b6f7695 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 18:30:18 2012 -0500 Add eventmachine commit 301ddeb12b906ed3c508613ca894347bedc3b499 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 18:18:12 2012 -0500 A nicer error for folks who need to upgrade pg commit fa6bde1e67b12e2d3d9978f59bbc98e0c1a1a707 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 17:54:55 2012 -0500 Remove bundler requirements commit 2e3ab9ed211303f1116e602b9a450141b71e56a4 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 17:35:38 2012 -0500 Pull in eventmachine with actual .so's this time commit 901fb33ff6b754ce2c2cfd51e3b0b669f6ec600b Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 17:19:12 2012 -0500 Update deps, still need to add eventmachine commit 6b0e17068e8caa0601f3ef81e8dbdb672758fcbe Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 13:07:06 2012 -0500 Handle older installer environments and only allow binary gems when the environment specifically asks for it commit b98eb7873a6342834840424699caa414a5cb172a Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 04:05:13 2012 -0500 Bump version to -testing commit 6ac508c4ba3fdc278aaf8cfe2c58d01de3395431 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 02:25:09 2012 -0500 Remove msf3 subdir commit a27dac5067635a95b4cbb773df1985f2a2dc2c5a Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 02:24:39 2012 -0500 Remove the old busted external commit 5fb5a0fc642b6c301934c319db854cc3145427a1 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 02:03:10 2012 -0500 Add the gemcache loader commit 09e2d89dfd09b9ac0c123fcc4e19816c86725627 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Apr 14 02:02:23 2012 -0500 Purge gemfile/bundler configure in exchange for new gemcache setup commit 3cc0264e1cfb027b515d7f24b95a74b023bd905c Author: Tod Beardsley <todb@metasploit.com> Date: Thu Apr 12 14:11:45 2012 -0500 Mode change on modicon_ladder.apx commit c18b3d56efd639e461137acdc76b4b283fe978d4 Author: HD Moore <hd_moore@rapid7.com> Date: Thu Apr 12 01:38:56 2012 -0500 The go faster button commit ca2a67d51d6d4c7c3ca2e745f8b018279aef668a Merge: 674ee09 b8129f9 Author: Tod Beardsley <todb@metasploit.com> Date: Mon Apr 9 15:50:33 2012 -0500 Merge branch 'master-clone' into rails3-clone Picking up Packetfu upstream changes, all pretty minor commit 674ee097ab8a6bc9608bf377479ccd0b87e7302b Merge: e9513e5 a26e844 Author: Tod Beardsley <todb@metasploit.com> Date: Mon Apr 9 13:57:26 2012 -0500 Merge branch 'master-clone' into rails3-clone Conflicts: lib/msf/core/handler/reverse_http.rb lib/msf/core/handler/reverse_https.rb modules/auxiliary/scanner/discovery/udp_probe.rb modules/auxiliary/scanner/discovery/udp_sweep.rb Resolved conflicts with the reverse_http handlers and the udp probe / scanners byt favoring the more recent changes (which happened to be the intent anyway). The reverse_http and reverse_https changes were mine so I know what the intent was, and @dmaloney-r7 changed udp_probe and udp_sweep to use pcAnywhere_stat instead of merely pcAnywhere, so the intent is clear there as well. commit e9513e54f984fdb100c13b44a1724246779ccb76 Author: David Maloney <dmaloney@melodie.gateway.2wire.net> Date: Fri Apr 6 18:21:46 2012 -0500 Some fixes to how services get reported to prevent issues with the web interface commit adeb44e9aaf1a329a0e587d2b26e678398730422 Author: David Maloney <David_Maloney@rapid7.com> Date: Mon Apr 2 15:39:46 2012 -0500 Some corrections to pcAnywhere discovery modules to distinguish between the two services commit b13900176484fea8f5217a2ef925ae2ad9b7af47 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Mar 31 12:03:21 2012 -0500 Enable additional migration-path parameters, use a temporary directory to bring the database online commit 526b4c56883f461417f71269404faef38639917c Author: David Maloney <David_Maloney@rapid7.com> Date: Wed Mar 28 23:24:56 2012 -0500 A bunch of Mdsm fixes for .kind_of? calls, to make sure we ponit to the right place commit 2cf3143370af808637d164ce59400605300f922c Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 26 16:22:09 2012 -0500 Check for ruby 2.0 as well as 1.9 for encoding override commit 4d0f51b76d89f00f7acbce6b1f00dc6e4c4545ee Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 26 15:36:04 2012 -0500 Remove debug statement commit f5d2335e7745aa1a354f4d6c8fc9d0b3876c472a Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 26 15:01:55 2012 -0500 Be explicit about the Mdm namespace commit bc8be225606d6ea38dd2a85ab4310c1c181a94ee Author: hdm <hdm@hypo.(none)> Date: Mon Mar 26 11:49:51 2012 -0500 Precalculate some uri strings in case the 1000-round generation fails commit 4254f419723349ffb93e4aebdaeabbd7d66bf8c0 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Sat Mar 24 14:03:44 2012 -0500 Removed some non-namespaced calls to Host commit c8190e1bb8ad365fb0d7a1c4a9173e6c739be85c Author: HD Moore <hd_moore@rapid7.com> Date: Tue Mar 20 00:37:00 2012 -0500 Purge the rvmrc, this is causing major headaches commit 76df18588917b7150a3bedf2569710a80bab51f8 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Mar 20 00:31:52 2012 -0500 Switch .rvmrc to the shipping 1.9.3 version commit 7124971d0032b268f4ddf89aca125f15e284f345 Author: David Maloney <David_Maloney@rapid7.com> Date: Mon Mar 12 16:56:40 2012 -0500 Adds mixin for looking up Mime Types by extension commit b7ca8353164c43db6bacb2f3f16afa1269f66e43 Merge: a0b0c75 6b9a219 Author: Matt Buck <techpeace@gmail.com> Date: Tue Mar 6 19:38:53 2012 -0600 Merge from develop. commit a0b0c7528d2b8fabb76b2246a15004bc89239cf0 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Mar 6 11:08:59 2012 -0600 Somehow migration file is new? commit 84d2b3cb1ad6290413c3ea3222ddf9932270b105 Author: David Maloney <David_Maloney@rapid7.com> Date: Wed Feb 29 16:38:55 2012 -0600 Added ability to specify headers to redirects in http server commit e50d27cda83872c616722adb03dc1a6a5e685405 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Feb 4 04:44:50 2012 -0600 Tweak the event dispatcher to enable customer events without a category and trigger http request events from the main exploit mixin. Experimental commit 0e4fd2040df49df2e6cb0e8d2c6240a03d108033 Author: Matt Buck <Matthew_Buck@rapid7.com> Date: Thu Feb 2 22:09:05 2012 -0600 Change Msm -> Mdm in migrations. This is what was preventing migrations from finishing on first boot. commit c94a2961d04eee84adfd42bb01ed7a3e3846b83a Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Wed Feb 1 12:48:48 2012 -0600 Changed Gemfile to use new gem name commit 245c2063f06b4fddbfc607d243796669ef236136 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Wed Feb 1 12:47:42 2012 -0600 Did find/replace for final namespace of Mdm commit 6ed9bf8430b555dcbe62daeddb2f33bd400ab5bc Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Jan 24 10:47:44 2012 -0600 Fix a bunch of namespace issues commit 2fe08d9e4226c27e78d07a00178c58f528cbc72e Author: Matt Buck <Matthew_Buck@rapid7.com> Date: Fri Jan 20 14:37:37 2012 -0600 Update Msm contstants in migrations for initial DB builds. commit 4cc6b8fb0440c6258bf70de77a9153468fea4ea5 Author: Matt Buck <Matthew_Buck@rapid7.com> Date: Fri Jan 20 14:37:25 2012 -0600 Update Gemfile.lock. commit 1cc655b678f0a054a9a783da119237fe3f67faa4 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Thu Jan 19 11:48:29 2012 -0600 Errant Workspaces needed namespace commit 607a78285582c530a68985add33ccf4d899c467a Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Jan 17 15:44:02 2012 -0600 Refactored all models to use the new namespace * Every model using DBManager::* namespace is now Msm namespace * Almost all of this in msf/base/core * Some in modules commit a690cd959b3560fa2284975ca7ecca10c228fb05 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Jan 17 13:41:44 2012 -0600 Move bundler setup commit dae115cc8f7619ca7a827123079cb67fb4d9354b Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Mon Jan 9 15:51:07 2012 -0600 Moved ActiveSupport dep to gem commit d32f8edb6e7f82079b775ffbc2b9a405d1f32b3b Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Mon Jan 9 14:40:05 2012 -0600 Removed model require file commit d0c74cff8c44771e566ec63b03eda10d03b25c42 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Jan 3 16:06:10 2012 -0600 Update some more finds commit 4eb79ea6b58b74c309ab1f1bb0bd35fe9041de46 Author: Trevor Rosen <Trevor_Rosen@rapid7.com> Date: Tue Jan 3 14:21:15 2012 -0600 Yet another dumb commit commit a75febcb593d52fdfe930306b4275829759d81d1 Author: Trevor Rosen <trevor@catapult-creative.com> Date: Thu Dec 29 19:20:51 2011 -0600 Fixing deletion commit dc139ff2fdfc4e7cdee3901dfb863e70913d6b92 Author: Trevor Rosen <trevor@catapult-creative.com> Date: Wed Dec 7 17:06:45 2011 -0600 Fixed erroneous commit commit 531c1e611cf4d23aeb9c48350dabf7630d662d25 Author: Trevor Rosen <trevor@catapult-creative.com> Date: Mon Nov 21 16:11:35 2011 -0600 Remove AR patch stuff; attempting to debug non-connection between MSF and Pro commit 458611224189c7aa27e500aabd373d85dc2dc5c0 Author: Trevor Rosen <trevor@catapult-creative.com> Date: Fri Nov 18 16:17:27 2011 -0600 Drop ActiveRecord/ActiveSupport in preparation for upgrade
2012-04-16 04:35:38 +00:00
sites = serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id)
sites.each do |site|
t = load_tree(site)
print_tree(t,target.host,md,ld)
print_line("\n")
end
end
end
#
# Load website structure into a tree
#
def load_tree(s)
pathchr = '/'
wtree = Tree.new(s.vhost)
# Load site pages
s.web_pages.find(:all, :order => 'path').each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
tpath = Pathname.new(pathchr)
tarray.each do |df|
wtree.add_at_path(tpath.to_s,df)
tpath = tpath + Pathname.new(df.to_s)
end
end
# Load site forms
s.web_forms.each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
tpath = Pathname.new(pathchr)
tarray.each do |df|
wtree.add_at_path(tpath.to_s,df)
tpath = tpath + Pathname.new(df.to_s)
end
end
return wtree
end
#
# Print Tree structure. Still ugly
#
def print_tree(tree, ip, maxlevel, limitlevel)
initab = " " * 4
indent = 6
if tree != nil and tree.depth <= maxlevel
print initab + (" " * indent * tree.depth)
if tree.depth > 0
print "|"+("-" * (indent-1))+"/"
end
if tree.depth >= 0
if tree.depth == 0
print "[#{tree.name}] (#{ip})\n"+initab+(" " * indent)+"\n"
else
c = tree.children.count
if c > 0
print tree.name + " (" + c.to_s+")\n"
else
print tree.name + "\n"
end
end
end
tree.children.each_pair do |name,child|
print_tree(child,ip,maxlevel,limitlevel)
end
end
end
def signature(fpath,fquery)
hsig = Hash.new()
hsig = queryparse(fquery)
#
# Signature of the form ',p1,p2,pn' then to be appended to path: path,p1,p2,pn
#
sigstr = fpath + "," + hsig.map{|p| p[0].to_s}.join(",")
end
def queryparse(query)
params = Hash.new()
query.split(/[&;]/n).each do |pairs|
key, value = pairs.split('=',2)
if params.has_key?(key)
#Error
else
params[key] = value
end
end
params
end
def rpc_add_node(host,port,ssl,user,pass,bypass_exist)
if not self.rpcarr
self.rpcarr = Hash.new()
end
begin
istr = "#{host}|#{port}|#{ssl}|#{user}|#{pass}"
if self.rpcarr.has_key?(istr) and not bypass_exist and self.rpcarr[istr] != nil
print_error("Connection already exists #{istr}")
else
begin
temprpc = ::Msf::RPC::Client.new(
:host => host,
:port => port,
:ssl => ssl
)
rescue
print_error "Unable to connect"
#raise ConnectionError
return
end
res = temprpc.login( user , pass)
if not res
print_error("Unable to authenticate to #{host}:#{port}.")
return
else
res = temprpc.call('core.version')
end
print_status("Connected to #{host}:#{port} [#{res['version']}].")
self.rpcarr[istr] = temprpc
end
rescue
print_error("Unable to connect")
end
end
def local_module_exec(mod,mtype, opts, nmaxjobs)
jobify = false
modinst = framework.modules.create(mod)
if(not modinst)
print_error("Unknown module")
return
end
sess = nil
case mtype
when 'auxiliary'
Msf::Simple::Auxiliary.run_simple(modinst, {
'Action' => opts['ACTION'],
'LocalOutput' => driver.output,
'RunAsJob' => jobify,
'Options' => opts
})
when 'exploit'
if not opts['PAYLOAD']
opts['PAYLOAD'] = WmapCommandDispatcher::Exploit.choose_payload(modinst, opts['TARGET'])
end
sess = Msf::Simple::Exploit.exploit_simple(modinst, {
'Payload' => opts['PAYLOAD'],
'Target' => opts['TARGET'],
'LocalOutput' => driver.output,
'RunAsJob' => jobify,
'Options' => opts
})
else
print_error("Wrong mtype.")
end
if sess
if (jobify == false and sess.interactive?)
print_line
driver.run_single("sessions -q -i #{sess.sid}")
else
print_status("Session #{sess.sid} created in the background.")
end
end
end
def rpc_round_exec(mod,mtype, opts, nmaxjobs)
res = nil
idx = 0
if active_rpc_nodes == 0
if not self.runlocal
print_error("All active nodes not working or removed")
return
end
res = true
else
rpc_reconnect_nodes()
end
if self.masstop
return
end
while not res
if active_rpc_nodes == 0
print_error("All active nodes not working or removed")
return
end
#find the node with less jobs load.
minjobs = nmaxjobs
minconn = nil
nid = 0
self.rpcarr.each do |k,rpccon|
if not rpccon
print_error("Skipping inactive node #{nid} #{k}")
else
begin
currentjobs = rpccon.call('job.list').length
if currentjobs < minjobs
minconn = rpccon
minjobs = currentjobs
end
if currentjobs == nmaxjobs
if self.nmaxdisplay == false
print_error("Node #{nid} reached max number of jobs #{nmaxjobs}")
print_error("Waiting for available node/slot...")
self.nmaxdisplay = true
end
end
#print_status("Node #{nid} #currentjobs #{currentjobs} #min #{minjobs}")
rescue
print_error("Unable to connect. Node #{tarr[0]}:#{tarr[1]}")
self.rpcarr[k]=nil
if active_rpc_nodes == 0
print_error("All active nodes ,not working or removed")
return
else
print_error("Sending job to next node")
next
end
end
end
nid += 1
end
if minjobs < nmaxjobs
res=minconn.call('module.execute', mtype, mod, opts)
self.nmaxdisplay = false
#print_status(">>>#{res} #{mod}")
if res
if res.has_key?("job_id")
return
else
print_error("Unable to execute module in node #{k} #{res}")
end
end
else
#print_status("Max number of jobs #{nmaxjobs} reached in node #{k}")
end
idx += 1
end
if self.runlocal and not self.masstop
local_module_exec(mod,mtype, opts, nmaxjobs)
end
end
def rpc_db_nodes(host,port,user,pass,name)
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
self.rpcarr.each do |k,v|
if v
res = v.call('db.driver',{:driver => 'postgresql'})
res = v.call('db.connect',{:database => name, :host => host, :port => port, :username => user, :password => pass})
res = v.call('db.status')
if res['db'] == name
print_status("db_connect #{res} #{host}:#{port} OK")
else
print_error("Error db_connect #{res} #{host}:#{port}")
end
else
print_error("No connection to node #{k}")
end
end
end
def rpc_reconnect_nodes()
begin
# Sucky 5 mins token timeout.
idx = nil
self.rpcarr.each do |k,rpccon|
if rpccon
idx = k
begin
currentjobs = rpccon.call('job.list').length
rescue
tarr = k.split("|")
rflag = false
res = rpccon.login(tarr[3],tarr[4])
if res
rflag = true
print_error("Reauth to node #{tarr[0]}:#{tarr[1]}")
break
else
raise ConnectionError
end
end
end
end
rescue
print_error("ERROR CONNECTING TO NODE. Disabling #{idx} use wmap_nodes -a to reconnect")
self.rpcarr[idx] = nil
if active_rpc_nodes == 0
print_error("No active nodes")
self.masstop = true
else
#blah
end
end
end
def rpc_kill_node(i,j)
if not i
print_error("Nodes not defined")
return
end
if not j
print_error("Node jobs defined")
return
end
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
idx=0
self.rpcarr.each do |k,rpccon|
if idx == i.to_i or i.upcase == 'ALL'
#begin
if not rpccon
print_error("No connection to node #{idx}")
else
n = rpccon.call('job.list')
n.each do |id,name|
if j==id.to_s or j.upcase == 'ALL'
rpccon.call('job.stop',id)
print_status("Node #{idx} Killed job id #{id} #{name}")
end
end
end
#rescue
# print_error("No connection")
#end
end
idx += 1
end
end
def rpc_view_jobs()
indent = ' '
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
idx=0
self.rpcarr.each do |k,rpccon|
if not rpccon
print_status("[Node ##{idx}: #{k} DISABLED/NO CONNECTION]")
else
arrk = k.split('|')
print_status("[Node ##{idx}: #{arrk[0]} Port:#{arrk[1]} SSL:#{arrk[2]} User:#{arrk[3]}]")
begin
n = rpccon.call('job.list')
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Jobs',
'Columns' =>
[
'Id',
'Job name',
2012-02-20 00:24:23 +00:00
'Target',
'PATH',
])
n.each do |id,name|
jinfo = rpccon.call('job.info',id)
dstore = jinfo['datastore']
2012-02-20 00:24:23 +00:00
tbl << [ id.to_s, name,dstore['VHOST']+":"+dstore['RPORT'],dstore['PATH']]
end
print_status tbl.to_s + "\n"
rescue
print_status("[Node ##{idx} #{k} DISABLED/NO CONNECTION]")
end
end
idx += 1
end
end
# Modified from http://stackoverflow.com/questions/946738/detect-key-press-non-blocking-w-o-getc-gets-in-ruby
def quit?
begin
while c = driver.input.read_nonblock(1)
print_status("Quited")
return true if c == 'Q'
end
false
rescue Errno::EINTR
false
rescue Errno::EAGAIN
false
rescue EOFError
true
end
end
def rpc_mon_nodes()
# Pretty monitor
color = self.opts["ConsoleDriver"].output.supports_color? rescue false
colors = [
'%grn',
'%blu',
'%yel',
'%whi'
]
#begin
loop do
rpc_reconnect_nodes()
idx = 0
self.rpcarr.each do |k,rpccon|
arrk = k.split('|')
v = "NOCONN"
n = 1
c = '%red'
if not rpccon
v = "NOCONN"
n = 1
c = '%red'
else
begin
v = ""
c = '%blu'
rescue
v = "ERROR"
c = '%red'
end
begin
n = rpccon.call('job.list').length
c = '%blu'
rescue
n = 1
v = "NOCONN"
c = '%red'
end
end
#begin
if not @stdio
@stdio = Rex::Ui::Text::Output::Stdio.new
end
if color == true
@stdio.auto_color
else
@stdio.disable_color
end
msg = "[#{idx}] #{"%bld#{c}||%clr"*n} #{n} #{v}\n"
@stdio.print_raw(@stdio.substitute_colors(msg))
#rescue
#blah
#end
sleep(2)
idx += 1
end
end
#rescue
# print_status("End.")
#end
end
def rpc_list_nodes()
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Nodes',
'Columns' =>
[
'Id',
'Host',
'Port',
'SSL',
'User',
'Pass',
'Status',
'#jobs',
])
idx=0
rpc_reconnect_nodes()
self.rpcarr.each do |k,rpccon|
arrk = k.split('|')
if not rpccon
v = "NOCONN"
n = ""
else
begin
v = rpccon.call('core.version')['version']
rescue
v = "ERROR"
end
begin
n = rpccon.call('job.list').length
rescue
n = ""
end
end
tbl << [ idx.to_s, arrk[0], arrk[1], arrk[2], arrk[3], arrk[4], v, n]
idx += 1
end
print_status tbl.to_s + "\n"
end
def active_rpc_nodes
if self.rpcarr.length == 0
return 0
else
idx = 0
self.rpcarr.each do |k,conn|
if conn
idx += 1
end
end
return idx
end
end
def view_modules
indent = ' '
wmaptype = [:wmap_ssl,
:wmap_server,
:wmap_dir,
:wmap_file,
:wmap_unique_query,
:wmap_query,
:wmap_generic
]
if not self.wmapmodules
load_wmap_modules(true)
end
wmaptype.each do |modt|
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => modt.to_s,
'Columns' =>
[
'Name',
'OrderID',
])
idx = 0
self.wmapmodules.each do |w|
oid = w[3]
if w[3] == 0xFFFFFF
oid = ":last"
end
if w[2] == modt
tbl << [w[0],oid]
idx += 1
end
end
print_status tbl.to_s + "\n"
end
end
# Yes sorting hashes dont make sense but actually it does when you are enumerating one. And
# sort_by of a hash returns an array so this is the reason for this ugly piece of code
def sort_by_orderid(m)
temphash=Hash.new()
temparr=[]
temparr = m.sort_by do |xref,v|
xref[3]
end
temparr.each do |b|
temphash[b[0]] = b[1]
end
temphash
end
# Load all wmap modules
def load_wmap_modules(reload)
if reload or not self.wmapmodules
print_status("Loading wmap modules...")
self.wmapmodules=[]
idx = 0
[ [ framework.auxiliary, 'auxiliary' ], [framework.exploits, 'exploit' ] ].each do |mtype|
# Scan all exploit modules for matching references
mtype[0].each_module do |n,m|
e = m.new
# Only include wmap_enabled plugins
if e.respond_to?("wmap_enabled")
penabled = e.wmap_enabled
if penabled
self.wmapmodules << [mtype[1]+'/'+n,mtype[1],e.wmap_type,e.orderid]
idx += 1
end
end
end
end
print_status("#{idx} wmap enabled modules loaded.")
end
end
def view_vulns
framework.db.hosts.each do |host|
host.services.each do |serv|
serv.web_sites.each do |site|
site.web_vulns.each do |wv|
print_status("+ [#{host.address}] (#{site.vhost}): #{wv.category} #{wv.path}")
print_status("\t#{wv.name} #{wv.description}")
print_status("\t#{wv.method} #{wv.proof}")
end
end
end
end
end
end
class WebTarget < ::Hash
def to_url
proto = self[:ssl] ? "https" : "http"
"#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}"
end
end
def initialize(framework, opts)
super
color = self.opts["ConsoleDriver"].output.supports_color? rescue false
wmapversion = '1.5.1'
wmapbanner = "%red\n.-.-.-..-.-.-..---..---.%clr\n"
wmapbanner += "%red| | | || | | || | || |-'%clr\n"
wmapbanner += "%red`-----'`-'-'-'`-^-'`-'%clr\n"
wmapbanner += "[WMAP #{wmapversion}] === et [ ] metasploit.com 2012\n"
if not @stdio
@stdio = Rex::Ui::Text::Output::Stdio.new
end
if color == true
@stdio.auto_color
else
@stdio.disable_color
end
@stdio.print_raw(@stdio.substitute_colors(wmapbanner))
add_console_dispatcher(WmapCommandDispatcher)
#print_status("#{wmapbanner}")
end
def cleanup
remove_console_dispatcher('wmap')
end
def name
"wmap"
end
def desc
"Web assessment plugin"
end
protected
end
end