metasploit-framework/modules/auxiliary/scanner/http/webdav_internal_ip.rb

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary
	
	# Exploit mixins should be called first
	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::WMAPScanServer
	# Scanner mixin should be near last
	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report

	def initialize
		super(
			'Name'        => 'HTTP WebDAV Internal IP Scanner',
			'Version'     => '$Revision$',
			'Description' => 'Detect webservers internal IPs though WebDAV',
			'Author'       => ['et'],
			'License'     => MSF_LICENSE
		)
		
	end

	def run_host(target_host)

		begin
			res = send_request_cgi({
				'uri'          => '/',					
				'method'       => 'PROPFIND',
				'data'	=>	'',
				'ctype'   => 'text/xml',
				'version' => '1.0',
				'vhost' => '',
			}, 10)

						
			if res and res.body 
				# short regex 
				intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i

				#print_status("#{res.body}")

				result = res.body.scan(intipregex).uniq
				

				result.each do |addr|
					print_status("Found internal IP in WebDAV response (#{target_host}) #{addr}")
					
					report_note(
						:host	=> target_host,
						:proto	=> 'HTTP',
						:port	=> rport,
						:type	=> 'INTERNAL_IP',
						:data	=> "#{addr}"
					)
				end
			end	
			
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
		rescue ::Timeout::Error, ::Errno::EPIPE
		end
	end
end
More webdav modules to grab information git-svn-id: file:///home/svn/framework3/trunk@6947 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-10 00:01:38 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Auxiliary`

			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::WMAPScanServer`
			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize`
			`super(`
			`'Name' => 'HTTP WebDAV Internal IP Scanner',`
Keywords on all modules, plugins, and scripts git-svn-id: file:///home/svn/framework3/trunk@7550 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-17 00:05:19 +00:00			`'Version' => '$Revision$',`
More webdav modules to grab information git-svn-id: file:///home/svn/framework3/trunk@6947 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-10 00:01:38 +00:00			`'Description' => 'Detect webservers internal IPs though WebDAV',`
			`'Author' => ['et'],`
			`'License' => MSF_LICENSE`
			`)`

			`end`

			`def run_host(target_host)`

			`begin`
			`res = send_request_cgi({`
			`'uri' => '/',`
			`'method' => 'PROPFIND',`
			`'data' => '',`
			`'ctype' => 'text/xml',`
			`'version' => '1.0',`
			`'vhost' => '',`
			`}, 10)`


			`if res and res.body`
			`# short regex`
			`intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i`

			`#print_status("#{res.body}")`

			`result = res.body.scan(intipregex).uniq`

Replaced reporting to use notes git-svn-id: file:///home/svn/framework3/trunk@7605 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-25 06:08:28 +00:00
			`result.each do \|addr\|`
			`print_status("Found internal IP in WebDAV response (#{target_host}) #{addr}")`

			`report_note(`
			`:host => target_host,`
			`:proto => 'HTTP',`
			`:port => rport,`
			`:type => 'INTERNAL_IP',`
			`:data => "#{addr}"`
			`)`
More webdav modules to grab information git-svn-id: file:///home/svn/framework3/trunk@6947 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-10 00:01:38 +00:00			`end`
			`end`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
			`end`