2012-11-01 19:14:38 +00:00
|
|
|
# -*- coding: binary -*-
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This module provides methods for brute forcing authentication
|
|
|
|
#
|
|
|
|
###
|
|
|
|
|
|
|
|
module Auxiliary::Web
|
|
|
|
module Analysis
|
|
|
|
end
|
|
|
|
|
|
|
|
require 'msf/core/auxiliary/web/http'
|
|
|
|
require 'msf/core/auxiliary/web/fuzzable'
|
|
|
|
require 'msf/core/auxiliary/web/form'
|
|
|
|
require 'msf/core/auxiliary/web/path'
|
|
|
|
require 'msf/core/auxiliary/web/target'
|
|
|
|
|
|
|
|
include Auxiliary::Report
|
|
|
|
|
|
|
|
attr_reader :target
|
2012-11-16 21:11:48 +00:00
|
|
|
attr_reader :http
|
2012-11-01 19:14:38 +00:00
|
|
|
attr_reader :parent
|
|
|
|
attr_reader :page
|
|
|
|
|
|
|
|
def initialize( info = {} )
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# String id to push to the #checklist
|
|
|
|
def checked( id )
|
|
|
|
parent.checklist << "#{shortname}#{id}".hash
|
|
|
|
end
|
2012-11-01 19:14:38 +00:00
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# String id to check against the #checklist
|
|
|
|
def checked?( id )
|
|
|
|
parent.checklist.include? "#{shortname}#{id}".hash
|
|
|
|
end
|
2012-11-01 19:14:38 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Called directly before 'run'
|
|
|
|
#
|
|
|
|
def setup( opts = {} )
|
|
|
|
@parent = opts[:parent]
|
|
|
|
@target = opts[:target]
|
|
|
|
@page = opts[:page]
|
2012-11-16 21:11:48 +00:00
|
|
|
@http = opts[:http]
|
2012-11-01 19:14:38 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Should be overridden to return the exploits to use for this
|
|
|
|
# vulnerability type as an Array of Strings.
|
|
|
|
def self.exploits
|
|
|
|
end
|
|
|
|
|
|
|
|
# Must return a configuration Hash for the given exploit and vulnerability.
|
|
|
|
def self.configure_exploit( exploit, vuln )
|
|
|
|
end
|
|
|
|
|
|
|
|
# Should be overridden to return the payloads used for this
|
|
|
|
# vulnerability type as an Array of Strings.
|
|
|
|
def payloads
|
|
|
|
end
|
|
|
|
|
|
|
|
def token
|
|
|
|
"xssmsfpro"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Should be overridden to return a pattern to be matched against response
|
2012-11-16 21:11:48 +00:00
|
|
|
# bodies in order to identify a vulnerability.
|
2012-11-01 19:14:38 +00:00
|
|
|
#
|
|
|
|
# You can go one deeper and override #find_proof for more complex processing.
|
|
|
|
#
|
|
|
|
def signature
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Default #run, will audit all elements using taint analysis and log
|
|
|
|
# results based on #find_proof return values.
|
|
|
|
#
|
|
|
|
def run
|
|
|
|
auditable.each { |element| element.taint_analysis }
|
|
|
|
end
|
|
|
|
|
|
|
|
# Returns an Array of elements prepared to be audited.
|
|
|
|
def auditable
|
|
|
|
target.auditable.map do |element|
|
|
|
|
element.fuzzer = self
|
|
|
|
element
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Checks whether a resource exists based on a path String.
|
2012-11-01 19:14:38 +00:00
|
|
|
def resource_exist?( path )
|
|
|
|
res = http.get( path )
|
|
|
|
res.code.to_i == 200 && !http.custom_404?( path, res.body )
|
|
|
|
end
|
|
|
|
alias :file_exist? :resource_exist?
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Checks whether a directory exists based on a path String.
|
2012-11-01 19:14:38 +00:00
|
|
|
def directory_exist?( path )
|
|
|
|
dir = path.dup
|
|
|
|
dir << '/' if !dir.end_with?( '/' )
|
|
|
|
resource_exist?( dir )
|
|
|
|
end
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Logs the existence of a resource in the path String.
|
2012-11-01 19:14:38 +00:00
|
|
|
def log_resource_if_exists( path )
|
|
|
|
log_resource( :location => path ) if resource_exist?( path )
|
|
|
|
end
|
|
|
|
alias :log_file_if_exists :log_resource_if_exists
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Logs the existence of the directory in the path String.
|
2012-11-01 19:14:38 +00:00
|
|
|
def log_directory_if_exists( path )
|
|
|
|
dir = path.dup
|
|
|
|
dir << '/' if !dir.end_with?( '/' )
|
|
|
|
log_resource_if_exists( dir )
|
|
|
|
end
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Matches fingerprint pattern against the current page's body and logs matches
|
2013-05-14 17:46:17 +00:00
|
|
|
def match_and_log_fingerprint( fingerprint, options = {} )
|
2013-05-10 16:59:12 +00:00
|
|
|
return if (match = page.body.to_s.match( fingerprint ).to_s).empty?
|
2013-05-14 17:46:17 +00:00
|
|
|
log_fingerprint( options.merge( :fingerprint => match ) )
|
2012-11-01 19:14:38 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Serves as a default detection method for when performing taint analysis.
|
|
|
|
#
|
|
|
|
# Uses the Regexp in #signature against the response body in order to
|
|
|
|
# identify vulnerabilities and return a String that proves it.
|
|
|
|
#
|
|
|
|
# Override it if you need more complex processing, but remember to return
|
|
|
|
# the proof as a String.
|
|
|
|
#
|
2012-12-03 22:05:12 +00:00
|
|
|
# response - Auxiliary::Web::HTTP::Response
|
2012-11-01 19:14:38 +00:00
|
|
|
# element - the submitted element
|
|
|
|
#
|
|
|
|
def find_proof( response, element )
|
|
|
|
return if !signature
|
|
|
|
|
|
|
|
m = response.body.match( signature ).to_s
|
|
|
|
return if !m || m.size < 1
|
|
|
|
|
|
|
|
m.gsub( /[\r\n]/, ' ' )
|
|
|
|
end
|
|
|
|
|
|
|
|
def increment_request_counter
|
|
|
|
parent.increment_request_counter
|
|
|
|
end
|
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
# Should be overridden and return an Integer (0-100) denoting the confidence
|
|
|
|
# in the accuracy of the logged vuln.
|
2012-11-01 19:14:38 +00:00
|
|
|
def calculate_confidence( vuln )
|
|
|
|
100
|
|
|
|
end
|
|
|
|
|
|
|
|
def log_fingerprint( opts = {} )
|
2013-03-12 17:19:09 +00:00
|
|
|
mode = name
|
2012-11-16 21:11:48 +00:00
|
|
|
vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]].
|
|
|
|
map { |x| x.to_s }.join( '|' ).hash
|
2012-11-01 19:14:38 +00:00
|
|
|
|
2013-03-08 20:38:23 +00:00
|
|
|
parent.vulns[mode] ||= {}
|
|
|
|
return if parent.vulns[mode].include?( vhash )
|
2012-11-01 19:14:38 +00:00
|
|
|
|
2012-11-16 21:11:48 +00:00
|
|
|
location = opts[:location] ?
|
|
|
|
page.url.merge( URI( opts[:location].to_s )) : page.url
|
|
|
|
|
2012-11-01 19:14:38 +00:00
|
|
|
info = {
|
2012-11-16 21:11:48 +00:00
|
|
|
:web_site => target.site,
|
|
|
|
:path => location.path,
|
|
|
|
:query => location.query,
|
|
|
|
:method => 'GET',
|
|
|
|
:params => [],
|
|
|
|
:pname => 'path',
|
|
|
|
:proof => opts[:fingerprint],
|
|
|
|
:risk => details[:risk],
|
|
|
|
:name => details[:name],
|
|
|
|
:blame => details[:blame],
|
|
|
|
:category => details[:category],
|
2012-11-01 19:14:38 +00:00
|
|
|
:description => details[:description],
|
2012-11-16 21:11:48 +00:00
|
|
|
:owner => self
|
2012-11-01 19:14:38 +00:00
|
|
|
}
|
|
|
|
|
2013-03-01 18:21:02 +00:00
|
|
|
info[:confidence] = calculate_confidence( info )
|
2013-03-08 20:38:23 +00:00
|
|
|
parent.vulns[mode][vhash] = info
|
2013-03-01 18:21:02 +00:00
|
|
|
|
2012-11-01 19:14:38 +00:00
|
|
|
report_web_vuln( info )
|
|
|
|
|
2013-05-14 17:46:17 +00:00
|
|
|
opts[:print_fingerprint] = true if !opts.include?( :print_fingerprint )
|
|
|
|
|
2013-03-12 17:19:09 +00:00
|
|
|
print_good " FOUND(#{mode.to_s}) URL(#{location})"
|
2013-05-14 17:46:17 +00:00
|
|
|
print_good " PROOF(#{opts[:fingerprint]})" if opts[:print_fingerprint]
|
2012-11-01 19:14:38 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def log_resource( opts = {} )
|
2013-03-12 17:19:09 +00:00
|
|
|
mode = name
|
2012-11-16 21:11:48 +00:00
|
|
|
vhash = [target.to_url, mode, opts[:location]].
|
|
|
|
map { |x| x.to_s }.join( '|' ).hash
|
2012-11-01 19:14:38 +00:00
|
|
|
|
2013-03-08 20:38:23 +00:00
|
|
|
parent.vulns[mode] ||= {}
|
|
|
|
return if parent.vulns[mode].include?( vhash )
|
2012-11-01 19:14:38 +00:00
|
|
|
|
|
|
|
location = URI( opts[:location].to_s )
|
|
|
|
info = {
|
2012-11-16 21:11:48 +00:00
|
|
|
:web_site => target.site,
|
|
|
|
:path => location.path,
|
|
|
|
:query => location.query,
|
|
|
|
:method => 'GET',
|
|
|
|
:params => [],
|
|
|
|
:pname => 'path',
|
|
|
|
:proof => opts[:location],
|
|
|
|
:risk => details[:risk],
|
|
|
|
:name => details[:name],
|
|
|
|
:blame => details[:blame],
|
|
|
|
:category => details[:category],
|
2012-11-01 19:14:38 +00:00
|
|
|
:description => details[:description],
|
2012-11-16 21:11:48 +00:00
|
|
|
:owner => self
|
2012-11-01 19:14:38 +00:00
|
|
|
}
|
|
|
|
|
2013-03-01 18:21:02 +00:00
|
|
|
info[:confidence] = calculate_confidence( info )
|
2013-03-08 20:38:23 +00:00
|
|
|
parent.vulns[mode][vhash] = info
|
2013-03-01 18:21:02 +00:00
|
|
|
|
2012-11-01 19:14:38 +00:00
|
|
|
report_web_vuln( info )
|
|
|
|
|
2013-03-12 17:19:09 +00:00
|
|
|
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})"
|
2012-11-01 19:14:38 +00:00
|
|
|
print_good " PROOF(#{opts[:location]})"
|
|
|
|
end
|
|
|
|
|
|
|
|
def process_vulnerability( element, proof, opts = {} )
|
2013-03-12 17:19:09 +00:00
|
|
|
mode = name
|
2012-11-16 21:11:48 +00:00
|
|
|
vhash = [target.to_url, mode, element.altered].
|
|
|
|
map{ |x| x.to_s }.join( '|' ).hash
|
2012-11-01 19:14:38 +00:00
|
|
|
|
|
|
|
parent.vulns[mode] ||= {}
|
|
|
|
return parent.vulns[mode][vhash] if parent.vulns[mode][vhash]
|
|
|
|
|
|
|
|
parent.vulns[mode][vhash] = {
|
2012-11-16 21:11:48 +00:00
|
|
|
:target => target,
|
|
|
|
:method => element.method.to_s.upcase,
|
|
|
|
:params => element.params.to_a,
|
|
|
|
:mode => mode,
|
|
|
|
:pname => element.altered,
|
2013-03-08 19:50:01 +00:00
|
|
|
:proof => proof.to_s,
|
2012-11-16 21:11:48 +00:00
|
|
|
:form => element.model,
|
|
|
|
:risk => details[:risk],
|
|
|
|
:name => details[:name],
|
|
|
|
:blame => details[:blame],
|
|
|
|
:category => details[:category],
|
2012-11-01 19:14:38 +00:00
|
|
|
:description => details[:description]
|
|
|
|
}
|
|
|
|
|
|
|
|
confidence = calculate_confidence( parent.vulns[mode][vhash] )
|
|
|
|
|
2012-11-16 22:07:12 +00:00
|
|
|
parent.vulns[mode][vhash].merge!( :confidence => confidence )
|
2012-11-01 19:14:38 +00:00
|
|
|
|
|
|
|
if !(payload = opts[:payload])
|
|
|
|
if payloads
|
2013-01-29 01:08:53 +00:00
|
|
|
payload = payloads.select { |p|
|
|
|
|
element.altered_value.include?( p )
|
|
|
|
}.sort_by { |p| p.size }.last
|
2012-11-01 19:14:38 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
uri = URI( element.action )
|
|
|
|
info = {
|
2012-11-16 21:11:48 +00:00
|
|
|
:web_site => element.model.web_site,
|
|
|
|
:path => uri.path,
|
|
|
|
:query => uri.query,
|
|
|
|
:method => element.method.to_s.upcase,
|
|
|
|
:params => element.params.to_a,
|
|
|
|
:pname => element.altered,
|
2013-03-08 19:50:01 +00:00
|
|
|
:proof => proof.to_s,
|
2012-11-16 21:11:48 +00:00
|
|
|
:risk => details[:risk],
|
|
|
|
:name => details[:name],
|
|
|
|
:blame => details[:blame],
|
|
|
|
:category => details[:category],
|
2012-11-01 19:14:38 +00:00
|
|
|
:description => details[:description],
|
|
|
|
:confidence => confidence,
|
2012-11-16 21:11:48 +00:00
|
|
|
:payload => payload,
|
|
|
|
:owner => self
|
2012-11-01 19:14:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
report_web_vuln( info )
|
|
|
|
|
2013-03-12 17:19:09 +00:00
|
|
|
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})" +
|
2013-03-01 18:21:02 +00:00
|
|
|
" PARAMETER(#{element.altered}) VALUES(#{element.params})"
|
2012-11-01 19:14:38 +00:00
|
|
|
print_good " PROOF(#{proof})"
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|