2010-11-13 06:40:56 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'rex/proto/http'
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2010-11-13 06:55:19 +00:00
|
|
|
include Msf::Auxiliary::HttpCrawler
|
2010-11-13 06:40:56 +00:00
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Web Site Crawler',
|
|
|
|
'Version' => '$Revision$',
|
2010-11-13 06:55:19 +00:00
|
|
|
'Description' => 'Crawl a web site and store information about what was found',
|
2010-11-13 06:40:56 +00:00
|
|
|
'Author' => 'hdm',
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
=begin
|
|
|
|
# Prefer dynamic content over non-dynamic
|
|
|
|
def focus_crawl(page)
|
|
|
|
page.links
|
|
|
|
end
|
|
|
|
=end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
#
|
2011-03-17 21:21:21 +00:00
|
|
|
# The main callback from the crawler, redefines crawler_process_page() as
|
|
|
|
# defined by Msf::Auxiliary::HttpCrawler
|
2010-11-13 06:40:56 +00:00
|
|
|
#
|
|
|
|
# Data we will report:
|
|
|
|
# - The path of any URL found by the crawler (web.uri, :path => page.path)
|
|
|
|
# - The occurence of any form (web.form :path, :type (get|post|path_info), :params)
|
|
|
|
#
|
2010-11-14 19:03:24 +00:00
|
|
|
def crawler_process_page(t, page, cnt)
|
2011-02-08 17:32:37 +00:00
|
|
|
msg = "[#{"%.5d" % cnt}/#{"%.5d" % max_page_count}] #{page.code || "ERR"} - #{t[:vhost]} - #{page.url}"
|
2010-11-13 06:40:56 +00:00
|
|
|
case page.code
|
|
|
|
when 301,302
|
|
|
|
if page.headers and page.headers["location"]
|
|
|
|
print_status(msg + " -> " + page.headers["location"].to_s)
|
|
|
|
else
|
|
|
|
print_status(msg)
|
|
|
|
end
|
|
|
|
when 500...599
|
|
|
|
# XXX: Log the fact that we hit an error page
|
|
|
|
print_good(msg)
|
|
|
|
when 401,403
|
|
|
|
print_good(msg)
|
|
|
|
when 200
|
|
|
|
print_status(msg)
|
|
|
|
when 404
|
|
|
|
print_error(msg)
|
|
|
|
else
|
|
|
|
print_error(msg)
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
#
|
|
|
|
# Process the web page
|
|
|
|
#
|
|
|
|
|
2010-11-14 19:03:24 +00:00
|
|
|
info = {
|
2011-02-08 17:32:37 +00:00
|
|
|
:web_site => t[:site],
|
2010-11-13 06:40:56 +00:00
|
|
|
:path => page.url.path,
|
|
|
|
:query => page.url.query,
|
|
|
|
:code => page.code,
|
|
|
|
:body => page.body,
|
|
|
|
:headers => page.headers
|
|
|
|
}
|
|
|
|
|
|
|
|
if page.headers['content-type']
|
|
|
|
info[:ctype] = page.headers['content-type']
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
if page.headers['set-cookie']
|
|
|
|
info[:cookie] = page.headers['set-cookie']
|
|
|
|
end
|
|
|
|
|
|
|
|
if page.headers['authorization']
|
|
|
|
info[:auth] = page.headers['authorization']
|
|
|
|
end
|
|
|
|
|
|
|
|
if page.headers['location']
|
|
|
|
info[:location] = page.headers['location']
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
if page.headers['last-modified']
|
|
|
|
info[:mtime] = page.headers['last-modified']
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# Report the web page to the database
|
|
|
|
report_web_page(info)
|
|
|
|
|
|
|
|
# Only process interesting response codes
|
|
|
|
return if not [302, 301, 200, 500, 401, 403, 404].include?(page.code)
|
|
|
|
|
2010-11-14 19:03:24 +00:00
|
|
|
#
|
2010-11-13 06:40:56 +00:00
|
|
|
# Skip certain types of forms right off the bat
|
|
|
|
#
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# Apache multiview directories
|
|
|
|
return if page.url.query =~ /^C=[A-Z];O=/ # Apache
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# Scrub out the jsessionid appends
|
|
|
|
page.url.path = page.url.path.sub(/;jsessionid=[a-zA-Z0-9]+/, '')
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
#
|
|
|
|
# Continue processing forms
|
2010-11-14 19:03:24 +00:00
|
|
|
#
|
2010-11-13 06:40:56 +00:00
|
|
|
forms = []
|
2011-02-08 17:32:37 +00:00
|
|
|
form_template = { :web_site => t[:site] }
|
2010-11-13 06:40:56 +00:00
|
|
|
form = {}.merge(form_template)
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# This page has a query parameter we can test with GET parameters
|
|
|
|
# ex: /test.php?a=b&c=d
|
|
|
|
if page.url.query and not page.url.query.empty?
|
|
|
|
form[:method] = 'GET'
|
|
|
|
form[:path] = page.url.path
|
|
|
|
vars = page.url.query.split('&').map{|x| x.split("=", 2) }
|
|
|
|
form[:params] = vars
|
|
|
|
end
|
|
|
|
|
|
|
|
# This is a REST-ish application with numeric parameters
|
|
|
|
# ex: /customers/343
|
|
|
|
if not form[:path] and page.url.path.to_s =~ /(.*)\/(\d+)$/
|
|
|
|
path_base = $1
|
|
|
|
path_info = $2
|
|
|
|
form[:method] = 'PATH'
|
|
|
|
form[:path] = path_base
|
|
|
|
form[:params] = [['PATH', path_info]]
|
|
|
|
form[:query] = page.url.query.to_s
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# This is an application that uses PATH_INFO for parameters:
|
|
|
|
# ex: /index.php/Main_Page/Article01
|
|
|
|
if not form[:path] and page.url.path.to_s =~ /(.*\/[a-z09A-Z]{3,256}\.[a-z09A-Z]{2,8})(\/.*)/
|
|
|
|
path_base = $1
|
|
|
|
path_info = $2
|
|
|
|
form[:method] = 'PATH'
|
|
|
|
form[:path] = path_base
|
|
|
|
form[:params] = [['PATH', path_info]]
|
|
|
|
form[:query] = page.url.query.to_s
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# Done processing URI-based forms
|
|
|
|
forms << form
|
|
|
|
|
|
|
|
if page.doc
|
|
|
|
page.doc.css("form").each do |f|
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
target = page.url
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
if f['action'] and not f['action'].strip.empty?
|
2010-11-14 19:03:24 +00:00
|
|
|
action = f['action']
|
|
|
|
|
|
|
|
# Prepend relative URLs with the current directory
|
2010-11-13 06:40:56 +00:00
|
|
|
if action[0,1] != "/" and action !~ /\:\/\//
|
|
|
|
# Extract the base href first
|
|
|
|
base = target.path.gsub(/(.*\/)[^\/]+$/, "\\1")
|
|
|
|
page.doc.css("base").each do |bref|
|
|
|
|
if bref['href']
|
|
|
|
base = bref['href']
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
end
|
2010-11-13 06:40:56 +00:00
|
|
|
action = (base + "/").sub(/\/\/$/, '/') + action
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
target = page.to_absolute(URI( action )) rescue next
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
if not page.in_domain?(target)
|
|
|
|
# Replace 127.0.0.1 and non-qualified hostnames with our page.host
|
|
|
|
# ex: http://localhost/url OR http://www01/url
|
|
|
|
target_uri = URI(target.to_s)
|
|
|
|
if (target_uri.host.index(".").nil? or target_uri.host == "127.0.0.1")
|
|
|
|
target_uri.host = page.url.host
|
|
|
|
target = target_uri
|
|
|
|
else
|
|
|
|
next
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
form = {}.merge!(form_template)
|
|
|
|
form[:method] = (f['method'] || 'GET').upcase
|
|
|
|
form[:query] = target.query.to_s if form[:method] != "GET"
|
|
|
|
form[:path] = target.path
|
|
|
|
form[:params] = []
|
|
|
|
f.css('input', 'textarea').each do |inp|
|
|
|
|
form[:params] << [inp['name'].to_s, inp['value'] || inp.content || '', { :type => inp['type'].to_s }]
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# XXX: handle SELECT elements
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
forms << form
|
|
|
|
end
|
|
|
|
end
|
2010-11-14 19:03:24 +00:00
|
|
|
|
2010-11-13 06:40:56 +00:00
|
|
|
# Report each of the discovered forms
|
|
|
|
forms.each do |form|
|
|
|
|
next if not form[:method]
|
|
|
|
print_status((" " * 24) + "FORM: #{form[:method]} #{form[:path]}")
|
|
|
|
report_web_form(form)
|
|
|
|
self.form_count += 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|