From a1e0e0cdd994c16f4bfed4433c235d546a51978d Mon Sep 17 00:00:00 2001
From: JT <shipcodez@gmail.com>
Date: Wed, 7 Oct 2015 11:19:00 +0800
Subject: [PATCH] Add HTTP Host-Header Injection Detection

---
 .../scanner/http/host_header_injection.rb     | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/host_header_injection.rb

diff --git a/modules/auxiliary/scanner/http/host_header_injection.rb b/modules/auxiliary/scanner/http/host_header_injection.rb
new file mode 100644
index 0000000000..c6692f7352
--- /dev/null
+++ b/modules/auxiliary/scanner/http/host_header_injection.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  # Exploit mixins should be called first
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::WmapScanServer
+  # Scanner mixin should be near last
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP Host-Header Injection Detection',
+      'Description' => 'Checks if the host is vulnerable to Host-Header Injection',
+      'Author'       =>
+        [
+          'Jay Turla <@shipcod3>',
+          'Medz Barao <@godflux>'
+        ],
+      'License'     => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html']
+        ]
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETHOST',[true, "The redirector target", "evil.com"]),
+      ],self.class)
+  end
+
+  def run_host(target_host)
+
+    begin
+      p = "#{datastore['TARGETHOST']}"
+      res = send_request_raw({
+        'uri'          => '/',
+        'method'       => 'GET',
+        'headers'      => {
+          'host' => p,
+          'x-forwarded-host' => p,
+        }
+      })
+
+      unless res
+        vprint_error("#{rhost}:#{rport} did not reply to our request")
+        return
+      end
+
+      if res.headers =~ /#{p}/ || res.body =~ /#{p}/
+        print_good("#{rhost}:#{rport} is vulnerable to HTTP Host-Header Injection")
+        report_vuln(
+          :host   => rhost,
+          :port   => rport,
+          :proto  => 'tcp',
+          :sname  => (ssl ? 'https' : 'http'),
+          :info   => "Vulnerable to HTTP Host-Header Injection",
+        )
+      else
+        vprint_error("#{rhost}:#{rport} returned #{res.code} #{res.message}")
+      end
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+    rescue ::Timeout::Error, ::Errno::EPIPE
+    end
+  end
+end