Multiple bug fixes. Fixed query modules now resolved to correct function. Corrected in proxy and wmap code handling of RHOSTS as hostnames are not in use. Fixed reporting as target port was not handled properly and modules modified to reflect new wmap_target methods.

git-svn-id: file:///home/svn/framework3/trunk@5869 4d416f70-5f16-0410-b530-b9f4589650da
unstable
et 2008-11-10 04:38:05 +00:00
parent 23274e6efc
commit b4cbe4ff8d
17 changed files with 259 additions and 167 deletions


@ -42,6 +42,7 @@ content
core
custom
customers
CVS
data
database
db
@ -152,6 +153,7 @@ search
sections
secure
server
share
shared
shop
shopping_cart
@ -200,4 +202,4 @@ wp-login
wp-register
ws
ws4ee
xml
xml


@ -25,6 +25,7 @@ CVS
CYBERDOCS
CYBERDOCS25
CYBERDOCS31
Entries
INSTALL_admin
Log
Logs


@ -69,93 +69,93 @@ WMAPScanBody - Runs for every Body found in each request to the target
WMAPScanHeaders - Runs for every Header found in each request to the target
WMAPScanGeneric - Modules to be run after all tests complete. Good place to
perform passive analysis of responses, analysis of test
results to launch other modules (i.e. exploits).
=[ Reporting.
Each module is capable of storing reporting information.
Reporting key concepts:
+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e vulnerabilities) but also any relevant
data (i.e. Database name from a SQL injection)
+ Data is available to other modules so reporting becomes a method to
share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database
table
+ Every report entry has a parent_id the top parent_id is 0 and only used
to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming
convention. (very useful to store vulnerabilities discovered in year 2060).
So how it works:
When q module is executed (using WMAP 'wmap_run -e' or standalone):
WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:
Example:
if (vulnerability is found)
print_status("FOUND BLAH BLAH BLAH")
#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
)
# REPORT ABOUT THE FINDING
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
vulnerability was found in the following URL in the parameter 'test'")
# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
# OF INJECTION.
NOTE: wmap_report() returns the id of this entry
wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
end
If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.
Anything can be represented and reported and other modules will have access to this information to do
whatever they want.
To view available reports use the 'wmap_reports' command:
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.
results to launch other modules (i.e. exploits).
=[ Reporting.
Each module is capable of storing reporting information.
Reporting key concepts:
+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e vulnerabilities) but also any relevant
data (i.e. Database name from a SQL injection)
+ Data is available to other modules so reporting becomes a method to
share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database
table
+ Every report entry has a parent_id the top parent_id is 0 and only used
to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming
convention. (very useful to store vulnerabilities discovered in year 2060).
So how it works:
When q module is executed (using WMAP 'wmap_run -e' or standalone):
WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:
Example:
if (vulnerability is found)
print_status("FOUND BLAH BLAH BLAH")
#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
)
# REPORT ABOUT THE FINDING
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
vulnerability was found in the following URL in the parameter 'test'")
# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
# OF INJECTION.
NOTE: wmap_report() returns the id of this entry
wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
end
If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.
Anything can be represented and reported and other modules will have access to this information to do
whatever they want.
To view available reports use the 'wmap_reports' command:
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.
=[ Simple example.
The following are the basic steps for testing a web server/app using WMAP:
@ -169,7 +169,7 @@ The following are the basic steps for testing a web server/app using WMAP:
ratproxy (ratproxy_wmap.diff applied) basic example:
$ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db
$ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db -a
ratproxy version 1.51-beta by <lcamtuf@google.com>
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...
@ -216,19 +216,19 @@ The following are the basic steps for testing a web server/app using WMAP:
msf > wmap_targets -r
[*] Reloading targets...
[*] Added. metasploit.com 80 0
[*] Added. target.com 80 0
[*] Added. framework.metasploit.com 80 0
[*] Added. www.uninformed.org 80 0
[*] Added. 192.168.1.1 80 0
[*] Added. 192.168.2.10 80 0
[*] Added. 192.168.5.11 80 0
[*] Added. 192.168.1.3 80 0
6. View available targets;
msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. metasploit.com 80
[*] 2. target.com 80
[*] 3. framework.metasploit.com 80
[*] 4. www.uninformed.org 80
[*] 1. 192.168.1.1 80
[*] 2. 192.168.2.10 80
[*] 3. 192.168.5.11 80
[*] 4. 192.168.1.3 80
[*] Done.
7. Select target (i.e. select target.com);
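Review bot: step 7 still reads "(i.e. select target.com)" while the target listings in this hunk were changed to show only IP addresses, so the step no longer matches its own output. Reword it to refer to the entry by Id or by the address shown (192.168.2.10). The later `setg VHOST www.targetco.com` example is the natural place to explain that the hostname is now supplied separately.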
@ -236,16 +236,16 @@ The following are the basic steps for testing a web server/app using WMAP:
msf > wmap_targets -s 2
msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. metasploit.com 80
[*] => 2. target.com 80
[*] 3. framework.metasploit.com 80
[*] 4. www.uninformed.org 80
[*] 1. 192.168.1.1 80
[*] => 2. 192.168.2.10 80
[*] 3. 192.168.5.11 80
[*] 4. 192.168.1.3 80
[*] Done.
8. View target website structure;
msf > wmap_website
[*] Website structure
[*] target.com:80 SSL:0
[*] 192.168.2.10:80 SSL:0
ROOT_TREE
+------ index.asp
| images
@ -273,7 +273,10 @@ The following are the basic steps for testing a web server/app using WMAP:
this can be done with the 'setg' command.
Example:
msf > setg VHOST www.targetco.com
VHOST => www.targetco.com
msf > setg DOMAIN targetco.com
DOMAIN => targetco.com
@ -298,7 +301,7 @@ The following are the basic steps for testing a web server/app using WMAP:
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against
www.targetco.com:80
[*] http://xxx.xxx.xxx.xxx:80 is running Apache
[*] FrontPage not found on http://200.41.9.39:80 [302 Object Moved]
[*] FrontPage not found on http://192.168.2.10:80 [302 Object Moved]
...
...
[*] Done.
@ -309,7 +312,7 @@ This is first release version of WMAP and as you know, the Metasploit project
welcomes feedback, comments, ideas, patches, module, etc. This TODO list is
more of a placeholder of the things you may see in the near future.
- Add more commands
- Add more commands
- Add more types of reports (PDF, XML, etc.)
- Develop more modules
- Create more module types to perform tasks like response analysis


@ -1,6 +1,5 @@
diff -Naur ratproxy/Makefile ratproxymod/Makefile
--- ratproxy/Makefile 2008-06-10 11:44:28.000000000 +0000
+++ ratproxymod/Makefile 2008-09-25 18:53:31.000000000 +0000
--- ratproxy/Makefile 2008-06-10 06:44:28.000000000 -0500
+++ ratproxymod/Makefile 2008-11-06 16:36:22.000000000 -0600
@@ -21,7 +21,7 @@
PROGNAME = ratproxy
@ -10,9 +9,8 @@ diff -Naur ratproxy/Makefile ratproxymod/Makefile
all: $(PROGNAME) flare-check
diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
--- ratproxy/ratproxy.c 2008-07-03 06:27:15.000000000 +0000
+++ ratproxymod/ratproxy.c 2008-09-25 22:15:54.000000000 +0000
--- ratproxy/ratproxy.c 2008-07-03 01:27:15.000000000 -0500
+++ ratproxymod/ratproxy.c 2008-11-06 16:36:24.000000000 -0600
@@ -43,6 +43,9 @@
#include <openssl/md5.h>
#include <time.h>
@ -23,15 +21,20 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
#include "config.h"
#include "types.h"
#include "debug.h"
@@ -75,6 +78,7 @@
@@ -75,8 +78,11 @@
_u8* use_proxy; /* Upstream proxy */
_u8* trace_dir; /* Trace directory */
+_u8* db_file; /* Sqlite3 DB */
_u32 proxy_port = 8080; /* Upstream proxy port */
_u8 use_len; /* Use length, not cksum */
-_u8 use_len; /* Use length, not cksum */
+_u8 use_len; /* Use length, not cksum */
+
+_u8 ip_addr[18];
@@ -90,6 +94,7 @@
static FILE* outfile; /* Output file descriptor */
@@ -90,6 +96,7 @@
" -p port - listen on a custom TCP port (default: 8080)\n"
" -d domain - analyze requests to specified domains only (default: all)\n"
" -P host:port - use upstream proxy for all requests (format host:port)\n"
@ -39,7 +42,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
" -r - accept remote connections (default: 127.0.0.1 only)\n"
" -l - use response length, not checksum, for identity check\n"
" -2 - perform two, not one, page identity check\n"
@@ -111,7 +116,8 @@
@@ -111,7 +118,8 @@
"Example settings suitable for most tests:\n"
" 1) Low verbosity : -v <outdir> -w <outfile> -d <domain> -lfscm\n"
" 2) High verbosity : -v <outdir> -w <outfile> -d <domain> -lextifscgjm\n"
@ -49,7 +52,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
"Multiple -d options are allowed. Consult the documentation for more.\n", argv0);
@@ -538,12 +544,23 @@
@@ -538,12 +546,23 @@
static _u8 dump_fn[1024];
static _u8 dumped_already;
@ -73,7 +76,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
if (!trace_dir) return "-";
@@ -551,6 +568,109 @@
@@ -551,6 +570,109 @@
if (dumped_already) return dump_fn;
dumped_already = 1;
@ -147,7 +150,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
+ if(rc==SQLITE_OK){
+ //fprintf(stderr, "SQL OK: retries %d\n", kr++);
+
+ sqlite3_bind_text(pStmt, 1, req->host, -1, SQLITE_STATIC);
+ sqlite3_bind_text(pStmt, 1, ip_addr, -1, SQLITE_STATIC);
+ sqlite3_bind_int(pStmt, 2, req->port);
+ sqlite3_bind_int(pStmt, 3, req->from_ssl);
+ sqlite3_bind_text(pStmt, 4, req->method, -1, SQLITE_STATIC);
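Review bot: binding `ip_addr` in place of `req->host` as parameter 1 means the requests table no longer records the hostname the client asked for, so two name-based virtual hosts on one address are stored as the same target. Consider keeping `req->host` in its own column alongside the resolved address. `ip_addr` is also a global filled in by the lookup in http.c, so this insert depends on that lookup having already run for the current request; a short comment stating that ordering would help.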
@ -183,7 +186,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
sprintf(dump_fn,"%.512s/%08x-%04x.trace",trace_dir,(_u32)time(0),getpid());
f = open(dump_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
@@ -594,6 +714,7 @@
@@ -594,6 +716,7 @@
fclose(out);
close(f);
@ -191,7 +194,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
return dump_fn;
}
@@ -1653,7 +1774,7 @@
@@ -1653,7 +1776,7 @@
debug("ratproxy version " VERSION " by <lcamtuf@google.com>\n");
@ -200,7 +203,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
switch (opt) {
case 'w': {
@@ -1761,6 +1882,11 @@
@@ -1761,6 +1884,11 @@
use_any = 1;
break;
@ -212,3 +215,34 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
default:
usage(argv[0]);
}
--- ratproxy/http.c 2008-06-10 07:28:26.000000000 -0500
+++ ratproxymod/http.c 2008-11-06 16:36:24.000000000 -0600
@@ -32,6 +32,7 @@
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@@ -57,6 +58,8 @@
static _u8 srv_buf[MAXLINE], /* libc IO buffers */
cli_buf[MAXLINE];
+extern _u8 ip_addr[18];
+
/* Read a single line of HTTP headers, strip whitespaces */
static _u8* grab_line(FILE* where) {
@@ -657,7 +660,10 @@
struct hostent* he;
_s32 ss;
- if (!(he = gethostbyname(host)) || !(he->h_addr_list[0]))
+ he = gethostbyname(host);
+ strncpy(ip_addr,inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),18);
+
+ if (!(he) || !(he->h_addr_list[0]))
http_error(client,"Unable to find target host",0);
ss = socket(PF_INET, SOCK_STREAM, 0);
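Review bot: the new `strncpy(...)` line dereferences `he->h_addr_list[0]` before the `if (!(he) || !(he->h_addr_list[0]))` check, so a failed `gethostbyname(host)` now dereferences a NULL pointer instead of reaching `http_error(client,"Unable to find target host",0)`. Move the copy below the check. The length 18 is repeated here and in both `ip_addr[18]` declarations; a shared constant in a header would keep them in sync.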


@ -25,6 +25,29 @@ module Auxiliary::WMAPModule
nil
end
#
# Oveload target_port method as the one in scanner.rb has issues
# - target_host works ok as run() receives ip
#
def wmap_target_host
self.target_host
end
def wmap_target_port
self.datastore['RPORT']
end
def wmap_target_ssl
self.ssl
end
#
# WMAP Reporting methods
#
def wmap_base_report_id(host,port,ssl)
if framework.db.report_active?
if not ssl
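Review bot: the comment above `wmap_target_host` says the `target_port` in scanner.rb "has issues" without naming them, and "Oveload" is a typo for "Overload". State what goes wrong with `target_port` so the workaround can be removed once scanner.rb is fixed. `wmap_target_port` returns `self.datastore['RPORT']` as stored; if callers of `wmap_base_report_id` expect an integer port, convert it here rather than in each module.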
@ -51,8 +74,9 @@ module Auxiliary::WMAPModule
nil
end
#modified from CGI.rb as we dont use arrays
#
# Modified from CGI.rb as we dont use arrays
#
def headersparse(qheaders)
params = Hash.new()
@ -227,4 +251,4 @@ module Auxiliary::WMAPScanGeneric
end
end
end
end


@ -443,6 +443,16 @@ class DBManager
block.call(req)
end
end
#
# WMAP
# This method iterates the requests table returning a list of all requests of a specific target
#
def each_request_target_with_query(&block)
target_requests('AND requests.query IS NOT NULL').each do |req|
block.call(req)
end
end
#
# WMAP
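Review bot: the comment on `each_request_target_with_query` says it returns "all requests of a specific target", but the `'AND requests.query IS NOT NULL'` filter restricts it to requests that carry a query. Update the comment to say so, and state whether an empty query string should also be excluded, since `IS NOT NULL` lets it through.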


@ -83,10 +83,24 @@ module Wmap
end
print_status("Done.")
when '-r'
# Default behavior to handle hosts names in the db as RHOSTS only
# accepts IP addresses
resolv_hosts = false
framework.db.delete_all_targets
framework.db.each_distinct_target do |req|
framework.db.create_target(req.host, req.port, req.ssl, 0)
print_status("Added. #{req.host} #{req.port} #{req.ssl}")
if Rex::Socket.dotted_ip?(req.host)
framework.db.create_target(req.host, req.port, req.ssl, 0)
print_status("Added. #{req.host} #{req.port} #{req.ssl}")
else
print_error("RHOSTS only accepts IP addresses: #{req.host}")
if resolv_hosts
hip = Rex::Socket.resolv_to_dotted(req.host)
framework.db.create_target(hip, req.port, req.ssl, 0)
print_status("Added host #{req.host} resolved as #{hip}.")
end
end
end
when '-s'
framework.db.each_target do |tgt|
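Review bot: `resolv_hosts = false` is hard-coded, so the `if resolv_hosts` branch can never run and every hostname in the database is rejected with `print_error` and left out of the target list. Either expose it as an option of `wmap_targets -r` or drop the dead branch. If it is kept, handle a failed `Rex::Socket.resolv_to_dotted(req.host)` before passing `hip` to `create_target`, since nothing here deals with a lookup that does not succeed.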
@ -471,7 +485,7 @@ module Wmap
utest_query = {}
framework.db.each_request_target_with_path do |req|
framework.db.each_request_target_with_query do |req|
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
@ -567,7 +581,7 @@ module Wmap
wtype = mod.wmap_type
framework.db.each_request_target_with_path do |req|
framework.db.each_request_target_with_query do |req|
#
# Weird bug req.method doesnt work
# collides with some method named 'method'
@ -928,4 +942,4 @@ end
end
end
end
end
end


@ -48,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{ip} is running #{res.headers['Server']}#{extra}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'WEB_SERVER','TYPE',"#{res.headers['Server']}#{extra}",nil)
end
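Review bot: the argument list `wmap_target_host, wmap_target_port, wmap_target_ssl` passed to `wmap_base_report_id` here is repeated verbatim in every module touched by this commit. A no-argument helper in `Auxiliary::WMAPModule` that fills in the three values would have made this a one-file change and would keep modules from drifting back to `self.target_port`.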
@ -101,4 +101,4 @@ class Metasploit3 < Msf::Auxiliary
' ( ' + extras.join(', ') + ' )'
end
end
end


@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{file}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VULNERABILITY','BACKUP_FILE',"#{file}","A backup file was found.")
else
@ -88,4 +88,4 @@ class Metasploit3 < Msf::Auxiliary
end
end
end


@ -142,9 +142,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'VULNERABILITY','BLIND_SQL_INJECTION',"#{datastore['PATH']}","Possible blind SQL Injection Found #{datastore['PATH']}")
wmap_report(vul_id,'BLIND_SQL_INJECTION','PARAMETER',"#{key}","Vulnerable parameter is #{key}")
@ -169,4 +169,4 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
end
end


@ -41,6 +41,10 @@ class Metasploit3 < Msf::Auxiliary
end
def wmap_enabled
true
end
def run_host(ip)
numb = []
@ -83,9 +87,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{target_port}#{teststr} #{res.code.to_i}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'DIRECTORY','NAME',"#{teststr}","Directory #{teststr} found.")
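Review bot: the `print_status` line at the top of this hunk still interpolates `target_port`, while the report entry below it now uses `wmap_target_port`, so the console message and the stored report can show different ports. Use `wmap_target_port` (or `datastore['RPORT']`, as the other modules do) in the message as well.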
@ -222,4 +226,4 @@ module Enumerable
a
end
end
end


@ -52,9 +52,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found Directory Listing http://#{target_host}:#{datastore['RPORT']}#{tpath}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VULNERABILITY','DIR_LISTING',"#{tpath}","Directory #{teststr} disclose its contents.")
end
@ -66,4 +66,4 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end


@ -86,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.code.to_i != ecode.to_i)
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfdir} #{res.code}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'DIRECTORY','NAME',"#{tpath}#{testfdir}","Directory #{tpath}#{testfdir} found.")
wmap_report(vul_id,'DIRECTORY','RESP_CODE',"#{res.code}",nil)


@ -62,9 +62,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfext}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}#{testfext}","File #{tpath}#{testfext} found.")
@ -80,4 +80,4 @@ class Metasploit3 < Msf::Auxiliary
}
end
end
end


@ -74,9 +74,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{target_port}#{tpath}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}","File #{tpath} found.")
@ -93,4 +93,4 @@ class Metasploit3 < Msf::Auxiliary
end
end
end


@ -58,9 +58,9 @@ class Metasploit3 < Msf::Auxiliary
if vhostn
print_status("#{ip} is host #{vhostn}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VHOST','NAME',"#{vhostn}","Vhost #{vhostn} found.")


@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Upload succeeded on http://#{target_host}:#{target_port}#{datastore['PATH']} [#{res.code}]")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VULNERABILITY','PUT_ENABLED',"#{datastore['PATH']}","Upload succeeded on #{datastore['PATH']}")
@ -111,4 +111,4 @@ class Metasploit3 < Msf::Auxiliary
end
end
end