Multiple bug fixes. Fixed query modules now resolved to correct function. Corrected in proxy and wmap code handling of RHOSTS as hostnames are not in use. Fixed reporting as target port was not handled properly and modules modified to reflect new wmap_target methods.
git-svn-id: file:///home/svn/framework3/trunk@5869 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent 23274e6efc
commit b4cbe4ff8d
@ -42,6 +42,7 @@ content
core
custom
customers
CVS
data
database
db
@ -152,6 +153,7 @@ search
sections
secure
server
share
shared
shop
shopping_cart
@ -200,4 +202,4 @@ wp-login
wp-register
ws
ws4ee
xml
xml

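Review bot: the `@ -200,4 +202,4 @@` hunk removes `xml` and adds an identical `xml`, so as rendered the only difference is whitespace or a trailing newline; if that is intentional, say so in the commit message, otherwise drop this hunk so the wordlist change is just the two new entries.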
@ -25,6 +25,7 @@ CVS
CYBERDOCS
CYBERDOCS25
CYBERDOCS31
Entries
INSTALL_admin
Log
Logs

@ -69,93 +69,93 @@ WMAPScanBody - Runs for every Body found in each request to the target
WMAPScanHeaders - Runs for every Header found in each request to the target
WMAPScanGeneric - Modules to be run after all tests complete. Good place to
perform passive analysis of responses, analysis of test
results to launch other modules (i.e. exploits).

=[ Reporting.

Each module is capable of storing reporting information.
Reporting key concepts:

+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e vulnerabilities) but also any relevant
data (i.e. Database name from a SQL injection)
+ Data is available to other modules so reporting becomes a method to
share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database
table
+ Every report entry has a parent_id the top parent_id is 0 and only used
to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming
convention. (very useful to store vulnerabilities discovered in year 2060).

So how it works:

When q module is executed (using WMAP 'wmap_run -e' or standalone):

WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:

Example:

if (vulnerability is found)
print_status("FOUND BLAH BLAH BLAH")

#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
)

# REPORT ABOUT THE FINDING
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
vulnerability was found in the following URL in the parameter 'test'")

# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
# OF INJECTION.

NOTE: wmap_report() returns the id of this entry

wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
end


If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.

Anything can be represented and reported and other modules will have access to this information to do
whatever they want.

To view available reports use the 'wmap_reports' command:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.


results to launch other modules (i.e. exploits).

=[ Reporting.

Each module is capable of storing reporting information.
Reporting key concepts:

+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e vulnerabilities) but also any relevant
data (i.e. Database name from a SQL injection)
+ Data is available to other modules so reporting becomes a method to
share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database
table
+ Every report entry has a parent_id the top parent_id is 0 and only used
to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming
convention. (very useful to store vulnerabilities discovered in year 2060).

So how it works:

When q module is executed (using WMAP 'wmap_run -e' or standalone):

WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:

Example:

if (vulnerability is found)
print_status("FOUND BLAH BLAH BLAH")

#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
)

# REPORT ABOUT THE FINDING
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
vulnerability was found in the following URL in the parameter 'test'")

# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
# OF INJECTION.

NOTE: wmap_report() returns the id of this entry

wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
end


If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.

Anything can be represented and reported and other modules will have access to this information to do
whatever they want.

To view available reports use the 'wmap_reports' command:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.


=[ Simple example.

The following are the basic steps for testing a web server/app using WMAP:
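Review bot: the 93-line Reporting section is removed and re-added with text that reads identically, so this hunk is a whitespace-only rewrite; since it is being touched anyway, the example inside it should call `wmap_base_report_id` with the `wmap_target_host`, `wmap_target_port` and `wmap_target_ssl` accessors this commit adds to WMAPModule and switches every module to, instead of the `self.target_host`, `self.target_port`, `self.ssl` arguments it still shows. The typos in the same hunk ('When q module is executed' for 'When a module', 'i.e vulnerabilities', 'Notes balh blah') could be fixed in the same pass.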
@ -169,7 +169,7 @@ The following are the basic steps for testing a web server/app using WMAP:

ratproxy (ratproxy_wmap.diff applied) basic example:

$ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db
$ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db -a
ratproxy version 1.51-beta by <lcamtuf@google.com>
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...
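Review bot: the example command gains `-a`, but nothing in this hunk explains what the flag enables, and the usage lines visible in the ratproxy_wmap.diff hunks further down do not list it either; add one sentence after the command saying what `-a` does so a reader knows whether it is required for the sqlite3 logging or optional.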
@ -216,19 +216,19 @@ The following are the basic steps for testing a web server/app using WMAP:

msf > wmap_targets -r
[*] Reloading targets...
[*] Added. metasploit.com 80 0
[*] Added. target.com 80 0
[*] Added. framework.metasploit.com 80 0
[*] Added. www.uninformed.org 80 0
[*] Added. 192.168.1.1 80 0
[*] Added. 192.168.2.10 80 0
[*] Added. 192.168.5.11 80 0
[*] Added. 192.168.1.3 80 0

6. View available targets;

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. metasploit.com 80
[*] 2. target.com 80
[*] 3. framework.metasploit.com 80
[*] 4. www.uninformed.org 80
[*] 1. 192.168.1.1 80
[*] 2. 192.168.2.10 80
[*] 3. 192.168.5.11 80
[*] 4. 192.168.1.3 80
[*] Done.

7. Select target (i.e. select target.com);
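Review bot: the reload and listing output now shows only dotted IP addresses, which matches the new `-r` behaviour in db_wmap.rb, but the trailing context line '7. Select target (i.e. select target.com);' still names a hostname that no longer appears in the list; change it to one of the listed addresses (192.168.2.10 is the one selected in the next hunk) so the walkthrough stays consistent.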
@ -236,16 +236,16 @@ The following are the basic steps for testing a web server/app using WMAP:
msf > wmap_targets -s 2
msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. metasploit.com 80
[*] => 2. target.com 80
[*] 3. framework.metasploit.com 80
[*] 4. www.uninformed.org 80
[*] 1. 192.168.1.1 80
[*] => 2. 192.168.2.10 80
[*] 3. 192.168.5.11 80
[*] 4. 192.168.1.3 80
[*] Done.

8. View target website structure;
msf > wmap_website
[*] Website structure
[*] target.com:80 SSL:0
[*] 192.168.2.10:80 SSL:0
ROOT_TREE
+------ index.asp
| images
@ -273,7 +273,10 @@ The following are the basic steps for testing a web server/app using WMAP:
this can be done with the 'setg' command.

Example:


msf > setg VHOST www.targetco.com
VHOST => www.targetco.com

msf > setg DOMAIN targetco.com
DOMAIN => targetco.com

@ -298,7 +301,7 @@ The following are the basic steps for testing a web server/app using WMAP:
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against
www.targetco.com:80
[*] http://xxx.xxx.xxx.xxx:80 is running Apache
[*] FrontPage not found on http://200.41.9.39:80 [302 Object Moved]
[*] FrontPage not found on http://192.168.2.10:80 [302 Object Moved]
...
...
[*] Done.
@ -309,7 +312,7 @@ This is first release version of WMAP and as you know, the Metasploit project
welcomes feedback, comments, ideas, patches, module, etc. This TODO list is
more of a placeholder of the things you may see in the near future.

- Add more commands
- Add more commands
- Add more types of reports (PDF, XML, etc.)
- Develop more modules
- Create more module types to perform tasks like response analysis

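Review bot: '- Add more commands' is removed and re-added unchanged, so this hunk is whitespace-only; harmless, but while the TODO is being touched the context line 'patches, module, etc.' should read 'modules', and 'This is first release version' in the hunk header context wants 'the first release version'.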
@ -1,6 +1,5 @@
diff -Naur ratproxy/Makefile ratproxymod/Makefile
--- ratproxy/Makefile 2008-06-10 11:44:28.000000000 +0000
+++ ratproxymod/Makefile 2008-09-25 18:53:31.000000000 +0000
--- ratproxy/Makefile 2008-06-10 06:44:28.000000000 -0500
+++ ratproxymod/Makefile 2008-11-06 16:36:22.000000000 -0600
@@ -21,7 +21,7 @@

PROGNAME = ratproxy
@ -10,9 +9,8 @@ diff -Naur ratproxy/Makefile ratproxymod/Makefile

all: $(PROGNAME) flare-check

diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
--- ratproxy/ratproxy.c 2008-07-03 06:27:15.000000000 +0000
+++ ratproxymod/ratproxy.c 2008-09-25 22:15:54.000000000 +0000
--- ratproxy/ratproxy.c 2008-07-03 01:27:15.000000000 -0500
+++ ratproxymod/ratproxy.c 2008-11-06 16:36:24.000000000 -0600
@@ -43,6 +43,9 @@
#include <openssl/md5.h>
#include <time.h>
@ -23,15 +21,20 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
#include "config.h"
#include "types.h"
#include "debug.h"
@@ -75,6 +78,7 @@
@@ -75,8 +78,11 @@

_u8* use_proxy; /* Upstream proxy */
_u8* trace_dir; /* Trace directory */
+_u8* db_file; /* Sqlite3 DB */
_u32 proxy_port = 8080; /* Upstream proxy port */
_u8 use_len; /* Use length, not cksum */
-_u8 use_len; /* Use length, not cksum */
+_u8 use_len; /* Use length, not cksum */
+
+_u8 ip_addr[18];

@@ -90,6 +94,7 @@
static FILE* outfile; /* Output file descriptor */

@@ -90,6 +96,7 @@
" -p port - listen on a custom TCP port (default: 8080)\n"
" -d domain - analyze requests to specified domains only (default: all)\n"
" -P host:port - use upstream proxy for all requests (format host:port)\n"
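Review bot: the `-_u8 use_len;` / `+_u8 use_len;` pair inside the regenerated `@@ -75,8 +78,11 @@` hunk is a no-op as rendered (same declaration, same comment), most likely a tab/space difference picked up when the patch was regenerated; dropping it keeps ratproxy_wmap.diff minimal. The substantive addition is `+_u8 ip_addr[18];`, a file-scope global that http.c fills and ratproxy.c reads; give it a comment saying what it holds (the dotted address of the last resolved target) and size it with `INET_ADDRSTRLEN` rather than the magic 18 so the intent is clear.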
@ -39,7 +42,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
" -r - accept remote connections (default: 127.0.0.1 only)\n"
" -l - use response length, not checksum, for identity check\n"
" -2 - perform two, not one, page identity check\n"
@@ -111,7 +116,8 @@
@@ -111,7 +118,8 @@
"Example settings suitable for most tests:\n"
" 1) Low verbosity : -v <outdir> -w <outfile> -d <domain> -lfscm\n"
" 2) High verbosity : -v <outdir> -w <outfile> -d <domain> -lextifscgjm\n"
@ -49,7 +52,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c

"Multiple -d options are allowed. Consult the documentation for more.\n", argv0);

@@ -538,12 +544,23 @@
@@ -538,12 +546,23 @@

static _u8 dump_fn[1024];
static _u8 dumped_already;
@ -73,7 +76,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c

if (!trace_dir) return "-";

@@ -551,6 +568,109 @@
@@ -551,6 +570,109 @@
if (dumped_already) return dump_fn;
dumped_already = 1;

@ -147,7 +150,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
+ if(rc==SQLITE_OK){
+ //fprintf(stderr, "SQL OK: retries %d\n", kr++);
+
+ sqlite3_bind_text(pStmt, 1, req->host, -1, SQLITE_STATIC);
+ sqlite3_bind_text(pStmt, 1, ip_addr, -1, SQLITE_STATIC);
+ sqlite3_bind_int(pStmt, 2, req->port);
+ sqlite3_bind_int(pStmt, 3, req->from_ssl);
+ sqlite3_bind_text(pStmt, 4, req->method, -1, SQLITE_STATIC);
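Review bot: binding `ip_addr` instead of `req->host` in column 1 means the requests table now records the resolved address rather than the Host the client asked for. That is what the IP-only `-r` reload in db_wmap.rb needs, but it discards the hostname for virtual-hosted targets (the README's own `setg VHOST` step shows why that matters); keeping `req->host` in an additional column would preserve both. Also, `ip_addr` is a process-wide global written during connect in http.c rather than a field of `req`, so confirm that the connect for this request always runs before this dump in the same process, otherwise another connection can overwrite it in between and the row is attributed to the wrong host.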
@ -183,7 +186,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
sprintf(dump_fn,"%.512s/%08x-%04x.trace",trace_dir,(_u32)time(0),getpid());

f = open(dump_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
@@ -594,6 +714,7 @@
@@ -594,6 +716,7 @@
fclose(out);
close(f);

@ -191,7 +194,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
return dump_fn;

}
@@ -1653,7 +1774,7 @@
@@ -1653,7 +1776,7 @@

debug("ratproxy version " VERSION " by <lcamtuf@google.com>\n");

@ -200,7 +203,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
switch (opt) {

case 'w': {
@@ -1761,6 +1882,11 @@
@@ -1761,6 +1884,11 @@
use_any = 1;
break;

@ -212,3 +215,34 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
default:
usage(argv[0]);
}
--- ratproxy/http.c 2008-06-10 07:28:26.000000000 -0500
+++ ratproxymod/http.c 2008-11-06 16:36:24.000000000 -0600
@@ -32,6 +32,7 @@
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@@ -57,6 +58,8 @@
static _u8 srv_buf[MAXLINE], /* libc IO buffers */
cli_buf[MAXLINE];

+extern _u8 ip_addr[18];
+

/* Read a single line of HTTP headers, strip whitespaces */
static _u8* grab_line(FILE* where) {
@@ -657,7 +660,10 @@
struct hostent* he;
_s32 ss;

- if (!(he = gethostbyname(host)) || !(he->h_addr_list[0]))
+ he = gethostbyname(host);
+ strncpy(ip_addr,inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),18);
+
+ if (!(he) || !(he->h_addr_list[0]))
http_error(client,"Unable to find target host",0);

ss = socket(PF_INET, SOCK_STREAM, 0);

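Review bot: in the http.c hunk the result of `he = gethostbyname(host);` is dereferenced by `inet_ntoa(*((struct in_addr *)he->h_addr_list[0]))` before the `if (!(he) || !(he->h_addr_list[0]))` check runs, so a name that fails to resolve now crashes the proxy on a NULL pointer instead of reaching `http_error(client,"Unable to find target host",0)`; move the `strncpy` below the check, after the error path has returned. Two smaller points: unlike the Makefile and ratproxy.c sections, this part of the patch has no `diff -Naur ratproxy/http.c ratproxymod/http.c` line, and `strncpy(ip_addr, ..., 18)` only stays NUL-terminated because `inet_ntoa` returns at most 15 characters, which deserves a comment next to the 18.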
@ -25,6 +25,29 @@ module Auxiliary::WMAPModule
nil
end

#
# Oveload target_port method as the one in scanner.rb has issues
# - target_host works ok as run() receives ip
#

def wmap_target_host
self.target_host
end

def wmap_target_port
self.datastore['RPORT']
end

def wmap_target_ssl
self.ssl
end



#
# WMAP Reporting methods
#

def wmap_base_report_id(host,port,ssl)
if framework.db.report_active?
if not ssl
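Review bot: `wmap_target_port` returns `self.datastore['RPORT']`, the raw option value, where `target_port` would give an Integer; if the datastore holds the option as a String, `wmap_base_report_id(host,port,ssl)` ends up comparing a String against the integer port column, so `.to_i` here is the safer return. The comment above it has a typo ('Oveload' for 'Override') and says the scanner.rb `target_port` 'has issues' without naming them; one line describing the actual problem tells the next maintainer when this override can go away.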
@ -51,8 +74,9 @@ module Auxiliary::WMAPModule
nil
end


#modified from CGI.rb as we dont use arrays
#
# Modified from CGI.rb as we dont use arrays
#
def headersparse(qheaders)
params = Hash.new()

@ -227,4 +251,4 @@ module Auxiliary::WMAPScanGeneric
end
end

end
end

@ -443,6 +443,16 @@ class DBManager
block.call(req)
end
end

#
# WMAP
# This method iterates the requests table returning a list of all requests of a specific target
#
def each_request_target_with_query(&block)
target_requests('AND requests.query IS NOT NULL').each do |req|
block.call(req)
end
end

#
# WMAP

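Review bot: the header comment on `each_request_target_with_query` says it returns 'a list of all requests of a specific target', but the method only yields each row to `block` and returns whatever `each` returns; say 'yields' or return the collection. Also worth checking how the proxy stores a request that has no query string: if it writes an empty string rather than NULL, `requests.query IS NOT NULL` will still hand those rows to the query-testing loops in db_wmap.rb.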
@ -83,10 +83,24 @@ module Wmap
end
print_status("Done.")
when '-r'
# Default behavior to handle hosts names in the db as RHOSTS only
# accepts IP addresses
resolv_hosts = false

framework.db.delete_all_targets
framework.db.each_distinct_target do |req|
framework.db.create_target(req.host, req.port, req.ssl, 0)
print_status("Added. #{req.host} #{req.port} #{req.ssl}")
if Rex::Socket.dotted_ip?(req.host)
framework.db.create_target(req.host, req.port, req.ssl, 0)
print_status("Added. #{req.host} #{req.port} #{req.ssl}")
else
print_error("RHOSTS only accepts IP addresses: #{req.host}")

if resolv_hosts
hip = Rex::Socket.resolv_to_dotted(req.host)
framework.db.create_target(hip, req.port, req.ssl, 0)
print_status("Added host #{req.host} resolved as #{hip}.")
end
end
end
when '-s'
framework.db.each_target do |tgt|
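Review bot: `resolv_hosts = false` is hard-coded, so the `if resolv_hosts` branch that calls `Rex::Socket.resolv_to_dotted(req.host)` can never run and every hostname target is simply dropped after `print_error("RHOSTS only accepts IP addresses: ...")`; either make it an option of `-r` or remove the dead branch rather than shipping it disabled. The comment above it breaks awkwardly ('handle hosts names in the db as RHOSTS only / accepts IP addresses'); rewording to 'RHOSTS only accepts IP addresses, so hostnames in the db are skipped by default' says the same thing unambiguously.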
@ -471,7 +485,7 @@ module Wmap

utest_query = {}

framework.db.each_request_target_with_path do |req|
framework.db.each_request_target_with_query do |req|
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
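Review bot: switching this loop from `each_request_target_with_path` to `each_request_target_with_query` is the fix the commit message describes as 'query modules now resolved to correct function', and the same substitution is made in the `@ -567,7 +581,7 @@` hunk below; a short comment here stating which iterator feeds which WMAP module type (path-based vs query-based) would keep the two from being mixed up again.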
@ -567,7 +581,7 @@ module Wmap
wtype = mod.wmap_type


framework.db.each_request_target_with_path do |req|
framework.db.each_request_target_with_query do |req|
#
# Weird bug req.method doesnt work
# collides with some method named 'method'
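Review bot: the context comment 'Weird bug req.method doesnt work / collides with some method named method' describes `Object#method`, which every Ruby object already has, so a column named `method` cannot be read with a plain `req.method` call; if `req` is an ActiveRecord row, `req[:method]` (or `req.read_attribute(:method)`) reads the attribute, and the comment should say that instead of calling it a weird bug.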
@ -928,4 +942,4 @@ end
end
end
end
end
end

@ -48,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{ip} is running #{res.headers['Server']}#{extra}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'WEB_SERVER','TYPE',"#{res.headers['Server']}#{extra}",nil)
end
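Review bot: the argument list of `wmap_base_report_id` changes from `self.target_host, self.target_port, self.ssl` to `wmap_target_host, wmap_target_port, wmap_target_ssl` here and, with identical text, in eight more modules in this commit; a zero-argument wrapper in WMAPModule that supplies the three accessors itself would let each module make one call and confine the next signature change to a single place. Note also that `print_status` reports `ip` while the report row is keyed on `wmap_target_host`, which is fine only as long as `target_host` resolves to the same address.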
@ -101,4 +101,4 @@ class Metasploit3 < Msf::Auxiliary
' ( ' + extras.join(', ') + ' )'
end

end
end

@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{file}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VULNERABILITY','BACKUP_FILE',"#{file}","A backup file was found.")
else
@ -88,4 +88,4 @@ class Metasploit3 < Msf::Auxiliary

end

end
end

@ -142,9 +142,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'VULNERABILITY','BLIND_SQL_INJECTION',"#{datastore['PATH']}","Possible blind SQL Injection Found #{datastore['PATH']}")
wmap_report(vul_id,'BLIND_SQL_INJECTION','PARAMETER',"#{key}","Vulnerable parameter is #{key}")
@ -169,4 +169,4 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
end
end

@ -41,6 +41,10 @@ class Metasploit3 < Msf::Auxiliary

end

def wmap_enabled
true
end

def run_host(ip)

numb = []
@ -83,9 +87,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{target_port}#{teststr} #{res.code.to_i}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'DIRECTORY','NAME',"#{teststr}","Directory #{teststr} found.")

@ -222,4 +226,4 @@ module Enumerable
a
end

end
end

@ -52,9 +52,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found Directory Listing http://#{target_host}:#{datastore['RPORT']}#{tpath}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
wmap_report(rep_id,'VULNERABILITY','DIR_LISTING',"#{tpath}","Directory #{teststr} disclose its contents.")
end
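Review bot: the note passed to `wmap_report` interpolates `teststr` ('Directory #{teststr} disclose its contents.') while the path printed and stored as the value is `tpath`, and `teststr` is not defined anywhere in this hunk; this is almost certainly meant to be `tpath`, and 'disclose' should be 'discloses'.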
@ -66,4 +66,4 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end

@ -86,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.code.to_i != ecode.to_i)
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfdir} #{res.code}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)
vul_id = wmap_report(rep_id,'DIRECTORY','NAME',"#{tpath}#{testfdir}","Directory #{tpath}#{testfdir} found.")
wmap_report(vul_id,'DIRECTORY','RESP_CODE',"#{res.code}",nil)

@ -62,9 +62,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfext}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)

vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}#{testfext}","File #{tpath}#{testfext} found.")
@ -80,4 +80,4 @@ class Metasploit3 < Msf::Auxiliary
}

end
end
end

@ -74,9 +74,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Found http://#{target_host}:#{target_port}#{tpath}")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)

vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}","File #{tpath} found.")
@ -93,4 +93,4 @@ class Metasploit3 < Msf::Auxiliary

end

end
end

@ -58,9 +58,9 @@ class Metasploit3 < Msf::Auxiliary
if vhostn
print_status("#{ip} is host #{vhostn}")
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)

wmap_report(rep_id,'VHOST','NAME',"#{vhostn}","Vhost #{vhostn} found.")

@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Upload succeeded on http://#{target_host}:#{target_port}#{datastore['PATH']} [#{res.code}]")

rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
wmap_target_host,
wmap_target_port,
wmap_target_ssl
)

wmap_report(rep_id,'VULNERABILITY','PUT_ENABLED',"#{datastore['PATH']}","Upload succeeded on #{datastore['PATH']}")
@ -111,4 +111,4 @@ class Metasploit3 < Msf::Auxiliary

end

end
end