From b4cbe4ff8d5f64a10521ab1498437dda5663c265 Mon Sep 17 00:00:00 2001
From: et <>
Date: Mon, 10 Nov 2008 04:38:05 +0000
Subject: [PATCH] Multiple bug fixes. Fixed query modules now resolved to correct function. Corrected in proxy and wmap code handling of RHOSTS as hostnames are not in use. Fixed reporting as target port was not handled properly and modules modified to reflect new wmap_target methods.
git-svn-id: file:///home/svn/framework3/trunk@5869 4d416f70-5f16-0410-b530-b9f4589650da
---
 data/wmap/wmap_dirs.txt | 4 +-
 data/wmap/wmap_files.txt | 1 +
 documentation/wmap.txt | 211 +++++++++---------
 external/ratproxy/ratproxy_wmap.diff | 66 ++++--
 lib/msf/core/auxiliary/wmapmodule.rb | 30 ++-
 lib/msf/core/db.rb | 10 +
 lib/msf/ui/console/command_dispatcher/wmap.rb | 24 +-
 modules/auxiliary/scanner/http/version.rb | 8 +-
 .../scanner/http/wmap_backup_file.rb | 8 +-
 .../scanner/http/wmap_blind_sql_query.rb | 8 +-
 .../auxiliary/scanner/http/wmap_brute_dirs.rb | 12 +-
 .../scanner/http/wmap_dir_listing.rb | 8 +-
 .../scanner/http/wmap_dir_scanner.rb | 6 +-
 .../auxiliary/scanner/http/wmap_files_dir.rb | 8 +-
 .../scanner/http/wmap_replace_ext.rb | 8 +-
 .../auxiliary/scanner/http/wmap_ssl_vhost.rb | 6 +-
 modules/auxiliary/scanner/http/writable.rb | 8 +-
 17 files changed, 259 insertions(+), 167 deletions(-)
diff --git a/data/wmap/wmap_dirs.txt b/data/wmap/wmap_dirs.txt
index 6231717c6d..cd28b502ee 100644
--- a/data/wmap/wmap_dirs.txt
+++ b/data/wmap/wmap_dirs.txt
@@ -42,6 +42,7 @@ content
 core
 custom
 customers
+CVS
 data
 database
 db
@@ -152,6 +153,7 @@ search
 sections
 secure
 server
+share
 shared
 shop
 shopping_cart
@@ -200,4 +202,4 @@ wp-login
 wp-register
 ws
 ws4ee
-xml
\ No newline at end of file
+xml
diff --git a/data/wmap/wmap_files.txt b/data/wmap/wmap_files.txt
index 5502e9623f..e2a40a55e9 100644
--- a/data/wmap/wmap_files.txt
+++ b/data/wmap/wmap_files.txt
@@ -25,6 +25,7 @@ CVS
 CYBERDOCS
 CYBERDOCS25
 CYBERDOCS31
+Entries
 INSTALL_admin
 Log
 Logs
diff --git a/documentation/wmap.txt b/documentation/wmap.txt
index 0ef9cafdda..4ebdb3daa8 100644
--- a/documentation/wmap.txt
+++ b/documentation/wmap.txt
@@ -69,93 +69,93 @@ WMAPScanBody - Runs for every Body found in each request to the target WMAPScanHeaders - Runs for every Header found in each request to the target WMAPScanGeneric - Modules to be run after all tests complete. Good place to perform passive analysis of responses, analysis of test - results to launch other modules (i.e. exploits). - -=[ Reporting. - -Each module is capable of storing reporting information. -Reporting key concepts: - - + Reporting is used to gather and store data - + Bye bye to useless risk levels - + Data is not only findings (i.e vulnerabilities) but also any relevant - data (i.e. Database name from a SQL injection) - + Data is available to other modules so reporting becomes a method to - share information - + Data has context and that context is preserved. - + Context is preserved by having a tree structure in the Report database - table - + Every report entry has a parent_id the top parent_id is 0 and only used - to create a report entry (this allows for the storage of multiple reports) - + The report table is basically a type,name,value database. - + This schema allows the storage of data/vulnerabilities with any classification/naming - convention. (very useful to store vulnerabilities discovered in year 2060). 
- - So how it works: - - When q module is executed (using WMAP 'wmap_run -e' or standalone): - - WMAP creates a new report entry, then in each module when something is found or - something needs to be reported the module should implement the following lines: - - Example: - - if (vulnerability is found) - print_status("FOUND BLAH BLAH BLAH") - - #OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target) - rep_id = wmap_base_report_id( - self.target_host, - self.target_port, - self.ssl - ) - - # REPORT ABOUT THE FINDING - vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection - vulnerability was found in the following URL in the parameter 'test'") - - # LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE - # OF INJECTION. - - NOTE: wmap_report() returns the id of this entry - - wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah") - wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah") - end - - - If you are connected to a database (db_connect) then reporting is active and every module executed will - store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will - be organized per host,port as wmap_base_report_id() returns the last available report for the specified - host,port,ssl target. - - Anything can be represented and reported and other modules will have access to this information to do - whatever they want. - - To view available reports use the 'wmap_reports' command: - - msf > load db_sqlite3 - [*] Successfully loaded plugin: db_sqlite3 - msf > load db_wmap - [*] =[ WMAP v0.2 - ET LoWNOISE - [*] Successfully loaded plugin: db_wmap - msf > db_connect - [*] Successfully connected to the database - [*] File: /Users/et/.msf3/sqlite3.db - ... - msf > wmap_reports -p - [*] Id. Created Target (host,port,ssl) - 1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0 - [*] Done. 
- msf > wmap_reports -s 1 - WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008] - WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008] - VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008] - SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008] - SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008] - [*] Done. - - + results to launch other modules (i.e. exploits). + +=[ Reporting. + +Each module is capable of storing reporting information. +Reporting key concepts: + + + Reporting is used to gather and store data + + Bye bye to useless risk levels + + Data is not only findings (i.e vulnerabilities) but also any relevant + data (i.e. Database name from a SQL injection) + + Data is available to other modules so reporting becomes a method to + share information + + Data has context and that context is preserved. + + Context is preserved by having a tree structure in the Report database + table + + Every report entry has a parent_id the top parent_id is 0 and only used + to create a report entry (this allows for the storage of multiple reports) + + The report table is basically a type,name,value database. + + This schema allows the storage of data/vulnerabilities with any classification/naming + convention. (very useful to store vulnerabilities discovered in year 2060). 
+ + So how it works: + + When q module is executed (using WMAP 'wmap_run -e' or standalone): + + WMAP creates a new report entry, then in each module when something is found or + something needs to be reported the module should implement the following lines: + + Example: + + if (vulnerability is found) + print_status("FOUND BLAH BLAH BLAH") + + #OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target) + rep_id = wmap_base_report_id( + self.target_host, + self.target_port, + self.ssl + ) + + # REPORT ABOUT THE FINDING + vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection + vulnerability was found in the following URL in the parameter 'test'") + + # LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE + # OF INJECTION. + + NOTE: wmap_report() returns the id of this entry + + wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah") + wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah") + end + + + If you are connected to a database (db_connect) then reporting is active and every module executed will + store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will + be organized per host,port as wmap_base_report_id() returns the last available report for the specified + host,port,ssl target. + + Anything can be represented and reported and other modules will have access to this information to do + whatever they want. + + To view available reports use the 'wmap_reports' command: + + msf > load db_sqlite3 + [*] Successfully loaded plugin: db_sqlite3 + msf > load db_wmap + [*] =[ WMAP v0.2 - ET LoWNOISE + [*] Successfully loaded plugin: db_wmap + msf > db_connect + [*] Successfully connected to the database + [*] File: /Users/et/.msf3/sqlite3.db + ... + msf > wmap_reports -p + [*] Id. Created Target (host,port,ssl) + 1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0 + [*] Done. 
+ msf > wmap_reports -s 1 + WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008] + WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008] + VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008] + SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008] + SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008] + [*] Done. + + =[ Simple example. The following are the basic steps for testing a web server/app using WMAP: @@ -169,7 +169,7 @@ The following are the basic steps for testing a web server/app using WMAP: ratproxy (ratproxy_wmap.diff applied) basic example: - $ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db + $ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db -a ratproxy version 1.51-beta by [*] Proxy configured successfully. Have fun, and please do not be evil. [+] Accepting connections on port 8080/tcp (local only)... @@ -216,19 +216,19 @@ The following are the basic steps for testing a web server/app using WMAP: msf > wmap_targets -r [*] Reloading targets... - [*] Added. metasploit.com 80 0 - [*] Added. target.com 80 0 - [*] Added. framework.metasploit.com 80 0 - [*] Added. www.uninformed.org 80 0 + [*] Added. 192.168.1.1 80 0 + [*] Added. 192.168.2.10 80 0 + [*] Added. 192.168.5.11 80 0 + [*] Added. 192.168.1.3 80 0 6. View available targets; msf > wmap_targets -p [*] Id. Host Port SSL - [*] 1. metasploit.com 80 - [*] 2. target.com 80 - [*] 3. framework.metasploit.com 80 - [*] 4. www.uninformed.org 80 + [*] 1. 192.168.1.1 80 + [*] 2. 192.168.2.10 80 + [*] 3. 192.168.5.11 80 + [*] 4. 192.168.1.3 80 [*] Done. 7. Select target (i.e. select target.com); 
@@ -236,16 +236,16 @@ The following are the basic steps for testing a web server/app using WMAP: msf > wmap_targets -s 2 msf > wmap_targets -p [*] Id. Host Port SSL - [*] 1. metasploit.com 80 - [*] => 2. target.com 80 - [*] 3. framework.metasploit.com 80 - [*] 4. www.uninformed.org 80 + [*] 1. 192.168.1.1 80 + [*] => 2. 192.168.2.10 80 + [*] 3. 192.168.5.11 80 + [*] 4. 192.168.1.3 80 [*] Done. 8. View target website structure; msf > wmap_website [*] Website structure - [*] target.com:80 SSL:0 + [*] 192.168.2.10:80 SSL:0 ROOT_TREE +------ index.asp | images @@ -273,7 +273,10 @@ The following are the basic steps for testing a web server/app using WMAP: this can be done with the 'setg' command. Example: - + + msf > setg VHOST www.targetco.com + VHOST => www.targetco.com + msf > setg DOMAIN targetco.com DOMAIN => targetco.com @@ -298,7 +301,7 @@ The following are the basic steps for testing a web server/app using WMAP: [*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against www.targetco.com:80 [*] http://xxx.xxx.xxx.xxx:80 is running Apache - [*] FrontPage not found on http://200.41.9.39:80 [302 Object Moved] + [*] FrontPage not found on http://192.168.2.10:80 [302 Object Moved] ... ... [*] Done. @@ -309,7 +312,7 @@ This is first release version of WMAP and as you know, the Metasploit project welcomes feedback, comments, ideas, patches, module, etc. This TODO list is more of a placeholder of the things you may see in the near future. -- Add more commands +- Add more commands - Add more types of reports (PDF, XML, etc.) - Develop more modules - Create more module types to perform tasks like response analysis diff --git a/external/ratproxy/ratproxy_wmap.diff b/external/ratproxy/ratproxy_wmap.diff index c4b08ded95..51f5a60818 100644 --- a/external/ratproxy/ratproxy_wmap.diff +++ b/external/ratproxy/ratproxy_wmap.diff 
@@ -1,6 +1,5 @@ -diff -Naur ratproxy/Makefile ratproxymod/Makefile ---- ratproxy/Makefile 2008-06-10 11:44:28.000000000 +0000 -+++ ratproxymod/Makefile 2008-09-25 18:53:31.000000000 +0000 +--- ratproxy/Makefile 2008-06-10 06:44:28.000000000 -0500 ++++ ratproxymod/Makefile 2008-11-06 16:36:22.000000000 -0600 @@ -21,7 +21,7 @@ PROGNAME = ratproxy @@ -10,9 +9,8 @@ diff -Naur ratproxy/Makefile ratproxymod/Makefile all: $(PROGNAME) flare-check -diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c ---- ratproxy/ratproxy.c 2008-07-03 06:27:15.000000000 +0000 -+++ ratproxymod/ratproxy.c 2008-09-25 22:15:54.000000000 +0000 +--- ratproxy/ratproxy.c 2008-07-03 01:27:15.000000000 -0500 ++++ ratproxymod/ratproxy.c 2008-11-06 16:36:24.000000000 -0600 @@ -43,6 +43,9 @@ #include #include @@ -23,15 +21,20 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c #include "config.h" #include "types.h" #include "debug.h" -@@ -75,6 +78,7 @@ +@@ -75,8 +78,11 @@ _u8* use_proxy; /* Upstream proxy */ _u8* trace_dir; /* Trace directory */ +_u8* db_file; /* Sqlite3 DB */ _u32 proxy_port = 8080; /* Upstream proxy port */ - _u8 use_len; /* Use length, not cksum */ +-_u8 use_len; /* Use length, not cksum */ ++_u8 use_len; /* Use length, not cksum */ ++ ++_u8 ip_addr[18]; -@@ -90,6 +94,7 @@ + static FILE* outfile; /* Output file descriptor */ + +@@ -90,6 +96,7 @@ " -p port - listen on a custom TCP port (default: 8080)\n" " -d domain - analyze requests to specified domains only (default: all)\n" " -P host:port - use upstream proxy for all requests (format host:port)\n" @@ -39,7 +42,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c " -r - accept remote connections (default: 127.0.0.1 only)\n" " -l - use response length, not checksum, for identity check\n" " -2 - perform two, not one, page identity check\n" -@@ -111,7 +116,8 @@ +@@ -111,7 +118,8 @@ "Example settings suitable for most tests:\n" " 1) Low verbosity : -v -w -d -lfscm\n" " 2) High verbosity : -v -w -d -lextifscgjm\n" 
@@ -49,7 +52,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c "Multiple -d options are allowed. Consult the documentation for more.\n", argv0); -@@ -538,12 +544,23 @@ +@@ -538,12 +546,23 @@ static _u8 dump_fn[1024]; static _u8 dumped_already; @@ -73,7 +76,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c if (!trace_dir) return "-"; -@@ -551,6 +568,109 @@ +@@ -551,6 +570,109 @@ if (dumped_already) return dump_fn; dumped_already = 1; @@ -147,7 +150,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c + if(rc==SQLITE_OK){ + //fprintf(stderr, "SQL OK: retries %d\n", kr++); + -+ sqlite3_bind_text(pStmt, 1, req->host, -1, SQLITE_STATIC); ++ sqlite3_bind_text(pStmt, 1, ip_addr, -1, SQLITE_STATIC); + sqlite3_bind_int(pStmt, 2, req->port); + sqlite3_bind_int(pStmt, 3, req->from_ssl); + sqlite3_bind_text(pStmt, 4, req->method, -1, SQLITE_STATIC); @@ -183,7 +186,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c sprintf(dump_fn,"%.512s/%08x-%04x.trace",trace_dir,(_u32)time(0),getpid()); f = open(dump_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); -@@ -594,6 +714,7 @@ +@@ -594,6 +716,7 @@ fclose(out); close(f); @@ -191,7 +194,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c return dump_fn; } -@@ -1653,7 +1774,7 @@ +@@ -1653,7 +1776,7 @@ debug("ratproxy version " VERSION " by \n"); @@ -200,7 +203,7 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c switch (opt) { case 'w': { -@@ -1761,6 +1882,11 @@ +@@ -1761,6 +1884,11 @@ use_any = 1; break; 
@@ -212,3 +215,34 @@ diff -Naur ratproxy/ratproxy.c ratproxymod/ratproxy.c
 default:
 usage(argv[0]);
 }
+--- ratproxy/http.c 2008-06-10 07:28:26.000000000 -0500
++++ ratproxymod/http.c 2008-11-06 16:36:24.000000000 -0600
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -57,6 +58,8 @@
+ static _u8 srv_buf[MAXLINE], /* libc IO buffers */
+ cli_buf[MAXLINE];
+ 
++extern _u8 ip_addr[18];
++
+ 
+ /* Read a single line of HTTP headers, strip whitespaces */
+ static _u8* grab_line(FILE* where) {
+@@ -657,7 +660,10 @@
+ struct hostent* he;
+ _s32 ss;
+ 
+- if (!(he = gethostbyname(host)) || !(he->h_addr_list[0]))
++ he = gethostbyname(host);
++ strncpy(ip_addr,inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),18);
++
++ if (!(he) || !(he->h_addr_list[0]))
+ http_error(client,"Unable to find target host",0);
+ 
+ ss = socket(PF_INET, SOCK_STREAM, 0);
diff --git a/lib/msf/core/auxiliary/wmapmodule.rb b/lib/msf/core/auxiliary/wmapmodule.rb
index e37dfc9f3c..d07f2edd7c 100644
--- a/lib/msf/core/auxiliary/wmapmodule.rb
+++ b/lib/msf/core/auxiliary/wmapmodule.rb
@@ -25,6 +25,29 @@ module Auxiliary::WMAPModule
 nil
 end
+ #
+ # Oveload target_port method as the one in scanner.rb has issues
+ # - target_host works ok as run() receives ip
+ #
+
+ def wmap_target_host
+ self.target_host
+ end
+
+ def wmap_target_port
+ self.datastore['RPORT']
+ end
+
+ def wmap_target_ssl
+ self.ssl
+ end
+
+
+
+ #
+ # WMAP Reporting methods
+ #
+
 def wmap_base_report_id(host,port,ssl)
 if framework.db.report_active?
 if not ssl
@@ -51,8 +74,9 @@ module Auxiliary::WMAPModule
 nil
 end
-
- #modified from CGI.rb as we dont use arrays
+ #
+ # Modified from CGI.rb as we dont use arrays
+ #
 def headersparse(qheaders)
 params = Hash.new()
@@ -227,4 +251,4 @@ module Auxiliary::WMAPScanGeneric
 end
 end
-end
\ No newline at end of file
+end
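Review bot: In the http.c hunk of the embedded ratproxy patch, the new `strncpy(ip_addr,inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),18);` dereferences `he` before the `if (!(he) || !(he->h_addr_list[0]))` guard that now follows it, so a hostname that does not resolve crashes the proxy on a NULL pointer instead of reaching `http_error(client,"Unable to find target host",0)`. Move the copy below the guard and terminate the buffer explicitly, since `strncpy` does not when the source fills it: `if (!(he) || !(he->h_addr_list[0])) http_error(client,"Unable to find target host",0);` then `strncpy(ip_addr, inet_ntoa(*((struct in_addr *)he->h_addr_list[0])), sizeof(ip_addr) - 1); ip_addr[sizeof(ip_addr) - 1] = 0;`. `ip_addr` is a process-wide global that ratproxy.c later binds into the requests row, so it names the right host only if resolution and the insert run in the same connection handler with nothing in between — presumably the case, but a one-line comment at the `extern _u8 ip_addr[18];` declaration stating that assumption would help the next reader. The enclosing function's signature is outside the hunk.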
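Review bot: `wmap_target_port` returns `self.datastore['RPORT']` unconverted, and datastore values are typically strings, so `wmap_base_report_id` may be looking up `"80"` where the requests rows and `create_target` carry an integer port (the ratproxy side binds it with `sqlite3_bind_int`); if the lookup compares the two, the report id is not found. Returning `self.datastore['RPORT'].to_i` keeps the types aligned. The header comment also misspells `Oveload`, and it says only `target_port` is overloaded while three wrappers are added; `# Wrappers around the scanner mixin's target accessors; the port is read from RPORT because the scanner.rb target_port misbehaves` describes what the code does. The three blank lines before `# WMAP Reporting methods` can be one.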
+++ b/lib/msf/core/db.rb
@@ -443,6 +443,16 @@ class DBManager
 block.call(req)
 end
 end
+
+ #
+ # WMAP
+ # This method iterates the requests table returning a list of all requests of a specific target
+ #
+ def each_request_target_with_query(&block)
+ target_requests('AND requests.query IS NOT NULL').each do |req|
+ block.call(req)
+ end
+ end
 
 #
 # WMAP
diff --git a/lib/msf/ui/console/command_dispatcher/wmap.rb b/lib/msf/ui/console/command_dispatcher/wmap.rb
index 7f17edd1c3..03a049d844 100644
--- a/lib/msf/ui/console/command_dispatcher/wmap.rb
+++ b/lib/msf/ui/console/command_dispatcher/wmap.rb
@@ -83,10 +83,24 @@ module Wmap
 end
 print_status("Done.")
 when '-r'
+ # Default behavior to handle hosts names in the db as RHOSTS only
+ # accepts IP addresses
+ resolv_hosts = false
+
 framework.db.delete_all_targets
 framework.db.each_distinct_target do |req|
- framework.db.create_target(req.host, req.port, req.ssl, 0)
- print_status("Added. #{req.host} #{req.port} #{req.ssl}")
+ if Rex::Socket.dotted_ip?(req.host)
+ framework.db.create_target(req.host, req.port, req.ssl, 0)
+ print_status("Added. #{req.host} #{req.port} #{req.ssl}")
+ else
+ print_error("RHOSTS only accepts IP addresses: #{req.host}")
+
+ if resolv_hosts
+ hip = Rex::Socket.resolv_to_dotted(req.host)
+ framework.db.create_target(hip, req.port, req.ssl, 0)
+ print_status("Added host #{req.host} resolved as #{hip}.")
+ end
+ end
 end
 when '-s'
 framework.db.each_target do |tgt|
@@ -471,7 +485,7 @@ module Wmap
 utest_query = {}
- framework.db.each_request_target_with_path do |req|
+ framework.db.each_request_target_with_query do |req|
 #
 # Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
 #
@@ -567,7 +581,7 @@ module Wmap
 wtype = mod.wmap_type
- framework.db.each_request_target_with_path do |req|
+ framework.db.each_request_target_with_query do |req|
 #
 # Weird bug req.method doesnt work
 # collides with some method named 'method'
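Review bot: The comment on `each_request_target_with_query` says the method returns a list, but it yields each row to the block and returns whatever `each` returns; `# Yields every request of the current target whose query string is not NULL` matches the code. Taking `&block` only to call `block.call(req)` is the long form of `yield req`, or the block can be forwarded directly: `target_requests('AND requests.query IS NOT NULL').each(&block)`. The tail visible above the insertion (`block.call(req) end end`) suggests a sibling with the same shape and a different SQL fragment, so a private helper taking the fragment would remove the duplication.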
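Review bot: `resolv_hosts = false` is a hard-coded local in the `-r` branch, so the `if resolv_hosts` block that calls `Rex::Socket.resolv_to_dotted` and `create_target` is unreachable and every proxied hostname is dropped with `print_error("RHOSTS only accepts IP addresses: #{req.host}")`. Either drive it from a datastore option or a command switch, or delete the branch together with its comment; dead code behind a literal reads as a toggle that does not exist. If resolution is enabled later, keep in mind that a hostname and the address it resolves to can serve different content on a virtually-hosted server, so the original `req.host` should be preserved alongside the IP (the documentation hunk's `setg VHOST` step is how the scanner modules are told which name to send). The `case` enclosing `when '-r'` starts outside the hunk.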
@@ -928,4 +942,4 @@ end
 end
 end
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/version.rb b/modules/auxiliary/scanner/http/version.rb
index 77e0c286cb..3b6e288dc8 100644
--- a/modules/auxiliary/scanner/http/version.rb
+++ b/modules/auxiliary/scanner/http/version.rb
@@ -48,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("#{ip} is running #{res.headers['Server']}#{extra}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'WEB_SERVER','TYPE',"#{res.headers['Server']}#{extra}",nil)
 end
@@ -101,4 +101,4 @@ class Metasploit3 < Msf::Auxiliary
 ' ( ' + extras.join(', ') + ' )'
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_backup_file.rb b/modules/auxiliary/scanner/http/wmap_backup_file.rb
index 66d55b9e54..d69186f5d9 100644
--- a/modules/auxiliary/scanner/http/wmap_backup_file.rb
+++ b/modules/auxiliary/scanner/http/wmap_backup_file.rb
@@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Found http://#{target_host}:#{datastore['RPORT']}#{file}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'VULNERABILITY','BACKUP_FILE',"#{file}","A backup file was found.")
 else
@@ -88,4 +88,4 @@ class Metasploit3 < Msf::Auxiliary
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_blind_sql_query.rb b/modules/auxiliary/scanner/http/wmap_blind_sql_query.rb
index 74435115ce..d86461e581 100644
--- a/modules/auxiliary/scanner/http/wmap_blind_sql_query.rb
+++ b/modules/auxiliary/scanner/http/wmap_blind_sql_query.rb
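Review bot: The report call in `wmap_backup_file.rb` now uses `wmap_target_port`, but the `print_status("Found http://#{target_host}:#{datastore['RPORT']}#{file}")` two lines above still reads the port from `datastore['RPORT']`, and the matching hunks in `wmap_dir_listing.rb`, `wmap_dir_scanner.rb` and `wmap_files_dir.rb` do the same, while `wmap_brute_dirs.rb`, `wmap_replace_ext.rb` and `writable.rb` keep `#{target_port}` — the accessor the wmapmodule.rb comment says misbehaves. Using the same wrappers in the status lines keeps what is printed and what is reported consistent, e.g. `print_status("Found http://#{wmap_target_host}:#{wmap_target_port}#{file}")`. The surrounding `run_host` bodies start and end outside these hunks.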
@@ -142,9 +142,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 vul_id = wmap_report(rep_id,'VULNERABILITY','BLIND_SQL_INJECTION',"#{datastore['PATH']}","Possible blind SQL Injection Found #{datastore['PATH']}")
 wmap_report(vul_id,'BLIND_SQL_INJECTION','PARAMETER',"#{key}","Vulnerable parameter is #{key}")
@@ -169,4 +169,4 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_brute_dirs.rb b/modules/auxiliary/scanner/http/wmap_brute_dirs.rb
index b9947faded..178bf14b8c 100644
--- a/modules/auxiliary/scanner/http/wmap_brute_dirs.rb
+++ b/modules/auxiliary/scanner/http/wmap_brute_dirs.rb
@@ -41,6 +41,10 @@ class Metasploit3 < Msf::Auxiliary
 end
+ def wmap_enabled
+ true
+ end
+
 def run_host(ip)
 numb = []
@@ -83,9 +87,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Found http://#{target_host}:#{target_port}#{teststr} #{res.code.to_i}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'DIRECTORY','NAME',"#{teststr}","Directory #{teststr} found.")
@@ -222,4 +226,4 @@ module Enumerable
 a
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_dir_listing.rb b/modules/auxiliary/scanner/http/wmap_dir_listing.rb
index a7c863ef04..f0a9d7911e 100644
--- a/modules/auxiliary/scanner/http/wmap_dir_listing.rb
+++ b/modules/auxiliary/scanner/http/wmap_dir_listing.rb
@@ -52,9 +52,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Found Directory Listing http://#{target_host}:#{datastore['RPORT']}#{tpath}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'VULNERABILITY','DIR_LISTING',"#{tpath}","Directory #{teststr} disclose its contents.")
 end
@@ -66,4 +66,4 @@ class Metasploit3 < Msf::Auxiliary
 rescue ::Timeout::Error, ::Errno::EPIPE
 end
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_dir_scanner.rb b/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
index 9c177f36c7..6471b0f1f1 100644
--- a/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
+++ b/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
@@ -86,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
 if (res and res.code.to_i != ecode.to_i)
 print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfdir} #{res.code}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 vul_id = wmap_report(rep_id,'DIRECTORY','NAME',"#{tpath}#{testfdir}","Directory #{tpath}#{testfdir} found.")
 wmap_report(vul_id,'DIRECTORY','RESP_CODE',"#{res.code}",nil)
diff --git a/modules/auxiliary/scanner/http/wmap_files_dir.rb b/modules/auxiliary/scanner/http/wmap_files_dir.rb
index bdc7879d59..a055f703c7 100644
--- a/modules/auxiliary/scanner/http/wmap_files_dir.rb
+++ b/modules/auxiliary/scanner/http/wmap_files_dir.rb
@@ -62,9 +62,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Found http://#{target_host}:#{datastore['RPORT']}#{tpath}#{testfext}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}#{testfext}","File #{tpath}#{testfext} found.")
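Review bot: In `wmap_dir_listing.rb` the report stores the path as `"#{tpath}"` but the note text interpolates `teststr` (`"Directory #{teststr} disclose its contents."`); `teststr` is not visible in this hunk, so if it is not the same value as `tpath` the note describes a different directory than the one recorded. Using `tpath` in both places, and fixing the grammar while there, removes the doubt: `"Directory #{tpath} discloses its contents."`. The enclosing method starts and ends outside the hunk.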
@@ -80,4 +80,4 @@ class Metasploit3 < Msf::Auxiliary
 }
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_replace_ext.rb b/modules/auxiliary/scanner/http/wmap_replace_ext.rb
index a65ee9b264..d2700be1fd 100644
--- a/modules/auxiliary/scanner/http/wmap_replace_ext.rb
+++ b/modules/auxiliary/scanner/http/wmap_replace_ext.rb
@@ -74,9 +74,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Found http://#{target_host}:#{target_port}#{tpath}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 vul_id = wmap_report(rep_id,'FILE','NAME',"#{tpath}","File #{tpath} found.")
@@ -93,4 +93,4 @@ class Metasploit3 < Msf::Auxiliary
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/wmap_ssl_vhost.rb b/modules/auxiliary/scanner/http/wmap_ssl_vhost.rb
index 648bcf7fbf..4ef48fbcd2 100644
--- a/modules/auxiliary/scanner/http/wmap_ssl_vhost.rb
+++ b/modules/auxiliary/scanner/http/wmap_ssl_vhost.rb
@@ -58,9 +58,9 @@ class Metasploit3 < Msf::Auxiliary
 if vhostn
 print_status("#{ip} is host #{vhostn}")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'VHOST','NAME',"#{vhostn}","Vhost #{vhostn} found.")
diff --git a/modules/auxiliary/scanner/http/writable.rb b/modules/auxiliary/scanner/http/writable.rb
index 2cade69c1e..70d09a79f0 100644
--- a/modules/auxiliary/scanner/http/writable.rb
+++ b/modules/auxiliary/scanner/http/writable.rb
@@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Upload succeeded on http://#{target_host}:#{target_port}#{datastore['PATH']} [#{res.code}]")
 rep_id = wmap_base_report_id(
- self.target_host,
- self.target_port,
- self.ssl
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
 )
 wmap_report(rep_id,'VULNERABILITY','PUT_ENABLED',"#{datastore['PATH']}","Upload succeeded on #{datastore['PATH']}")
@@ -111,4 +111,4 @@ class Metasploit3 < Msf::Auxiliary
 end
-end
\ No newline at end of file
+end