Merge pull request #110 from jhartftw/soap_xml_6249
Improvements to auxiiliary/scanner/http/soap_xml to (#6249)unstable
sinn3r
commit
d5443159d7
|
|
@ -42,7 +42,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
OptString.new('XMLSCHEMA', [ true, "XML Schema", 'http://www.w3.org/2001/XMLSchema']),
|
OptString.new('XMLSCHEMA', [ true, "XML Schema", 'http://www.w3.org/2001/XMLSchema']),
|
||||||
OptString.new('XMLSOAP', [ true, "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),
|
OptString.new('XMLSOAP', [ true, "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),
|
||||||
OptString.new('CONTENTTYPE', [ true, "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),
|
OptString.new('CONTENTTYPE', [ true, "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),
|
||||||
|
OptInt.new('SLEEP', [true, "Sleep this many seconds between requests", 0 ]),
|
||||||
OptBool.new('DISPLAYHTML', [ true, "Display HTML response", false ]),
|
OptBool.new('DISPLAYHTML', [ true, "Display HTML response", false ]),
|
||||||
|
OptBool.new('SSL', [ true, "Use SSL", false ]),
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
@ -53,6 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
verbs = [
|
verbs = [
|
||||||
'get',
|
'get',
|
||||||
'active',
|
'active',
|
||||||
|
'activate',
|
||||||
'create',
|
'create',
|
||||||
'change',
|
'change',
|
||||||
'set',
|
'set',
|
||||||
|
|
@ -74,33 +77,49 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'register',
|
'register',
|
||||||
'log',
|
'log',
|
||||||
'add',
|
'add',
|
||||||
|
'list',
|
||||||
|
'query',
|
||||||
#'delete', # Best to be safe!
|
#'delete', # Best to be safe!
|
||||||
]
|
]
|
||||||
|
|
||||||
nouns = [
|
nouns = [
|
||||||
'password',
|
'password',
|
||||||
'task',
|
'task',
|
||||||
|
'tasks',
|
||||||
'pass',
|
'pass',
|
||||||
'administration',
|
'administration',
|
||||||
'account',
|
'account',
|
||||||
|
'accounts',
|
||||||
'admin',
|
'admin',
|
||||||
'login',
|
'login',
|
||||||
|
'logins',
|
||||||
'token',
|
'token',
|
||||||
'credentials',
|
'tokens',
|
||||||
'credential',
|
'credential',
|
||||||
|
'credentials',
|
||||||
'key',
|
'key',
|
||||||
|
'keys',
|
||||||
'guid',
|
'guid',
|
||||||
'message',
|
'message',
|
||||||
|
'messages',
|
||||||
'user',
|
'user',
|
||||||
|
'users',
|
||||||
'username',
|
'username',
|
||||||
|
'usernames',
|
||||||
'load',
|
'load',
|
||||||
'list',
|
'list',
|
||||||
'name',
|
'name',
|
||||||
|
'names',
|
||||||
'file',
|
'file',
|
||||||
|
'files',
|
||||||
'path',
|
'path',
|
||||||
|
'paths',
|
||||||
'directory',
|
'directory',
|
||||||
|
'directories',
|
||||||
'configuration',
|
'configuration',
|
||||||
|
'configurations',
|
||||||
'config',
|
'config',
|
||||||
|
'configs',
|
||||||
'setting',
|
'setting',
|
||||||
'settings',
|
'settings',
|
||||||
'registry',
|
'registry',
|
||||||
|
|
@ -111,28 +130,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
target_port = datastore['RPORT']
|
target_port = datastore['RPORT']
|
||||||
vhost = datastore['VHOST'] || wmap_target_host || ip
|
vhost = datastore['VHOST'] || wmap_target_host || ip
|
||||||
|
|
||||||
|
# regular expressions for common rejection messages
|
||||||
|
reject_regexen = []
|
||||||
|
reject_regexen << Regexp.new("method \\S+ is not valid", true)
|
||||||
|
reject_regexen << Regexp.new("Method \\S+ not implemented", true)
|
||||||
|
reject_regexen << Regexp.new("unable to resolve WSDL method name", true)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
# Check service exists
|
|
||||||
res = send_request_raw({
|
|
||||||
'uri' => datastore['PATH'],
|
|
||||||
'method' => 'GET',
|
|
||||||
'vhost' => vhost,
|
|
||||||
}, 10)
|
|
||||||
|
|
||||||
if (res.code == 200)
|
|
||||||
print_status("PATH appears to be OK.")
|
|
||||||
|
|
||||||
verbs.each do |v|
|
verbs.each do |v|
|
||||||
nouns.each do |n|
|
nouns.each do |n|
|
||||||
|
data_parts = []
|
||||||
# This could be cleaned up - patrickw
|
data_parts << "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
|
||||||
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
|
data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"
|
||||||
data << '<soap:Envelope xmlns:xsi="' + datastore['XMLINSTANCE'] + '" xmlns:xsd="' + datastore['XMLSCHEMA'] + '" xmlns:soap="' + datastore['XMLSOAP'] + '">' + "\r\n"
|
data_parts << "<soap:Body>"
|
||||||
data << '<soap:Body>' + "\r\n"
|
data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"
|
||||||
data << "<#{v}#{n}" + " xmlns=\"#{datastore['XMLNAMESPACE']}\">" + "\r\n"
|
data_parts << "</#{v}#{n}>"
|
||||||
data << "</#{v}#{n}>" + "\r\n"
|
data_parts << "</soap:Body>"
|
||||||
data << '</soap:Body>' + "\r\n"
|
data_parts << "</soap:Envelope>"
|
||||||
data << '</soap:Envelope>' + "\r\n\r\n"
|
data_parts << nil
|
||||||
|
data_parts << nil
|
||||||
|
data = data_parts.join("\r\n")
|
||||||
|
|
||||||
res = send_request_raw({
|
res = send_request_raw({
|
||||||
'uri' => datastore['PATH'] + '/' + v + n,
|
'uri' => datastore['PATH'] + '/' + v + n,
|
||||||
|
|
@ -149,7 +166,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
}, 15)
|
}, 15)
|
||||||
|
|
||||||
if (res && !(res.body.empty?))
|
if (res && !(res.body.empty?))
|
||||||
if (res.body =~ /method name is not valid/)
|
if ((not reject_regexen.select { |r| res.body =~ r }.empty?))
|
||||||
print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||||
elsif (res.message =~ /Cannot process the message because the content type/)
|
elsif (res.message =~ /Cannot process the message because the content type/)
|
||||||
print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
|
print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
|
||||||
|
|
@ -157,6 +174,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_status("Set CONTENTTYPE to \"#{$1}\"")
|
print_status("Set CONTENTTYPE to \"#{$1}\"")
|
||||||
return false
|
return false
|
||||||
elsif (res.code == 404)
|
elsif (res.code == 404)
|
||||||
|
print_status("Server returned HTTP 404 for #{datastore['PATH']}. Use a different one.")
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||||
|
|
@ -164,7 +182,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
report_note(
|
report_note(
|
||||||
:host => ip,
|
:host => ip,
|
||||||
:proto => 'tcp',
|
:proto => 'tcp',
|
||||||
:sname => 'HTTP',
|
:sname => (ssl ? 'https' : 'http'),
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:type => "SOAPAction: #{v}#{n}",
|
:type => "SOAPAction: #{v}#{n}",
|
||||||
:data => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
|
:data => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
|
||||||
|
|
@ -175,15 +193,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
select(nil, nil, nil, datastore['SLEEP']) if (datastore['SLEEP'] > 0)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
|
||||||
else
|
print_error(e)
|
||||||
print_status("Server did not respond with 200 OK.")
|
|
||||||
print_status(res.to_s)
|
|
||||||
end
|
|
||||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
||||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue