diff --git a/modules/auxiliary/scanner/http/apache_userdir_enum.rb b/modules/auxiliary/scanner/http/apache_userdir_enum.rb index 07c3b7d832..1ba9f3fa3f 100644 --- a/modules/auxiliary/scanner/http/apache_userdir_enum.rb +++ b/modules/auxiliary/scanner/http/apache_userdir_enum.rb @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('URI', [true, 'The path to users Home Page', '/']), + OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']), OptPath.new('USER_FILE', [ true, "File containing users, one per line", File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]), ], self.class) @@ -51,11 +51,6 @@ class Metasploit3 < Msf::Auxiliary ) end - def target_url - uri = normalize_uri(datastore['URI']) - "http://#{vhost}:#{rport}#{uri}" - end - def run_host(ip) @users_found = {} @@ -64,9 +59,9 @@ class Metasploit3 < Msf::Auxiliary } if(@users_found.empty?) - print_status("#{target_url} - No users found.") + print_status("#{full_uri} - No users found.") else - print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}") + print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}") report_note( :host => rhost, :port => rport, @@ -80,8 +75,8 @@ class Metasploit3 < Msf::Auxiliary def do_login(user) - vprint_status("#{target_url}~#{user} - Trying UserDir: '#{user}'") - uri = normalize_uri(datastore['URI']) + vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'") + uri = normalize_uri(target_uri.path) payload = "#{uri}~#{user}/" begin res = send_request_cgi( 
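Review bot: In `do_login` (the -80 hunk), the wordlist entry is still interpolated raw into the request path on the context line `payload = "#{uri}~#{user}/"`, so a USER_FILE line containing a space, `/`, `?` or `#` changes the path that is actually requested while the result is recorded under the unmodified name. Encoding the segment keeps the request and the reported user in step: `payload = "#{uri}~#{Rex::Text.uri_encode(user)}/"`. The body of `do_login` continues past the end of this hunk, so how `payload` is sent is not visible here.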
@@ -93,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary return unless res if ((res.code == 403) or (res.code == 200)) - print_good("#{target_url} - Apache UserDir: '#{user}' found ") + print_good("#{full_uri} - Apache UserDir: '#{user}' found ") @users_found[user] = :reported else - vprint_status("#{target_url} - Apache UserDir: '#{user}' not found ") + vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE diff --git a/modules/auxiliary/scanner/http/axis_local_file_include.rb b/modules/auxiliary/scanner/http/axis_local_file_include.rb index fe384ff9aa..c4c029987c 100644 --- a/modules/auxiliary/scanner/http/axis_local_file_include.rb +++ b/modules/auxiliary/scanner/http/axis_local_file_include.rb @@ -34,17 +34,12 @@ class Metasploit3 < Msf::Auxiliary register_options([ Opt::RPORT(8080), - OptString.new('URI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']), + OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']), ], self.class) end - def target_url - uri = normalize_uri(datastore['URI']) - "http://#{vhost}:#{rport}#{uri}" - end - def run_host(ip) - uri = normalize_uri(datastore['URI']) + uri = normalize_uri(target_uri.path) begin res = send_request_raw({ @@ -53,13 +48,12 @@ class Metasploit3 < Msf::Auxiliary }, 25) if (res and res.code == 200) - extract_uri = res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/) - new_uri = "/axis2/services/#{$1}" - new_uri = normalize_uri(new_uri) + res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/) + new_uri = normalize_uri("/axis2/services/#{$1}") get_credentials(new_uri) else - print_status("#{target_url} - Apache Axis - The remote page not accessible") + print_status("#{full_uri} - Apache Axis - The remote page not accessible") return end 
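Review bot: In the axis_local_file_include.rb `run_host` hunk (-53), the result of `match` is now discarded and `$1` is used unconditionally, so a 200 response that contains no service link yields `new_uri = "/axis2/services/"` and `get_credentials` still runs against it. Keep the match object and stop when it is nil, for example `m = res.body.to_s.match(...)` followed by `return unless m` and `new_uri = normalize_uri("/axis2/services/#{m[1]}")`. The `/axis2/services/` prefix is also hard-coded in both the regex and the rebuilt path, so a non-default TARGETURI is presumably not honoured at this step. `run_host` starts in the previous hunk and continues after this one.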
@@ -106,10 +100,10 @@ class Metasploit3 < Msf::Auxiliary 'uri' => "#{uri}" + lfi_payload, }, 25) - print_status("#{target_url} - Apache Axis - Dumping administrative credentials") + print_status("#{full_uri} - Apache Axis - Dumping administrative credentials") if res.nil? - print_error("#{target_url} - Connection timed out") + print_error("#{full_uri} - Connection timed out") return end @@ -121,17 +115,17 @@ class Metasploit3 < Msf::Auxiliary res.body.scan(/parameter\sname=\"password\">([^\s]+) 100 file_data = html.gsub(%r{]+?>}, '') - print_good("#{target_url} - Barracuda - Vulnerable") - print_good("#{target_url} - Barracuda - File Output:\n" + file_data + "\n") + print_good("#{full_uri} - Barracuda - Vulnerable") + print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n") else - print_error("#{target_url} - Barracuda - Not vulnerable: HTML too short?") + print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?") end elsif res.body =~ /help_page/ - print_error("#{target_url} - Barracuda - Not vulnerable: Patched?") + print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?") else - print_error("#{target_url} - Barracuda - File not found or permission denied") + print_error("#{full_uri} - Barracuda - File not found or permission denied") end else - print_error("#{target_url} - Barracuda - No HTML was returned") + print_error("#{full_uri} - Barracuda - No HTML was returned") end else - print_error("#{target_url} - Barracuda - Unrecognized #{res.code} response") + print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout diff --git a/modules/auxiliary/scanner/http/nginx_source_disclosure.rb b/modules/auxiliary/scanner/http/nginx_source_disclosure.rb index 8f3543c202..b49e3e4137 100644 --- a/modules/auxiliary/scanner/http/nginx_source_disclosure.rb +++ b/modules/auxiliary/scanner/http/nginx_source_disclosure.rb 
@@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('URI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']), + OptString.new('TARGETURI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']), OptString.new('PATH_SAVE', [true, 'The path to save the downloaded source code', '']), ], self.class) end - def target_url - uri = normalize_uri(datastore['URI']) - "http://#{vhost}:#{rport}#{uri}" - end - def run_host(ip) - uri = normalize_uri(datastore['URI']) + uri = normalize_uri(target_uri.path) path_save = datastore['PATH_SAVE'] vuln_versions = [ @@ -70,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary }, 25) if res.nil? - print_error("#{target_url} - nginx - Connection timed out") + print_error("#{full_uri} - nginx - Connection timed out") return else version = res.headers['Server'] @@ -78,17 +73,17 @@ class Metasploit3 < Msf::Auxiliary end if vuln_versions.include?(version) - print_good("#{target_url} - nginx - Vulnerable version: #{version}") + print_good("#{full_uri} - nginx - Vulnerable version: #{version}") if (res and res.code == 200) - print_good("#{target_url} - nginx - Getting the source of page #{uri}") + print_good("#{full_uri} - nginx - Getting the source of page #{uri}") save_source = File.new("#{path_save}#{uri}","w") save_source.puts(res.body.to_s) save_source.close - print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}")) + print_status("#{full_uri} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}")) else print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response") 
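Review bot: In the -78 hunk the destination file is still built as `"#{path_save}#{uri}"`, and `uri` now comes from `target_uri.path`, so a TARGETURI with directory components or `..` segments may write outside PATH_SAVE (or fail on a missing directory), and the handle stays open if `puts` raises. Taking only the file name and using the block form avoids both: `dest = File.join(path_save, File.basename(uri))` and `File.open(dest, 'w') { |f| f.puts(res.body.to_s) }`. The context line `print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response")` still hard-codes the scheme and was not moved to `full_uri` like its neighbours. `run_host` starts and ends outside this hunk.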
@@ -98,9 +93,9 @@ class Metasploit3 < Msf::Auxiliary else if version =~ /nginx/ - print_error("#{target_url} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}") + print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}") else - print_error("#{target_url} - nginx - Cannot exploit: the remote server is not ngnix") + print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not ngnix") end return diff --git a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb index e3a820fc2a..56a0b065c0 100644 --- a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb +++ b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb @@ -40,17 +40,12 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('URI', [true, 'The path to users Squiz Matrix installation', '/']), + OptString.new('TARGETURI', [true, 'The path to users Squiz Matrix installation', '/']), OptInt.new('ASSETBEGIN', [ true, "Asset ID to start at", 1]), OptInt.new('ASSETEND', [ true, "Asset ID to stop at", 100]), ], self.class) end - def target_url - uri = normalize_uri(datastore['URI']) - "http://#{vhost}:#{rport}#{uri}" - end - def run_host(ip) @users_found = {} @@ -65,9 +60,9 @@ class Metasploit3 < Msf::Auxiliary end if(@users_found.empty?) - print_status("#{target_url} - No users found.") + print_status("#{full_uri} - No users found.") else - print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}") + print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}") report_note( :host => rhost, :port => rport, 
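Review bot: The rewritten message in the nginx -98 hunk keeps the misspelling `ngnix`; since the line is being touched anyway it should read `print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not nginx")`. The enclosing `run_host` continues outside the hunk.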
@@ -106,16 +101,18 @@ class Metasploit3 < Msf::Auxiliary def do_enum(asset) begin + uri = normalize_uri(target_uri.path) + res = send_request_cgi({ - 'uri' => "#{target_url}?a=#{asset}", + 'uri' => "#{uri}?a=#{asset}", 'method' => 'GET' }, 20) if (datastore['VERBOSE']) if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access (\w+)<\/i>/) - print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'") + print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}' title '#{$1}'") else - print_status("#{target_url}?a=#{asset} - Trying Asset: '#{asset}'") + print_status("#{full_uri}?a=#{asset} - Trying Asset: '#{asset}'") end end @@ -123,25 +120,25 @@ class Metasploit3 < Msf::Auxiliary user=$1.strip # try the full name of the user - tmpasset = asset -1 + tmpasset = asset - 1 res = send_request_cgi({ - 'uri' => "#{target_url}?a=#{tmpasset}", + 'uri' => "#{uri}?a=#{tmpasset}", 'method' => 'GET' }, 20) if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access Inbox<\/i>/) - tmpasset = asset -2 + tmpasset = asset - 2 res = send_request_cgi({ - 'uri' => "#{target_url}?a=#{tmpasset}", + 'uri' => "#{uri}?a=#{tmpasset}", 'method' => 'GET' }, 20) - print_good("#{target_url}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'") + print_good("#{full_uri}?a=#{asset} - Trying to obtain fullname for Asset ID '#{asset}', '#{user}'") if (res and res.code = 403 and res.body and res.body =~ /You do not have permission to access (.*)<\/i>/) fullname = $1.strip - print_good("#{target_url}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})") + print_good("#{full_uri}?a=#{tmpasset} - Squiz Matrix User Found: '#{user}' (#{fullname})") @users_found["#{user} (#{fullname})"] = :reported end else - print_good("#{target_url} - Squiz Matrix User: '#{user}'") + print_good("#{full_uri} - Squiz Matrix User: '#{user}'") @users_found[user] = :reported end 
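Review bot: Every status check in `do_enum` is written `res.code = 403`, which assigns rather than compares, so the test is true for any response and the real status code is overwritten; it appears on the context line of the -106 hunk and twice more in the -123 hunk. Each occurrence should use `res.code == 403`, keeping the rest of the condition as it is. As written, a 200 or 404 page whose body happens to match the pattern is counted as a user, which inflates what `report_note` records. `do_enum` begins in the first hunk and runs past the end of the second.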
diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb index 377aa03096..9a4c1e244f 100644 --- a/modules/auxiliary/scanner/http/tomcat_enum.rb +++ b/modules/auxiliary/scanner/http/tomcat_enum.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT(8080), - OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']), + OptString.new('TARGETURI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']), OptPath.new('USER_FILE', [ true, "File containing users, one per line", File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_users.txt") ]), ], self.class) @@ -49,16 +49,11 @@ class Metasploit3 < Msf::Auxiliary deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME') end - def target_url - uri = normalize_uri(datastore['URI']) - "http://#{vhost}:#{rport}#{uri}" - end - def has_j_security_check? - vprint_status("#{target_url} - Checking j_security_check...") - res = send_request_raw({'uri' => normalize_uri(datastore['URI'])}) + vprint_status("#{full_uri} - Checking j_security_check...") + res = send_request_raw({'uri' => normalize_uri(target_uri.path)}) if res - vprint_status("#{target_url} - Server returned: #{res.code.to_s}") + vprint_status("#{full_uri} - Server returned: #{res.code.to_s}") return true if res.code == 200 or res.code == 302 end @@ -67,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless has_j_security_check? - print_error("#{target_url} - Unable to enumerate users with this URI") + print_error("#{full_uri} - Unable to enumerate users with this URI") return end 
@@ -78,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary } if(@users_found.empty?) - print_status("#{target_url} - No users found.") + print_status("#{full_uri} - No users found.") else - print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}") + print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}") report_note( :host => rhost, :port => rport, 
@@ -92,34 +87,34 @@ class Metasploit3 < Msf::Auxiliary def do_login(user) post_data = "j_username=#{user}&password=%" - vprint_status("#{target_url} - Apache Tomcat - Trying name: '#{user}'") + vprint_status("#{full_uri} - Apache Tomcat - Trying name: '#{user}'") begin res = send_request_cgi( { 'method' => 'POST', - 'uri' => normalize_uri(datastore['URI']), + 'uri' => normalize_uri(target_uri.path), 'data' => post_data, }, 20) if res and res.code == 200 and !res.get_cookies.empty? - vprint_error("#{target_url} - Apache Tomcat #{user} not found ") + vprint_error("#{full_uri} - Apache Tomcat #{user} not found ") elsif res and res.code == 200 and res.body =~ /invalid username/i - vprint_error("#{target_url} - Apache Tomcat #{user} not found ") + vprint_error("#{full_uri} - Apache Tomcat #{user} not found ") elsif res and res.code == 500 # Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html - vprint_good("#{target_url} - Apache Tomcat #{user} found ") + vprint_good("#{full_uri} - Apache Tomcat #{user} found ") @users_found[user] = :reported elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/ # Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html - print_good("#{target_url} - Apache Tomcat #{user} found ") + print_good("#{full_uri} - Apache Tomcat #{user} found ") @users_found[user] = :reported else - print_error("#{target_url} - NOT VULNERABLE") + print_error("#{full_uri} - NOT VULNERABLE") return :abort end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE - print_error("#{target_url} - UNREACHABLE") + print_error("#{full_uri} - UNREACHABLE") return :abort end end
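Review bot: In `do_login` the two "found" branches report differently: the `res.code == 500` branch uses `vprint_good`, so a discovered user is shown only in verbose mode, while the empty-body branch uses `print_good`. Use `print_good("#{full_uri} - Apache Tomcat #{user} found ")` in both. A nil `res` (no response) also falls through every `res and ...` test into the final `else` and is logged as `NOT VULNERABLE`; a `return :abort unless res` guard with its own message ahead of the chain would keep a timeout from being read as a negative result. In the empty-body branch, `res.headers['Location'] !~ /error\.jsp$/` is also true when the header is absent, so that case is worth an explicit check.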