Improvements to auxiiliary/scanner/http/soap_xml to:
* Detect additional SOAP faults to reduce false positives * More obviously support SSL * Report http/https * Make it obvious when a SOAP endpoint falls over mid-scan * Add a few more nouns/verbs * Add an optional SLEEP to play nice with old/slow SOAP endpoints https://dev.metasploit.com/redmine/issues/6249
This commit is contained in:
Jon Hart
parent
84db5a21fc
commit
6a057560fa
|
|
@ -42,7 +42,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptString.new('XMLSCHEMA', [ true, "XML Schema", 'http://www.w3.org/2001/XMLSchema']),
|
||||
OptString.new('XMLSOAP', [ true, "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),
|
||||
OptString.new('CONTENTTYPE', [ true, "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),
|
||||
OptInt.new('SLEEP', [true, "Sleep this many seconds between requests", 0 ]),
|
||||
OptBool.new('DISPLAYHTML', [ true, "Display HTML response", false ]),
|
||||
OptBool.new('SSL', [ true, "Use SSL", false ]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
|
@ -53,6 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
verbs = [
|
||||
'get',
|
||||
'active',
|
||||
'activate',
|
||||
'create',
|
||||
'change',
|
||||
'set',
|
||||
|
|
@ -74,33 +77,49 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'register',
|
||||
'log',
|
||||
'add',
|
||||
'list',
|
||||
'query',
|
||||
#'delete', # Best to be safe!
|
||||
]
|
||||
|
||||
nouns = [
|
||||
'password',
|
||||
'task',
|
||||
'tasks',
|
||||
'pass',
|
||||
'administration',
|
||||
'account',
|
||||
'accounts',
|
||||
'admin',
|
||||
'login',
|
||||
'logins',
|
||||
'token',
|
||||
'credentials',
|
||||
'tokens',
|
||||
'credential',
|
||||
'credentials',
|
||||
'key',
|
||||
'keys',
|
||||
'guid',
|
||||
'message',
|
||||
'messages',
|
||||
'user',
|
||||
'users',
|
||||
'username',
|
||||
'usernames',
|
||||
'load',
|
||||
'list',
|
||||
'name',
|
||||
'names',
|
||||
'file',
|
||||
'files',
|
||||
'path',
|
||||
'paths',
|
||||
'directory',
|
||||
'directories',
|
||||
'configuration',
|
||||
'configurations',
|
||||
'config',
|
||||
'configs',
|
||||
'setting',
|
||||
'settings',
|
||||
'registry',
|
||||
|
|
@ -111,79 +130,74 @@ class Metasploit3 < Msf::Auxiliary
|
|||
target_port = datastore['RPORT']
|
||||
vhost = datastore['VHOST'] || wmap_target_host || ip
|
||||
|
||||
# regular expressions for common rejection messages
|
||||
reject_regexen = []
|
||||
reject_regexen << Regexp.new("method \\S+ is not valid", true)
|
||||
reject_regexen << Regexp.new("Method \\S+ not implemented", true)
|
||||
reject_regexen << Regexp.new("unable to resolve WSDL method name", true)
|
||||
|
||||
begin
|
||||
# Check service exists
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'GET',
|
||||
'vhost' => vhost,
|
||||
}, 10)
|
||||
verbs.each do |v|
|
||||
nouns.each do |n|
|
||||
data_parts = []
|
||||
data_parts << "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
|
||||
data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"
|
||||
data_parts << "<soap:Body>"
|
||||
data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"
|
||||
data_parts << "</#{v}#{n}>"
|
||||
data_parts << "</soap:Body>"
|
||||
data_parts << "</soap:Envelope>"
|
||||
data_parts << nil
|
||||
data_parts << nil
|
||||
data = data_parts.join("\r\n")
|
||||
|
||||
if (res.code == 200)
|
||||
print_status("PATH appears to be OK.")
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['PATH'] + '/' + v + n,
|
||||
'method' => 'POST',
|
||||
'vhost' => vhost,
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => data.length,
|
||||
'SOAPAction' => '"' + datastore['XMLNAMESPACE'] + v + n + '"',
|
||||
'Expect' => '100-continue',
|
||||
'Content-Type' => datastore['CONTENTTYPE'],
|
||||
}
|
||||
}, 15)
|
||||
|
||||
verbs.each do |v|
|
||||
nouns.each do |n|
|
||||
|
||||
# This could be cleaned up - patrickw
|
||||
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
|
||||
data << '<soap:Envelope xmlns:xsi="' + datastore['XMLINSTANCE'] + '" xmlns:xsd="' + datastore['XMLSCHEMA'] + '" xmlns:soap="' + datastore['XMLSOAP'] + '">' + "\r\n"
|
||||
data << '<soap:Body>' + "\r\n"
|
||||
data << "<#{v}#{n}" + " xmlns=\"#{datastore['XMLNAMESPACE']}\">" + "\r\n"
|
||||
data << "</#{v}#{n}>" + "\r\n"
|
||||
data << '</soap:Body>' + "\r\n"
|
||||
data << '</soap:Envelope>' + "\r\n\r\n"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['PATH'] + '/' + v + n,
|
||||
'method' => 'POST',
|
||||
'vhost' => vhost,
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => data.length,
|
||||
'SOAPAction' => '"' + datastore['XMLNAMESPACE'] + v + n + '"',
|
||||
'Expect' => '100-continue',
|
||||
'Content-Type' => datastore['CONTENTTYPE'],
|
||||
}
|
||||
}, 15)
|
||||
|
||||
if (res && !(res.body.empty?))
|
||||
if (res.body =~ /method name is not valid/)
|
||||
print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||
elsif (res.message =~ /Cannot process the message because the content type/)
|
||||
print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
|
||||
res.message =~ /was not the expected type\s\'([^']+)'/
|
||||
print_status("Set CONTENTTYPE to \"#{$1}\"")
|
||||
return false
|
||||
elsif (res.code == 404)
|
||||
return false
|
||||
else
|
||||
print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||
## Add Report
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'tcp',
|
||||
:sname => 'HTTP',
|
||||
:port => rport,
|
||||
:type => "SOAPAction: #{v}#{n}",
|
||||
:data => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
|
||||
)
|
||||
if datastore['DISPLAYHTML']
|
||||
print_status("The HTML content follows:")
|
||||
print_status(res.body + "\r\n")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
else
|
||||
print_status("Server did not respond with 200 OK.")
|
||||
print_status(res.to_s)
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
if (res && !(res.body.empty?))
|
||||
if ((not reject_regexen.select { |r| res.body =~ r }.empty?))
|
||||
print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||
elsif (res.message =~ /Cannot process the message because the content type/)
|
||||
print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
|
||||
res.message =~ /was not the expected type\s\'([^']+)'/
|
||||
print_status("Set CONTENTTYPE to \"#{$1}\"")
|
||||
return false
|
||||
elsif (res.code == 404)
|
||||
print_status("Server returned HTTP 404 for #{datastore['PATH']}. Use a different one.")
|
||||
return false
|
||||
else
|
||||
print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||
## Add Report
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'tcp',
|
||||
:sname => (ssl ? 'https' : 'http'),
|
||||
:port => rport,
|
||||
:type => "SOAPAction: #{v}#{n}",
|
||||
:data => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
|
||||
)
|
||||
if datastore['DISPLAYHTML']
|
||||
print_status("The HTML content follows:")
|
||||
print_status(res.body + "\r\n")
|
||||
end
|
||||
end
|
||||
end
|
||||
select(nil, nil, nil, datastore['SLEEP']) if (datastore['SLEEP'] > 0)
|
||||
end
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
|
||||
print_error(e)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue