Fix nginx_source_disclosure for full_uri

2015-11-25 11:19:27 -06:00 · 2015-11-25 11:19:27 -06:00 · 7d17c5741b
parent 035882702a
commit 7d17c5741b
1 changed files with 8 additions and 17 deletions
--- a/modules/auxiliary/scanner/http/nginx_source_disclosure.rb
+++ b/modules/auxiliary/scanner/http/nginx_source_disclosure.rb
@ -35,22 +35,13 @@ class Metasploit3 < Msf::Auxiliary

    register_options(
      [
-        OptString.new('URI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
+        OptString.new('TARGETURI', [true, 'Specify the path to download the file (ex: admin.php)', '/admin.php']),
        OptString.new('PATH_SAVE', [true, 'The path to save the downloaded source code', '']),
      ], self.class)
  end

-  def target_url
-    uri = normalize_uri(datastore['URI'])
-    proto = 'http'
-    if rport == 443 || ssl
-      proto = 'https'
-    end
-    "#{proto}://#{vhost}:#{rport}#{uri}"
-  end
-
  def run_host(ip)
-    uri = normalize_uri(datastore['URI'])
+    uri = normalize_uri(target_uri.path)
    path_save = datastore['PATH_SAVE']

    vuln_versions = [
@ -74,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
        }, 25)

      if res.nil?
-        print_error("#{target_url} - nginx - Connection timed out")
+        print_error("#{full_uri} - nginx - Connection timed out")
        return
      else
        version = res.headers['Server']
@ -82,17 +73,17 @@ class Metasploit3 < Msf::Auxiliary
      end

      if vuln_versions.include?(version)
-        print_good("#{target_url} - nginx - Vulnerable version: #{version}")
+        print_good("#{full_uri} - nginx - Vulnerable version: #{version}")

        if (res and res.code == 200)

-          print_good("#{target_url} - nginx - Getting the source of page #{uri}")
+          print_good("#{full_uri} - nginx - Getting the source of page #{uri}")

          save_source = File.new("#{path_save}#{uri}","w")
          save_source.puts(res.body.to_s)
          save_source.close

-          print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
+          print_status("#{full_uri} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))

        else
          print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response")
@ -102,9 +93,9 @@ class Metasploit3 < Msf::Auxiliary

      else
        if version =~ /nginx/
-          print_error("#{target_url} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
+          print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not vulnerable - Version #{version}")
        else
-          print_error("#{target_url} - nginx - Cannot exploit: the remote server is not ngnix")
+          print_error("#{full_uri} - nginx - Cannot exploit: the remote server is not ngnix")
        end
        return