added web exploit mixin
This commit is contained in:
parent
37a9c13c34
commit
a88031a02a
|
@ -91,3 +91,5 @@ require 'msf/core/exploit/wbemexec'
|
|||
#WinRM
|
||||
require 'msf/core/exploit/winrm'
|
||||
|
||||
# WebApp
|
||||
require 'msf/core/exploit/web'
|
||||
|
|
|
@ -0,0 +1,138 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This module exposes methods that may be useful to exploits that deal with
|
||||
# servers that speak the telnet protocol.
|
||||
#
|
||||
###
|
||||
module Exploit::Remote::Web
|
||||
include Exploit::Remote::Tcp
|
||||
include Exploit::Remote::HttpClient
|
||||
|
||||
# Default value for #web_payload_stub
|
||||
WEB_PAYLOAD_STUB = '!payload!'
|
||||
|
||||
#
|
||||
# Optional stub to be replaced with the exploit payload.
|
||||
#
|
||||
# Default stub is 'WEB_PAYLOAD_STUB'.
|
||||
#
|
||||
attr_accessor :web_payload_stub
|
||||
|
||||
# Creates an instance of a Telnet exploit module.
|
||||
#
|
||||
def initialize( info = {} )
|
||||
super
|
||||
|
||||
register_options([
|
||||
OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ),
|
||||
OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
|
||||
OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
|
||||
OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
|
||||
OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
|
||||
], self.class )
|
||||
|
||||
self.web_payload_stub = WEB_PAYLOAD_STUB
|
||||
end
|
||||
|
||||
def path
|
||||
Rex::Text.uri_encode( substitute_web_payload_stub( datastore['PATH'] ) )
|
||||
end
|
||||
|
||||
def get
|
||||
substitute_in_hash( parse_query( datastore['GET'] ) )
|
||||
end
|
||||
|
||||
def post
|
||||
substitute_in_hash( parse_query( datastore['POST'] ) )
|
||||
end
|
||||
|
||||
def cookies
|
||||
substitute_web_payload_stub( datastore['COOKIES'], ',;' )
|
||||
end
|
||||
|
||||
def headers
|
||||
substitute_in_hash( parse_query( datastore['HEADERS'] ) )
|
||||
end
|
||||
|
||||
def method
|
||||
post.empty? ? 'GET' : 'POST'
|
||||
end
|
||||
|
||||
def check
|
||||
path = datastore['PATH']
|
||||
print_status "Checking #{path}"
|
||||
|
||||
response = send_request_raw( 'uri' => path )
|
||||
return Exploit::CheckCode::Detected if response.code == 200
|
||||
|
||||
print_error "Server responded with #{response.code}"
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status "Sending HTTP request for #{path}"
|
||||
res = send_request_cgi({
|
||||
'global' => true,
|
||||
'uri' => path,
|
||||
'method' => method,
|
||||
'vars_get' => get,
|
||||
'vars_post' => post,
|
||||
'headers' => headers,
|
||||
'cookie' => cookies
|
||||
}, 0.01 )
|
||||
|
||||
if res
|
||||
print_status "The server responded with HTTP status code #{res.code}."
|
||||
else
|
||||
print_status 'The server did not respond to our request.'
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
#
|
||||
# Converts a URI query string into a key=>value hash.
|
||||
#
|
||||
def parse_query( query, sep = '&' )
|
||||
query = query.to_s
|
||||
return {} if query.empty?
|
||||
|
||||
query.split( sep ).inject({}) do |h, part|
|
||||
k, v = part.split( '=', 2 )
|
||||
h[k.to_s] = v.to_s
|
||||
h
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# With what to replace 'WEB_PAYLOAD_STUB'.
|
||||
#
|
||||
# By default returns 'payload.encoded', override as needed.
|
||||
#
|
||||
def stub_value
|
||||
payload.encoded
|
||||
end
|
||||
|
||||
#
|
||||
# Substitutes 'web_payload_stub' with the exploit payload.
|
||||
#
|
||||
def substitute_web_payload_stub( str, escape = '' )
|
||||
value = stub_value
|
||||
value = URI.encode( stub_value, escape ) if !escape.empty?
|
||||
str.to_s.gsub( web_payload_stub, value )
|
||||
end
|
||||
|
||||
def substitute_in_hash( hash )
|
||||
hash.inject({}) do |h, (k, v)|
|
||||
h[substitute_web_payload_stub( k )] = substitute_web_payload_stub( v )
|
||||
h
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue