dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Land #3148, check_urlprefixes for sap_icm_urlscan

This commit is contained in:
William Vu 2014-05-17 16:10:52 -05:00
parent 488c3e6b93 dd1a47f31f
commit a97d9ed54f
No known key found for this signature in database
GPG Key ID: E761DCB4C1629024
1 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
View File

@ -89,6 +89,8 @@ class Metasploit3 < Msf::Auxiliary
urls_to_check.each do |url|
check_url(url.strip)
end
# check custom URLs
check_urlprefixes
else
print_error("#{rhost}:#{rport} No response received")
end
@ -110,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary
case
when res.code == 200
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})")
when res.code == 403
print_good("#{rhost}:#{rport} #{url} - restricted (403)")
when res.code == 401
@ -129,7 +131,7 @@ class Metasploit3 < Msf::Auxiliary
end
else
print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)")
end
end
@ -143,9 +145,28 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
if (res and res.code == 200)
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})")
else
print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
end
end
def check_urlprefixes
# "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." (SAP help)
# -> this disclose custom URLs that are also checked for authentication
res = send_request_cgi({
'uri' => "/sap/public/icf_info/urlprefix",
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (res and res.code == 200)
res.body.each_line do |line|
if line =~ /PREFIX=/
url_enc = line.sub(/^PREFIX=/, '')
url_dec = URI.unescape(url_enc).sub(/;/, '')
check_url(url_dec.strip)
end
end
end
end
end