Module: Msf::Auxiliary::Web

Includes:

Report

Defined in:

lib/msf/core/auxiliary/web.rb,
lib/msf/core/auxiliary/web/form.rb,
lib/msf/core/auxiliary/web/path.rb,
lib/msf/core/auxiliary/web/fuzzable.rb,
lib/msf/core/auxiliary/web/analysis/taint.rb,
lib/msf/core/auxiliary/web/analysis/timing.rb,
lib/msf/core/auxiliary/web/analysis/differential.rb

Overview

Represents a webpage path.

Defined Under Namespace

Modules: Analysis Classes: Form, Fuzzable, HTTP, Path, Target

Instance Attribute Summary

• #http ⇒ Object readonly

  Returns the value of attribute http.

• #page ⇒ Object readonly

  Returns the value of attribute page.

• #parent ⇒ Object readonly

  Returns the value of attribute parent.

• #target ⇒ Object readonly

  Returns the value of attribute target.

Class Method Summary

• .configure_exploit(exploit, vuln) ⇒ Object

  Must return a configuration Hash for the given exploit and vulnerability.

• .exploits ⇒ Object

  Should be overridden to return the exploits to use for this vulnerability type as an Array of Strings.

Instance Method Summary

• #auditable ⇒ Object

  Returns an Array of elements prepared to be audited.

• #calculate_confidence(_vuln) ⇒ Object

  Should be overridden and return an Integer (0-100) denoting the confidence in the accuracy of the logged vuln.

• #checked(id) ⇒ Object

  String id to push to the #checklist.

• #checked?(id) ⇒ Boolean

  String id to check against the #checklist.

• #directory_exist?(path) ⇒ Boolean

  Checks whether a directory exists based on a path String.

• #find_proof(response, _element) ⇒ Object

  Serves as a default detection method for when performing taint analysis.

• #increment_request_counter ⇒ Object
• #initialize(info = {}) ⇒ Object
• #log_directory_if_exists(path) ⇒ Object

  Logs the existence of the directory in the path String.

• #log_fingerprint(opts = {}) ⇒ Object
• #log_resource(opts = {}) ⇒ Object
• #log_resource_if_exists(path) ⇒ Object (also: #log_file_if_exists)

  Logs the existence of a resource in the path String.

• #match_and_log_fingerprint(fingerprint, options = {}) ⇒ Object

  Matches fingerprint pattern against the current page's body and logs matches.

• #payloads ⇒ Object

  Should be overridden to return the payloads used for this vulnerability type as an Array of Strings.

• #process_vulnerability(element, proof, opts = {}) ⇒ Object
• #resource_exist?(path) ⇒ Boolean (also: #file_exist?)

  Checks whether a resource exists based on a path String.

• #run ⇒ Object

  Default #run, will audit all elements using taint analysis and log results based on #find_proof return values.

• #setup(opts = {}) ⇒ Object

  Called directly before 'run'.

• #signature ⇒ Object

  Should be overridden to return a pattern to be matched against response bodies in order to identify a vulnerability.

• #token ⇒ Object

Methods included from Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Attribute Details

#http ⇒ Object (readonly)

Returns the value of attribute http.

# File 'lib/msf/core/auxiliary/web.rb', line 17

def http
  @http
end

#page ⇒ Object (readonly)

Returns the value of attribute page.

# File 'lib/msf/core/auxiliary/web.rb', line 19

def page
  @page
end

#parent ⇒ Object (readonly)

Returns the value of attribute parent.

# File 'lib/msf/core/auxiliary/web.rb', line 18

def parent
  @parent
end

#target ⇒ Object (readonly)

Returns the value of attribute target.

# File 'lib/msf/core/auxiliary/web.rb', line 16

def target
  @target
end

Class Method Details

.configure_exploit(exploit, vuln) ⇒ Object

Must return a configuration Hash for the given exploit and vulnerability.

# File 'lib/msf/core/auxiliary/web.rb', line 50

def self.configure_exploit(exploit, vuln); end

.exploits ⇒ Object

Should be overridden to return the exploits to use for this vulnerability type as an Array of Strings.

# File 'lib/msf/core/auxiliary/web.rb', line 47

def self.exploits; end

Instance Method Details

#auditable ⇒ Object

Returns an Array of elements prepared to be audited.

# File 'lib/msf/core/auxiliary/web.rb', line 77

def auditable
  target.auditable.map do |element|
    element.fuzzer = self
    element
  end
end

#calculate_confidence(_vuln) ⇒ Object

Should be overridden and return an Integer (0-100) denoting the confidence in the accuracy of the logged vuln.

# File 'lib/msf/core/auxiliary/web.rb', line 144

def calculate_confidence(_vuln)
  100
end

#checked(id) ⇒ Object

String id to push to the #checklist

# File 'lib/msf/core/auxiliary/web.rb', line 26

def checked(id)
  parent.checklist << "#{shortname}#{id}".hash
end

#checked?(id) ⇒ Boolean

String id to check against the #checklist

Returns:

• (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 31

def checked?(id)
  parent.checklist.include? "#{shortname}#{id}".hash
end

#directory_exist?(path) ⇒ Boolean

Checks whether a directory exists based on a path String.

Returns:

• (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 92

def directory_exist?(path)
  dir = path.dup
  dir << '/' if !dir.end_with?('/')
  resource_exist?(dir)
end

#find_proof(response, _element) ⇒ Object

Serves as a default detection method for when performing taint analysis.

Uses the Regexp in #signature against the response body in order to identify vulnerabilities and return a String that proves it.

Override it if you need more complex processing, but remember to return the proof as a String.

response - Auxiliary::Web::HTTP::Response element - the submitted element

# File 'lib/msf/core/auxiliary/web.rb', line 129

def find_proof(response, _element)
  return if !signature

  m = response.body.match(signature).to_s
  return if !m || m.empty?

  m.gsub(/[\r\n]/, ' ')
end

#increment_request_counter ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 138

def increment_request_counter
  parent.increment_request_counter
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 21

def initialize(info = {})
  super
end

#log_directory_if_exists(path) ⇒ Object

Logs the existence of the directory in the path String.

# File 'lib/msf/core/auxiliary/web.rb', line 105

def log_directory_if_exists(path)
  dir = path.dup
  dir << '/' if !dir.end_with?('/')
  log_resource_if_exists(dir)
end

#log_fingerprint(opts = {}) ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 148

def log_fingerprint(opts = {})
  mode  = name
  vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].include?(vhash)

  location = opts[:location] ?
    page.url.merge(URI(opts[:location].to_s)) : page.url

  info = {
    web_site: target.site,
    path: location.path,
    query: location.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: opts[:fingerprint],
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }

  info[:confidence] = calculate_confidence(info)
  parent.vulns[mode][vhash] = info

  report_web_vuln(info)

  opts[:print_fingerprint] = true if !opts.include?(:print_fingerprint)

  print_good "	FOUND(#{mode}) URL(#{location})"
  print_good "		 PROOF(#{opts[:fingerprint]})" if opts[:print_fingerprint]
end

#log_resource(opts = {}) ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 186

def log_resource(opts = {})
  mode  = name
  vhash = [target.to_url, mode, opts[:location]]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].include?(vhash)

  location = URI(opts[:location].to_s)
  info = {
    web_site: target.site,
    path: location.path,
    query: location.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: opts[:location],
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }

  info[:confidence] = calculate_confidence(info)
  parent.vulns[mode][vhash] = info

  report_web_vuln(info)

  print_good "	VULNERABLE(#{mode}) URL(#{target.to_url})"
  print_good "		 PROOF(#{opts[:location]})"
end

#log_resource_if_exists(path) ⇒ Object Also known as: log_file_if_exists

Logs the existence of a resource in the path String.

# File 'lib/msf/core/auxiliary/web.rb', line 99

def log_resource_if_exists(path)
  log_resource(location: path) if resource_exist?(path)
end

#match_and_log_fingerprint(fingerprint, options = {}) ⇒ Object

Matches fingerprint pattern against the current page's body and logs matches

# File 'lib/msf/core/auxiliary/web.rb', line 112

def match_and_log_fingerprint(fingerprint, options = {})
  return if (match = page.body.to_s.match(fingerprint).to_s).empty?
  log_fingerprint(options.merge(fingerprint: match))
end

#payloads ⇒ Object

Should be overridden to return the payloads used for this vulnerability type as an Array of Strings.

# File 'lib/msf/core/auxiliary/web.rb', line 54

def payloads; end

#process_vulnerability(element, proof, opts = {}) ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 220

def process_vulnerability(element, proof, opts = {})
  mode  = name
  vhash = [target.to_url, mode, element.altered]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return parent.vulns[mode][vhash] if parent.vulns[mode][vhash]

  parent.vulns[mode][vhash] = {
    target: target,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    mode: mode,
    pname: element.altered,
    proof: proof.to_s,
    form: element.model,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description]
  }

  confidence = calculate_confidence(parent.vulns[mode][vhash])

  parent.vulns[mode][vhash][:confidence] = confidence

  if !(payload = opts[:payload])
    if payloads
      payload = payloads.select do |p|
        element.altered_value.include?(p)
      end.max_by(&:size)
    end
  end

  uri = URI(element.action)
  info = {
    web_site: element.model.web_site,
    path: uri.path,
    query: uri.query,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    pname: element.altered,
    proof: proof.to_s,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    confidence: confidence,
    payload: payload,
    owner: self
  }

  report_web_vuln(info)

  print_good "	VULNERABLE(#{mode}) URL(#{target.to_url})" \
             " PARAMETER(#{element.altered}) VALUES(#{element.params})"
  print_good "		 PROOF(#{proof})"
end

#resource_exist?(path) ⇒ Boolean Also known as: file_exist?

Checks whether a resource exists based on a path String.

Returns:

• (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 85

def resource_exist?(path)
  res = http.get(path)
  res.code.to_i == 200 && !http.custom_404?(path, res.body)
end

#run ⇒ Object

Default #run, will audit all elements using taint analysis and log results based on #find_proof return values.

# File 'lib/msf/core/auxiliary/web.rb', line 72

def run
  auditable.each(&:taint_analysis)
end

#setup(opts = {}) ⇒ Object

Called directly before 'run'

# File 'lib/msf/core/auxiliary/web.rb', line 38

def setup(opts = {})
  @parent = opts[:parent]
  @target = opts[:target]
  @page   = opts[:page]
  @http   = opts[:http]
end

#signature ⇒ Object

Should be overridden to return a pattern to be matched against response bodies in order to identify a vulnerability.

You can go one deeper and override #find_proof for more complex processing.

# File 'lib/msf/core/auxiliary/web.rb', line 66

def signature; end

#token ⇒ Object

# File 'lib/msf/core/auxiliary/web.rb', line 56

def token
  "xssmsfpro"
end