Class: Msf::Auxiliary::Web::HTTP

Inherits:

Object

• Object
• Msf::Auxiliary::Web::HTTP

Defined in:

lib/msf/core/auxiliary/web/http.rb

Defined Under Namespace

Classes: Request, Response

Instance Attribute Summary

• #domain ⇒ Object

  Returns the value of attribute domain.

• #framework ⇒ Object readonly

  Returns the value of attribute framework.

• #headers ⇒ Object readonly

  Returns the value of attribute headers.

• #opts ⇒ Object readonly

  Returns the value of attribute opts.

• #parent ⇒ Object readonly

  Returns the value of attribute parent.

• #password ⇒ Object

  Returns the value of attribute password.

• #redirect_limit ⇒ Object

  Returns the value of attribute redirect_limit.

• #username ⇒ Object

  Returns the value of attribute username.

Instance Method Summary

• #after_run { ... } ⇒ Array<Proc>

  Registers a callback to be executed after #run drains the request queue.

• #connect ⇒ Rex::Proto::Http::Client

  Creates a Rex HTTP client using the configured target and authentication defaults.

• #custom_404?(path, body) {|is_custom_404| ... } ⇒ nil

  Determines whether a response body matches the application’s custom 404 behavior.

• #get(url, opts = {}) ⇒ Response^?

  Sends a synchronous GET request.

• #get_async(url, opts = {}) {|response| ... } ⇒ Queue

  Enqueues a GET request.

• #if_not_custom_404(path, body) { ... } ⇒ void

  Yields only when the supplied response body does not appear to be a custom 404 page.

• #initialize(opts = {}) ⇒ HTTP constructor

  A new instance of HTTP.

• #post(url, opts = {}) ⇒ Response^?

  Sends a synchronous POST request.

• #post_async(url, opts = {}) {|response| ... } ⇒ Queue

  Enqueues a POST request.

• #request(url, opts = {}) ⇒ Response^?

  Sends an HTTP request and optionally follows redirect responses.

• #request_async(url, opts = {}) {|response| ... } ⇒ Queue

  Enqueues a request to be sent later by #run.

• #run ⇒ void

  Executes all queued asynchronous requests using the configured thread pool size.

Constructor Details

#initialize(opts = {}) ⇒ HTTP

Returns a new instance of HTTP.

Parameters:

• opts (Hash) (defaults to: {}) —

  Configuration for the HTTP helper.

Options Hash (opts):

• :framework (Object) —

  The active framework instance used for threading.

• :parent (Object) —

  The owning module used for error reporting.

• :headers (Hash) —

  Additional HTTP headers to send with every request.

• :cookie_string (String) —

  Cookie header value to set by default.

• :auth (Hash) —

  Default authentication options.

• :redirect_limit (Integer) —

  Maximum redirects to follow.

# File 'lib/msf/core/auxiliary/web/http.rb', line 106

def initialize( opts = {} )
  @opts = opts.dup

  @framework = opts[:framework]
  @parent    = opts[:parent]

  @headers = {
    'Accept' => '*/*',
    'Cookie' => opts[:cookie_string]
  }.merge( opts[:headers] || {} )

  @headers.delete( 'Cookie' ) if !@headers['Cookie']

  @request_opts = {}
  if opts[:auth].is_a? Hash
    @username = opts[:auth][:user].to_s
    @password = opts[:auth][:password].to_s
    @domain   = opts[:auth][:domain].to_s
  end

  self.redirect_limit = opts[:redirect_limit] || 20

  @queue = Queue.new

  @after_run_blocks = []
end

Instance Attribute Details

#domain ⇒ Object

Returns the value of attribute domain.

# File 'lib/msf/core/auxiliary/web/http.rb', line 97

def domain
  @domain
end

#framework ⇒ Object (readonly)

Returns the value of attribute framework.

# File 'lib/msf/core/auxiliary/web/http.rb', line 93

def framework
  @framework
end

#headers ⇒ Object (readonly)

Returns the value of attribute headers.

# File 'lib/msf/core/auxiliary/web/http.rb', line 92

def headers
  @headers
end

#opts ⇒ Object (readonly)

Returns the value of attribute opts.

# File 'lib/msf/core/auxiliary/web/http.rb', line 91

def opts
  @opts
end

#parent ⇒ Object (readonly)

Returns the value of attribute parent.

# File 'lib/msf/core/auxiliary/web/http.rb', line 94

def parent
  @parent
end

#password ⇒ Object

Returns the value of attribute password.

# File 'lib/msf/core/auxiliary/web/http.rb', line 97

def password
  @password
end

#redirect_limit ⇒ Object

Returns the value of attribute redirect_limit.

# File 'lib/msf/core/auxiliary/web/http.rb', line 96

def redirect_limit
  @redirect_limit
end

#username ⇒ Object

Returns the value of attribute username.

# File 'lib/msf/core/auxiliary/web/http.rb', line 97

def username
  @username
end

Instance Method Details

#after_run { ... } ⇒ Array<Proc>

Registers a callback to be executed after #run drains the request queue.

Yields:

• A block to run after all queued requests finish.

Returns:

• (Array<Proc>) —

  The accumulated after-run callbacks.

# File 'lib/msf/core/auxiliary/web/http.rb', line 137

def after_run( &block )
  @after_run_blocks << block
end

#connect ⇒ Rex::Proto::Http::Client

Creates a Rex HTTP client using the configured target and authentication defaults.

Returns:

• (Rex::Proto::Http::Client) —

  A configured HTTP client.

# File 'lib/msf/core/auxiliary/web/http.rb', line 144

def connect
  c = Rex::Proto::Http::Client.new(
    opts[:target].host,
    opts[:target].port,
    {},
    opts[:target].ssl,
    'Auto',
    nil,
    username,
    password,
    subscriber: opts[:http_subscriber]
  )

  c.set_config({
    'vhost' => opts[:target].vhost,
    'ssl_server_name_indication' => opts[:target].ssl_server_name_indication || opts[:target].vhost,
    'agent' => opts[:user_agent] || Rex::UserAgent.session_agent,
    'domain' => domain
  })
  c
end

#custom_404?(path, body) {|is_custom_404| ... } ⇒ nil

Determines whether a response body matches the application’s custom 404 behavior.

The helper probes several random paths, refines their dynamic content, and compares the result to the supplied response body.

Parameters:

• path (String) —

  The original request path.

• body (String) —

  The response body to classify.

Yield Parameters:

• is_custom_404 (Boolean) —

  True when the body matches the custom 404 fingerprint.

Returns:

• (nil) —

  Returns nil immediately and reports the result via the callback.

# File 'lib/msf/core/auxiliary/web/http.rb', line 283

def custom_404?( path, body, &callback )
  return if !path || !body

  precision = 2

  trv_back = File.dirname( path )
  trv_back << '/' if trv_back[-1,1] != '/'

  # 404 probes
  generators = [
    # get a random path with an extension
    proc{ path + Rex::Text.rand_text_alpha( 10 ) + '.' + Rex::Text.rand_text_alpha( 10 )[0..precision] },

    # get a random path without an extension
    proc{ path + Rex::Text.rand_text_alpha( 10 ) },

    # move up a dir and get a random file
    proc{ trv_back + Rex::Text.rand_text_alpha( 10 ) },

    # move up a dir and get a random file with an extension
    proc{ trv_back + Rex::Text.rand_text_alpha( 10 ) + '.' + Rex::Text.rand_text_alpha( 10 )[0..precision] },

    # get a random directory
    proc{ path + Rex::Text.rand_text_alpha( 10 ) + '/' }
  ]

  synchronize do
    @@_404 ||= {}
    @@_404[path] ||= []

    @@_404_gathered ||= Set.new

    gathered = 0
    if !@@_404_gathered.include?( path.hash )
      generators.each.with_index do |generator, i|
        @@_404[path][i] ||= {}

        precision.times {
          get_async( generator.call, :follow_redirect => true ) do |res|
            gathered += 1

            if gathered == generators.size * precision
              @@_404_gathered << path.hash
              callback.call is_404?( path, body )
            else
              @@_404[path][i]['rdiff_now'] ||= false

              if !@@_404[path][i]['body']
                @@_404[path][i]['body'] = res.body
              else
                @@_404[path][i]['rdiff_now'] = true
              end

              if @@_404[path][i]['rdiff_now'] && !@@_404[path][i]['rdiff']
                @@_404[path][i]['rdiff'] = Rex::Text.refine( @@_404[path][i]['body'], res.body )
              end
            end
          end
        }
      end
    else
      callback.call is_404?( path, body )
    end
  end

  nil
end

#get(url, opts = {}) ⇒ Response^?

Sends a synchronous GET request.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Additional request options.

Returns:

• (Response, nil) —

  The received response.

# File 'lib/msf/core/auxiliary/web/http.rb', line 251

def get( url, opts = {} )
  request( url, opts.merge( :method => :get ) )
end

#get_async(url, opts = {}) {|response| ... } ⇒ Queue

Enqueues a GET request.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Additional request options.

Yields:

• (response) —

  Processes the response after execution.

Returns:

• (Queue) —

  The internal request queue.

# File 'lib/msf/core/auxiliary/web/http.rb', line 232

def get_async( url, opts = {}, &callback )
  request_async( url, opts.merge( :method => :get ), &callback )
end

#if_not_custom_404(path, body) { ... } ⇒ void

This method returns an undefined value.

Yields only when the supplied response body does not appear to be a custom 404 page.

Parameters:

• path (String) —

  The original request path.

• body (String) —

  The response body to compare.

Yields:

• Runs when the body is not identified as a custom 404.

# File 'lib/msf/core/auxiliary/web/http.rb', line 270

def if_not_custom_404( path, body, &callback )
  custom_404?( path, body ) { |b| callback.call if !b }
end

#post(url, opts = {}) ⇒ Response^?

Sends a synchronous POST request.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Additional request options.

Returns:

• (Response, nil) —

  The received response.

# File 'lib/msf/core/auxiliary/web/http.rb', line 260

def post( url, opts = {} )
  request( url, opts.merge( :method => :post ) )
end

#post_async(url, opts = {}) {|response| ... } ⇒ Queue

Enqueues a POST request.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Additional request options.

Yields:

• (response) —

  Processes the response after execution.

Returns:

• (Queue) —

  The internal request queue.

# File 'lib/msf/core/auxiliary/web/http.rb', line 242

def post_async( url, opts = {}, &callback )
  request_async( url, opts.merge( :method => :post ), &callback )
end

#request(url, opts = {}) ⇒ Response^?

Sends an HTTP request and optionally follows redirect responses.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Request options forwarded to #_request.

Options Hash (opts):

• :follow_redirect (Boolean) —

  Whether to follow Location headers.

Returns:

• (Response, nil) —

  The final response, or nil when the redirect limit is exceeded.

# File 'lib/msf/core/auxiliary/web/http.rb', line 204

def request( url, opts = {} )
  rlimit = self.redirect_limit

  while rlimit >= 0
    rlimit -= 1
    res = _request( url, opts )
    return res if !opts[:follow_redirect] || !url = res.headers['location']
  end
  nil
end

#request_async(url, opts = {}) {|response| ... } ⇒ Queue

Enqueues a request to be sent later by #run.

Parameters:

• url (String, URI) —

  The URL to request.

• opts (Hash) (defaults to: {}) —

  Request options.

Yields:

• (response) —

  Processes the response after execution.

Yield Parameters:

• response (Response) —

  The completed response.

Returns:

• (Queue) —

  The internal request queue.

# File 'lib/msf/core/auxiliary/web/http.rb', line 222

def request_async( url, opts = {}, &callback )
  queue Request.new( url, opts, &callback )
end

#run ⇒ void

This method returns an undefined value.

Executes all queued asynchronous requests using the configured thread pool size.

Callback exceptions are reported through the parent module and isolated from the rest of the queue processing.

# File 'lib/msf/core/auxiliary/web/http.rb', line 172

def run
  return if @queue.empty?

  tl = []
  loop do
    while tl.size <= (opts[:max_threads] || 5) && !@queue.empty? && (req = @queue.pop)
      tl << framework.threads.spawn( "#{self.class.name} - #{req})", false, req ) do |request|
        # Keep callback failures isolated.
        begin
          request.handle_response request( request.url, request.opts )
        rescue => e
          print_error e.to_s
          e.backtrace.each { |l| print_error l }
        end
      end
    end

    break if tl.empty?
    tl.reject! { |t| !t.alive? }

    select( nil, nil, nil, 0.05 )
  end

  call_after_run_blocks
end