Module: Msf::Exploit::PgAdmin
Instance Attribute Summary
#client, #cookie_jar
Instance Method Summary
#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #sslkeylogfile, #strip_tags, #target_uri, #validate_fingerprint, #vhost
#configure_login_scanner
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Instance Method Details
#authenticate(username, password) ⇒ Object
# File 'lib/msf/core/exploit/pgadmin.rb', line 52
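# Log in to pgAdmin through its form-based login endpoint.
#
# Posts the credentials, together with the token from #csrf_token, to
# `authenticate/login` under the target path and keeps any cookies the
# server sets so later requests reuse the session.
#
# @param username [String] value sent as the `email` form field
# @param password [String] value sent as the `password` form field
# @return [Object] the response to the login POST; fail_with is called with
#   Failure::NoAccess when the login is not accepted
def authenticate(username, password)
  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
    'method' => 'POST',
    'keep_cookies' => true,
    'vars_post' => {
      'csrf_token' => csrf_token,
      'email' => username,
      'password' => password,
      'language' => 'en',
      'internal_button' => 'Login'
    }
  })

  # Success is a 302 whose Location is anything other than the login page.
  # The listing had lost the `headers` call from this chain (`res&.&.[]`),
  # so the Location header could never be read.
  # NOTE(review): a 302 with no Location header, or one that names the login
  # page as an absolute URL, also passes this comparison. Confirm against the
  # pgAdmin versions in scope before relying on the success message.
  login_path = normalize_uri(target_uri.path, 'login')
  unless res&.code == 302 && res&.headers&.[]('Location') != login_path
    fail_with(Msf::Exploit::Failure::NoAccess, 'Failed to authenticate to pgAdmin')
  end

  print_good('Successfully authenticated to pgAdmin')
  res
end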
#check_version(patched_version, low_bound = 0) ⇒ Object
#csrf_token ⇒ Object
# File 'lib/msf/core/exploit/pgadmin.rb', line 35
# Return the CSRF token for the current session, fetching it on first use.
#
# A token already stored in @csrf_token is returned without any request.
# Otherwise the login page is requested (cookies kept) and handed to
# set_csrf_token_from_login_page; if that leaves @csrf_token unset,
# fail_with is called with Failure::UnexpectedReply.
#
# @return [String] the cached or freshly extracted token
def csrf_token
  unless @csrf_token
    login_page = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login'),
      'keep_cookies' => true
    )
    set_csrf_token_from_login_page(login_page)

    unless @csrf_token
      fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Failed to obtain the CSRF token')
    end
  end

  @csrf_token
end
#get_version ⇒ Object
# File 'lib/msf/core/exploit/pgadmin.rb', line 13
# Read the pgAdmin version from the login page.
#
# Requests the login page, requires a 200 reply titled exactly 'pgAdmin 4',
# and takes the version from the first <link> whose href carries a
# `?ver=` query made of five or six digits (major, minor, patch). The same
# response is also passed to set_csrf_token_from_login_page.
#
# @return [Rex::Version, nil] the parsed version, or nil when the page is not
#   reachable, not recognised, or has no versioned link
def get_version
  login_page = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
  return if login_page.nil? || login_page.code != 200

  page = login_page.get_html_document
  return if page.xpath('//title').text != 'pgAdmin 4'

  # Hold the MatchData in a local rather than reading it back from the
  # last-match global after the search.
  build = nil
  page.xpath('//link').each do |link|
    build = /\?ver=(\d?\d)(\d\d)(\d\d)/.match(link['href'])
    break if build
  end
  return if build.nil?

  set_csrf_token_from_login_page(login_page)

  # to_i drops the zero padding of each two-digit field.
  major, minor, patch = build.captures.map(&:to_i)
  Rex::Version.new("#{major}.#{minor}.#{patch}")
end
#set_csrf_token_from_login_page(res) ⇒ Object
# File 'lib/msf/core/exploit/pgadmin.rb', line 44
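# Extract the CSRF token from a login-page response and store it in
# @csrf_token.
#
# Two page layouts are handled: a 200 reply whose body embeds
# `csrfToken": "<token>"`, and otherwise an <input id="csrf_token"> element
# whose `value` attribute holds the token. @csrf_token is left untouched
# when neither is found.
#
# @param res [Object, nil] response to the login-page request; the callers on
#   this page treat it as possibly nil (`res&.code`)
# @return [String, nil] the token that was stored, or nil when none was found
def set_csrf_token_from_login_page(res)
  # Without this guard a missing response reached `res.get_html_document` in
  # the fallback branch and raised NoMethodError, so the caller never got to
  # report its own "failed to obtain the CSRF token" error.
  return unless res

  if res.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/
    @csrf_token = Regexp.last_match(1)
  elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)
    @csrf_token = element['value']
  end
end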