Module: Msf::Exploit::Remote::HTTP::Splunk::Login

Included in:
Msf::Exploit::Remote::HTTP::Splunk
Defined in:
lib/msf/core/exploit/remote/http/splunk/login.rb

Overview

Module with Splunk login related methods

Instance Method Summary collapse

Instance Method Details

#splunk_default_credsArray?

Return the default credentials if found

Returns:

  • (Array, nil)

    username, password if found, nil otherwise



64
65
66
67
68
69
# File 'lib/msf/core/exploit/remote/http/splunk/login.rb', line 64

def splunk_default_creds
  p = %r{Splunk's default credentials are </p><p>username: <span>(.+)</span><br />password: <span>(.+)</span>}
  res = send_request_raw({ 'uri' => target_uri.path })
  user, pass = res.body.scan(p).flatten
  return [user, pass] if user && pass
end

#splunk_is_auth_required?Boolean

The free version of Splunk does not require authentication. Instead, it’ll log the user right in as ‘admin’. If that’s the case, no point to brute-force, either.

Returns:

  • (Boolean)

    true if auth is required, false otherwise



51
52
53
54
55
56
57
58
59
# File 'lib/msf/core/exploit/remote/http/splunk/login.rb', line 51

def splunk_is_auth_required?
  cookie = splunk_helper_extract_token
  res = send_request_raw({
    'uri' => splunk_home,
    'cookie' => cookie
  })

  !(res && res.body =~ /Logged in as (.+)/)
end

#splunk_login(username, password, timeout = 20) ⇒ String?

performs a splunk login

Parameters:

  • username (String)

    Username

  • password (String)

    Password

  • timeout (Integer) (defaults to: 20)

    The maximum number of seconds to wait before the request times out

Returns:

  • (String, nil)

    the session cookies as a single string on successful login, nil otherwise



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# File 'lib/msf/core/exploit/remote/http/splunk/login.rb', line 11

def (username, password, timeout = 20)
  # gets cval cookies
  cookie = splunk_helper_extract_token(timeout)
  if cookie.nil?
    vprint_error('Unable to extract login tokens')
    return nil
  end

  cval_value = cookie.match(/cval=([^;]*)/)[1]
  # login post, should get back the splunkd_port and splunkweb_csrf_token_port cookies
  res = send_request_cgi({
    'uri' => ,
    'method' => 'POST',
    'cookie' => cookie,
    'vars_post' =>
      {
        'username' => username,
        'password' => password,
        'cval' => cval_value
      }
  }, timeout)

  unless res
    vprint_error("FAILED LOGIN. '#{username}' : '#{password}' returned no response")
    return nil
  end

  unless res.code == 303 || (res.code == 200 && res.body.to_s.index('{"status":0}'))
    vprint_error("FAILED LOGIN. '#{username}' : '#{password}' with code #{res.code}")
    return nil
  end

  print_good("SUCCESSFUL LOGIN. '#{username}' : '#{password}'")
  return cookie << " #{res.get_cookies}"
end

#splunk_login_with_default_credsString?

Extract and test the default credentials, if found

Returns:

  • (String, nil)

    the session cookies as a single string on successful login, nil otherwise



74
75
76
77
# File 'lib/msf/core/exploit/remote/http/splunk/login.rb', line 74

def 
  user, pass = splunk_default_creds
  (user, pass) if user && pass
end