Module: Msf::Exploit::Remote::HttpClient
- Includes:
- Auxiliary::LoginScanner, Auxiliary::Report, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage
- Included in:
- Metasploit::Framework::Aws::Client, Auxiliary::CNPILOT, Auxiliary::EPMP, Cacti, Git::SmartHttp, PgAdmin, Msf::Exploit::Remote::HTTP::AcronisCyber, Msf::Exploit::Remote::HTTP::Drupal, Msf::Exploit::Remote::HTTP::Exchange, Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell, Msf::Exploit::Remote::HTTP::Gitea, Msf::Exploit::Remote::HTTP::Gitlab, Msf::Exploit::Remote::HTTP::JBoss, Msf::Exploit::Remote::HTTP::Joomla, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::Login, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::TargetInfo, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::URIs, Msf::Exploit::Remote::HTTP::Moodle, Msf::Exploit::Remote::HTTP::NagiosXi, Msf::Exploit::Remote::HTTP::Nifi, Msf::Exploit::Remote::HTTP::Nifi::Auth, Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool, Msf::Exploit::Remote::HTTP::Nifi::Processor, Msf::Exploit::Remote::HTTP::Pihole, Msf::Exploit::Remote::HTTP::Pretalx, Msf::Exploit::Remote::HTTP::SCCM, Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth, Msf::Exploit::Remote::HTTP::Sharepoint, Msf::Exploit::Remote::HTTP::Spip, Msf::Exploit::Remote::HTTP::Splunk, Msf::Exploit::Remote::HTTP::Typo3, Msf::Exploit::Remote::HTTP::Webmin, Msf::Exploit::Remote::HTTP::Wordpress, MSSQL_SQLI, VIMSoap, Web, WinRM
- Defined in:
- lib/msf/core/exploit/remote/http_client.rb
Overview
This module provides methods for acting as an HTTP client when exploiting an HTTP server.
Instance Attribute Summary collapse
-
#client ⇒ Object
protected
Returns the value of attribute client.
-
#cookie_jar ⇒ Object
readonly
Returns the value of attribute cookie_jar.
Instance Method Summary collapse
-
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client.
-
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
-
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class.
-
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
-
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
- #deregister_http_client_options ⇒ Object
-
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client.
-
#download(url) ⇒ Object
Downloads a URL.
-
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host.
-
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
-
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request.
-
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
-
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port.
-
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that: 1.
-
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error.
-
#peer ⇒ Object
Returns the Host and Port as a string.
-
#proxies ⇒ Object
Returns the configured proxy list.
-
#reconfig_redirect_opts!(res, opts) ⇒ void
Modifies the HTTP request options for a redirection.
-
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string.
-
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call.
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
-
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
-
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
- #service_details ⇒ Object
-
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_version ⇒ Object
Returns the string indicating SSL version.
-
#sslkeylogfile ⇒ String
Returns the SSL key log file path.
-
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string.
-
#target_uri ⇒ Object
Returns the target URI.
-
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against.
-
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
Methods included from Kerberos::ServiceAuthenticator::Options
Methods included from Kerberos::Ticket::Storage
#kerberos_storage_options, #kerberos_ticket_storage, store_ccache
Methods included from Auxiliary::LoginScanner
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Instance Attribute Details
#client ⇒ Object (protected)
Returns the value of attribute client.
990 991 992 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 990 def client @client end |
#cookie_jar ⇒ Object
Returns the value of attribute cookie_jar.
987 988 989 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 987 def @cookie_jar end |
Instance Method Details
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client
560 561 562 563 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 560 def basic_auth(username, password) auth_str = Rex::Text.encode_base64("#{username}:#{password}") "Basic #{auth_str}" end |
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
383 384 385 386 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 383 def cleanup super disconnect end |
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class. Any parameters passed into this method will override the defaults.
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 305 def configure_http_login_scanner(conf) configure_login_scanner( { vhost: vhost, user_agent: datastore['UserAgent'], evade_uri_encode_mode: datastore['HTTP::uri_encode_mode'], evade_uri_full_url: datastore['HTTP::uri_full_url'], evade_pad_method_uri_count: datastore['HTTP::pad_method_uri_count'], evade_pad_uri_version_count: datastore['HTTP::pad_uri_version_count'], evade_pad_method_uri_type: datastore['HTTP::pad_method_uri_type'], evade_pad_uri_version_type: datastore['HTTP::pad_uri_version_type'], evade_method_random_valid: datastore['HTTP::method_random_valid'], evade_method_random_invalid: datastore['HTTP::method_random_invalid'], evade_method_random_case: datastore['HTTP::method_random_case'], evade_version_random_valid: datastore['HTTP::version_random_valid'], evade_version_random_invalid: datastore['HTTP::version_random_invalid'], evade_uri_dir_self_reference: datastore['HTTP::uri_dir_self_reference'], evade_uri_dir_fake_relative: datastore['HTTP::uri_dir_fake_relative'], evade_uri_use_backslashes: datastore['HTTP::uri_use_backslashes'], evade_pad_fake_headers: datastore['HTTP::pad_fake_headers'], evade_pad_fake_headers_count: datastore['HTTP::pad_fake_headers_count'], evade_pad_get_params: datastore['HTTP::pad_get_params'], evade_pad_get_params_count: datastore['HTTP::pad_get_params_count'], evade_pad_post_params: datastore['HTTP::pad_post_params'], evade_pad_post_params_count: datastore['HTTP::pad_post_params_count'], evade_shuffle_get_params: datastore['HTTP::shuffle_get_params'], evade_shuffle_post_params: datastore['HTTP::shuffle_post_params'], evade_uri_fake_end: datastore['HTTP::uri_fake_end'], evade_uri_fake_params_start: datastore['HTTP::uri_fake_params_start'], evade_header_folding: datastore['HTTP::header_folding'], ntlm_domain: datastore['DOMAIN'], digest_auth_iis: datastore['DigestAuthIIS'], }.merge(conf) ) end |
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 149 def connect(opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl end client_username = opts['username'] || datastore['HttpUsername'] || '' client_password = opts['password'] || datastore['HttpPassword'] || '' http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self) kerberos_authenticator = nil if datastore['HTTP::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS fail_with(Msf::Exploit::Failure::BadConfig, 'The HTTP::Rhostname option is required when using Kerberos authentication.') if datastore['HTTP::Rhostname'].blank? fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank? offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes']) fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty? kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new( host: datastore['DomainControllerRhost'], hostname: datastore['HTTP::Rhostname'], proxies: datastore['Proxies'], realm: datastore['DOMAIN'], username: datastore['HttpUsername'], password: datastore['HttpPassword'], framework: framework, framework_module: self, cache_file: datastore['HTTP::Krb5Ccname'].blank? ? nil : datastore['HTTP::Krb5Ccname'], mutual_auth: true, use_gss_checksum: true, ticket_storage: kerberos_ticket_storage, offered_etypes: offered_etypes ) end nclient = Rex::Proto::Http::Client.new( opts['rhost'] || rhost, (opts['rport'] || rport).to_i, { 'Msf' => framework, 'MsfExploit' => self, }, dossl, ssl_version, proxies, client_username, client_password, kerberos_authenticator: kerberos_authenticator, comm: opts['comm'], subscriber: http_logger_subscriber, sslkeylogfile: sslkeylogfile ) # Configure the HTTP client with the supplied parameter vhost = opts['vhost'] || opts['rhost'] || self.vhost nclient.set_config( 'vhost' => vhost, 'ssl_server_name_indication' => datastore['SSLServerNameIndication'] || vhost, 'agent' => datastore['UserAgent'], 'partial' => opts['partial'], 'uri_encode_mode' => datastore['HTTP::uri_encode_mode'], 'uri_full_url' => datastore['HTTP::uri_full_url'], 'pad_method_uri_count' => datastore['HTTP::pad_method_uri_count'], 'pad_uri_version_count' => datastore['HTTP::pad_uri_version_count'], 'pad_method_uri_type' => datastore['HTTP::pad_method_uri_type'], 'pad_uri_version_type' => datastore['HTTP::pad_uri_version_type'], 'method_random_valid' => datastore['HTTP::method_random_valid'], 'method_random_invalid' => datastore['HTTP::method_random_invalid'], 'method_random_case' => datastore['HTTP::method_random_case'], 'version_random_valid' => datastore['HTTP::version_random_valid'], 'version_random_invalid' => datastore['HTTP::version_random_invalid'], 'uri_dir_self_reference' => datastore['HTTP::uri_dir_self_reference'], 'uri_dir_fake_relative' => datastore['HTTP::uri_dir_fake_relative'], 'uri_use_backslashes' => datastore['HTTP::uri_use_backslashes'], 'pad_fake_headers' => datastore['HTTP::pad_fake_headers'], 'pad_fake_headers_count' => datastore['HTTP::pad_fake_headers_count'], 'pad_get_params' => datastore['HTTP::pad_get_params'], 'pad_get_params_count' => datastore['HTTP::pad_get_params_count'], 'pad_post_params' => datastore['HTTP::pad_post_params'], 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'shuffle_get_params' => datastore['HTTP::shuffle_get_params'], 'shuffle_post_params' => datastore['HTTP::shuffle_post_params'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], 'header_folding' => datastore['HTTP::header_folding'], 'domain' => datastore['DOMAIN'], 'DigestAuthIIS' => datastore['DigestAuthIIS'] ) # NOTE: Please use opts['headers'] to programmatically set headers if datastore['HttpRawHeaders'] && File.readable?(datastore['HttpRawHeaders']) # Templatize with ERB headers = ERB.new(File.read(datastore['HttpRawHeaders'])).result(binding) # Append templatized headers to existing headers nclient.set_config('raw_headers' => headers) end # If this connection is global, persist it # Required for findsock on these sockets if (opts['global']) if (self.client) disconnect end end self.client = nclient return nclient end |
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 268 def connect_ws(opts={}, timeout = 20) # As per the spec (RFC6455 Section 11.3.1), a Sec-WebSocket-Key is a 16 byte value that has been Base64 encoded. ws_key = Rex::Text.encode_base64(SecureRandom.bytes(16)) opts['headers'] = opts.fetch('headers', {}).merge({ 'Connection' => 'Upgrade', 'Upgrade' => 'WebSocket', 'Sec-WebSocket-Version' => 13, 'Sec-WebSocket-Key' => ws_key }) if (http_client = opts['client']).nil? opts['client'] = http_client = connect(opts) raise Rex::Proto::Http::WebSocket::ConnectionError.new if http_client.nil? end res = send_request_raw(opts, timeout, false) unless res&.code == 101 disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(http_response: res) end # see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept accept_ws_key = Rex::Text.encode_base64(OpenSSL::Digest::SHA1.digest(ws_key + '258EAFA5-E914-47DA-95CA-C5AB0DC85B11')) unless res.headers['Sec-WebSocket-Accept'] == accept_ws_key disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(msg: 'Invalid Sec-WebSocket-Accept header', http_response: res) end socket = http_client.conn socket.extend(Rex::Proto::Http::WebSocket::Interface) end |
#deregister_http_client_options ⇒ Object
102 103 104 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 102 def ('RHOST', 'RPORT', 'VHOST', 'SSL', 'SSLServerNameIndication', 'Proxies') end |
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client
365 366 367 368 369 370 371 372 373 374 375 376 377 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 365 def disconnect(nclient = self.client) if (nclient) nclient.close end if (nclient == self.client) if self.client.respond_to?(:close) self.client.close end self.client = nil end end |
#download(url) ⇒ Object
Downloads a URL
678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 678 def download(url) print_status "Downloading '#{url}'" begin target = URI.parse url raise 'Invalid URL' unless target.scheme =~ /https?/ raise 'Invalid URL' if target.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end res = request_url(url) unless res print_error 'Connection failed' return nil end print_status "- HTTP #{res.code} - #{res.body.length} bytes" res.code == 200 ? res.body : nil end |
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host
587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 587 def full_uri(custom_uri = nil, vhost_uri: false) uri_scheme = ssl ? 'https' : 'http' if (rport == 80 && !ssl) || (rport == 443 && ssl) uri_port = '' else uri_port = ":#{rport}" end uri = normalize_uri(custom_uri || target_uri.to_s) if vhost_uri && datastore['VHOST'] uri_host = datastore['VHOST'] elsif Rex::Socket.is_ipv6?(rhost) uri_host = "[#{rhost}]" else uri_host = rhost end "#{uri_scheme}://#{uri_host}#{uri_port}#{uri}" end |
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 345 def handler(nsock = nil) # If no socket was provided, try the global one. if ((!nsock) and (self.client)) nsock = self.client.conn end # If the parent claims the socket associated with the HTTP client, then # we rip the socket out from under the HTTP client. if (((rv = super(nsock)) == Handler::Claimed) and (self.client) and (nsock == self.client.conn)) self.client.conn = nil end rv end |
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request. If this method is passed a response, it will use it directly, otherwise it will check the database for a previous fingerprint. Failing that, it will make a request for /.
Other options are passed directly to #connect if :response is not given
823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 823 def http_fingerprint(opts={}) res = nil uri = opts[:uri] || '/' method = opts[:method] || 'GET' # Short-circuit the fingerprint lookup and HTTP request if a response has # already been provided by the caller. if opts[:response] res = opts[:response] else fprints = lookup_http_fingerprints(opts) if fprints.length > 0 # Grab the most recent fingerprint available for this service, uri, and method fprint = fprints.last # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility return fprint[:signature] end # Go ahead and send a request to the target for fingerprinting connect(opts) res = send_request_raw( { 'uri' => uri, 'method' => method }) rescue nil end # Bail if the request did not receive a readable response return if not res # This section handles a few simple cases of pattern matching and service # classification. This logic should be deprecated in favor of Recog-based # fingerprint databases, but has been left in place for backward compat. extras = [] if res.headers['Set-Cookie'] =~ /^vmware_soap_session/ extras << "VMWare Web Services" end if (res.headers['X-Powered-By']) extras << "Powered by " + res.headers['X-Powered-By'] end if (res.headers['Via']) extras << "Via-" + res.headers['Via'] end if (res.headers['X-AspNet-Version']) extras << "AspNet-Version-" + res.headers['X-AspNet-Version'] end case res.body when nil # Nothing when /openAboutWindow.*\>DD\-WRT ([^\<]+)\<|Authorization.*please note that the default username is \"root\" in/ extras << "DD-WRT #{$1.to_s.strip}".strip when /ID_ESX_Welcome/, /ID_ESX_VIClientDesc/ extras << "VMware ESX Server" when /Test Page for.*Fedora/ extras << "Fedora Default Page" when /Placeholder page/ extras << "Debian Default Page" when /Welcome to Windows Small Business Server (\d+)/ extras << "Windows SBS #{$1}" when /Asterisk@Home/ extras << "Asterisk" when /swfs\/Shell\.html/ extras << "BPS-1000" end if datastore['RPORT'].to_i == 3790 if res.code == 302 and res.headers and res.headers['Location'] =~ /[\x5c\x2f](login|setup)$/n if res['Server'] =~ /^(thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+)$/n extras << "Metasploit" end end end # # This HTTP response code tracking is used by a few modules and the MSP logic # to identify and bruteforce certain types of servers. In the long run we # should deprecate this and use the http.fingerprint fields instead. # case res.code when 301,302 extras << "#{res.code}-#{res.headers['Location']}" when 401 extras << "#{res.code}-#{res.headers['WWW-Authenticate']}" when 403 extras << "#{res.code}-#{res.headers['WWW-Authenticate']||res.}" when 500 .. 599 extras << "#{res.code}-#{res.}" end # Build a human-readable string to store in service.info and http.fingerprint[:signature] info = res.headers['Server'].to_s.dup info << " ( #{extras.join(", ")} )" if extras.length > 0 # Create a new fingerprint structure to track this response fprint = { :uri => uri, :method => method, :server_port => rport, :code => res.code.to_s, :message => res..to_s, :signature => info } res.headers.each_pair do |k,v| hname = k.to_s.downcase.tr('-', '_').gsub(/[^a-z0-9_]+/, '') next unless hname.length > 0 # Set-Cookie > :header_set_cookie => JSESSIONID=AAASD23423452 # Server > :header_server => Apache/1.3.37 # WWW-Authenticate > :header_www_authenticate => basic realm='www' fprint["header_#{hname}".intern] = v end # Store the first 64k of the HTTP body as well fprint[:content] = res.body.to_s[0,65535] # Report a new http.fingerprint note report_note( :host => rhost, :port => rport, :proto => 'tcp', :ntype => 'http.fingerprint', :data => fprint, # Limit reporting to one stored note per host/service combination :update => :unique ) # Report here even if info is empty since the fact that we didn't # return early means we at least got a connection and the service is up report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup) # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility fprint[:signature] end |
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 25 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), Opt::Proxies ], self.class ) ( [ *(protocol: 'HTTP'), *(protocol: 'HTTP', auth_methods: Msf::Exploit::Remote::AuthOption::HTTP_OPTIONS), OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::UserAgent.session_agent ]), OptString.new('HttpUsername', [false, 'The HTTP username to specify for authentication', '']), OptString.new('HttpPassword', [false, 'The HTTP password to specify for authentication', '']), OptPath.new('HttpRawHeaders', [false, 'Path to ERB-templatized raw headers to append to existing headers']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), Opt::SSLVersion, OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]), OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']), OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']), OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]), OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]), OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu']), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), OptString.new('SSLKeyLogFile', [ false, 'The SSL key log file', ENV['SSLKeyLogFile']]), ], self.class ) ( [ OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]), OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]), OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]), OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]), OptEnum.new('HTTP::pad_method_uri_type', [false, 'What type of whitespace to use between the method and uri', 'space', ['space', 'tab', 'apache']]), OptEnum.new('HTTP::pad_uri_version_type', [false, 'What type of whitespace to use between the uri and version', 'space', ['space', 'tab', 'apache']]), OptBool.new('HTTP::method_random_valid', [false, 'Use a random, but valid, HTTP method for request', false]), OptBool.new('HTTP::method_random_invalid', [false, 'Use a random invalid, HTTP method for request', false]), OptBool.new('HTTP::method_random_case', [false, 'Use random casing for the HTTP method', false]), OptBool.new('HTTP::version_random_valid', [false, 'Use a random, but valid, HTTP version for request', false]), OptBool.new('HTTP::version_random_invalid', [false, 'Use a random invalid, HTTP version for request', false]), OptBool.new('HTTP::uri_dir_self_reference', [false, 'Insert self-referential directories into the uri', false]), OptBool.new('HTTP::uri_dir_fake_relative', [false, 'Insert fake relative directories into the uri', false]), OptBool.new('HTTP::uri_use_backslashes', [false, 'Use back slashes instead of forward slashes in the uri ', false]), OptBool.new('HTTP::pad_fake_headers', [false, 'Insert random, fake headers into the HTTP request', false]), OptInt.new('HTTP::pad_fake_headers_count', [false, 'How many fake headers to insert into the HTTP request', 0]), OptBool.new('HTTP::pad_get_params', [false, 'Insert random, fake query string variables into the request', false]), OptInt.new('HTTP::pad_get_params_count', [false, 'How many fake query string variables to insert into the request', 16]), OptBool.new('HTTP::pad_post_params', [false, 'Insert random, fake post variables into the request', false]), OptInt.new('HTTP::pad_post_params_count', [false, 'How many fake post variables to insert into the request', 16]), OptBool.new('HTTP::shuffle_get_params', [false, 'Randomize order of GET parameters', false]), OptBool.new('HTTP::shuffle_post_params', [false, 'Randomize order of POST parameters', false]), OptBool.new('HTTP::uri_fake_end', [false, 'Add a fake end of URI (eg: /%20HTTP/1.0/../../)', false]), OptBool.new('HTTP::uri_fake_params_start', [false, 'Add a fake start of params to the URI (eg: /%3fa=b/../)', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]) # # Remaining evasions to implement # # OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]), # OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]), ], self.class ) register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ]) register_autofilter_services(%W{ http https }) # Initialize an empty cookie jar to keep cookies self. = Msf::Exploit::Remote::HTTP::HttpCookieJar.new end |
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port. This method falls back to using the old service.info field to represent the HTTP Server header.
775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 775 def lookup_http_fingerprints(opts={}) uri = opts[:uri] || '/' method = opts[:method] || 'GET' fprints = [] return fprints unless framework.db.active ::ApplicationRecord.connection_pool.with_connection { wspace = datastore['WORKSPACE'] ? framework.db.find_workspace(datastore['WORKSPACE']) : framework.db.workspace # only one result can be returned, as the +port+ field restricts potential results to a single service service = framework.db.services(:workspace => wspace, :hosts => {address: rhost}, :proto => 'tcp', :port => rport).first return fprints unless service # Order by note_id descending so the first value is the most recent service.notes.where(:ntype => 'http.fingerprint').order("notes.id DESC").each do |n| next unless n.data && n.data.kind_of?(::Hash) next unless n.data[:uri] == uri && n.data[:method] == method # Append additional fingerprints to the results as found fprints.unshift n.data.dup end } fprints end |
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that:
-
Always has a starting slash
-
Removes all the double slashes
614 615 616 617 618 619 620 621 622 623 624 625 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 614 def normalize_uri(*strs) new_str = strs * "/" new_str = new_str.gsub!("//", "/") while new_str.index("//") # Makes sure there's a starting slash unless new_str[0,1] == '/' new_str = '/' + new_str end new_str end |
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error
628 629 630 631 632 633 634 635 636 637 638 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 628 def path_from_uri(uri) begin temp = URI(uri) ret_uri = temp.path ret_uri << "?#{temp.query}" unless temp.query.nil? or temp.query.empty? return ret_uri rescue URI::Error print_error "Invalid URI: #{uri}" return nil end end |
#peer ⇒ Object
Returns the Host and Port as a string
726 727 728 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 726 def peer "#{rhost}:#{rport}" end |
#proxies ⇒ Object
Returns the configured proxy list
762 763 764 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 762 def proxies datastore['Proxies'] end |
#reconfig_redirect_opts!(res, opts) ⇒ void
This method returns an undefined value.
Modifies the HTTP request options for a redirection.
503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 503 def reconfig_redirect_opts!(res, opts) # XXX: https://github.com/rapid7/metasploit-framework/issues/12281 if opts['method'] == 'POST' opts['method'] = 'GET' opts['data'] = nil opts['vars_post'] = {} end location = res.redirection if location.relative? if location.path.start_with?('/') # path starting with /, not relative to the current path, but starts from the root opts['redirect_uri'] = location.path opts['uri'] = location.path else parent_path = File.dirname(opts['uri'].to_s) parent_path = '/' if parent_path == '.' new_redirect_uri = normalize_uri(parent_path, location.path.gsub(/^\./, '')) opts['redirect_uri'] = new_redirect_uri opts['uri'] = new_redirect_uri end opts['rhost'] = datastore['RHOST'] opts['vhost'] = opts['vhost'] || self.vhost() || opts['rhost'] opts['ssl_server_name_indication'] = datastore['SSLServerNameIndication'] || opts['vhost'] opts['rport'] = datastore['RPORT'] opts['SSL'] = ssl else disconnect opts['redirect_uri'] = location opts['uri'] = location.path opts['rhost'] = location.host opts['vhost'] = location.host opts['ssl_server_name_indication'] = opts['vhost'] opts['rport'] = location.port if location.scheme == 'https' opts['SSL'] = true else opts['SSL'] = false end end # Don't forget any GET parameters if location.query opts['query'] = location.query else opts['query'] = '' end end |
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string
642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 642 def request_opts_from_url(url) # verify and extract components from the URL begin tgt = URI.parse(url) raise 'Invalid URL' unless tgt.scheme =~ %r{https?} raise 'Invalid URL' if tgt.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end opts = { 'rhost' => tgt.host, 'rport' => tgt.port, 'uri' => tgt.request_uri } opts['SSL'] = true if tgt.scheme == 'https' if tgt.query and tgt.query.size > 13 # Assming that this is going to be mostly used for GET requests as string -> req opts['vars_get'] = {} tgt.query.split('&').each do |pair| k,v = pair.split('=',2) opts['vars_get'][k] = v end end return opts end |
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call
668 669 670 671 672 673 674 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 668 def request_url(url, keepalive = false) opts = request_opts_from_url(url) return nil if opts.nil? res = send_request_raw(opts) disconnect unless keepalive return res end |
#rhost ⇒ Object
Returns the target host
712 713 714 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 712 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
719 720 721 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 719 def rport datastore['RPORT'] end |
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response
If a Msf::Exploit::Remote::HTTP::HttpCookieJar
instance is passed in the opts
dict under a ‘cookie’ key, said CookieJar will be used in the request instead of the module cookie_jar
. Any other object passed under the ‘cookie` key will be converted to a string using to_s
and set as the cookie header of the request.
Passes ‘opts` through directly to Rex::Proto::Http::Client#request_cgi. Set `opts` to keep cookies from responses for reuse in requests. Cookies returned by the server will be stored in cookie_jar
Set ‘opts` to false in order to disable automatic removal of expired cookies
456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 456 def send_request_cgi(opts = {}, timeout = 20, disconnect = true) if opts.has_key?('cookie') if opts['cookie'].is_a?(Msf::Exploit::Remote::HTTP::HttpCookieJar) opts.merge({ 'cookie' => opts['cookie']..join('; ') }) else opts.merge({ 'cookie' => opts['cookie'].to_s }) end elsif !.empty? .cleanup unless opts['expire_cookies'] == false opts = opts.merge({ 'cookie' => ..join('; ') }) end res = send_request_raw(opts.merge('cgi' => true), timeout, disconnect) return unless res if opts['keep_cookies'] && res.headers['Set-Cookie'].present? .parse_and_merge(res.headers['Set-Cookie'], "http#{ssl ? 's' : ''}://#{vhost}:#{rport}") end res end |
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
'opts` will be updated to the updated location and `opts` will contain the full URI.
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
486 487 488 489 490 491 492 493 494 495 496 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 486 def send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) res = send_request_cgi(opts, timeout) return unless res return res unless res.redirect? && res.redirection && redirect_depth > 0 redirect_depth -= 1 reconfig_redirect_opts!(res, opts) send_request_cgi!(opts, timeout, redirect_depth) end |
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
In certain cases such as when the response is a 401 and the client is configured for authentication, more than one request may be sent to the server. A degree of control over disconnecting the client’s underlying socket can be obtained by toggling the disconnect option.
Passes opts
through directly to Rex::Proto::Http::Client#request_raw.
400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 400 def send_request_raw(opts = {}, timeout = 20, disconnect = false) if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 actual_timeout = datastore['HttpClientTimeout'] else actual_timeout = opts[:timeout] || timeout end unless opts.key?('preferred_auth') case datastore['HTTP::Auth'] when Msf::Exploit::Remote::AuthOption::AUTO opts['preferred_auth'] = nil when Msf::Exploit::Remote::AuthOption::KERBEROS opts['preferred_auth'] = 'Kerberos' when Msf::Exploit::Remote::AuthOption::NTLM opts['preferred_auth'] = 'NTLM' when Msf::Exploit::Remote::AuthOption::PLAINTEXT # Basic auth might as well be plaintext right? opts['preferred_auth'] = 'Basic' when Msf::Exploit::Remote::AuthOption::NONE opts['preferred_auth'] = 'None' end end c = opts['client'] || connect(opts) r = opts['cgi'] ? c.request_cgi(opts) : c.request_raw(opts) res = c.send_recv(r, actual_timeout) disconnect(c) if disconnect res rescue ::Errno::EPIPE, ::Timeout::Error => e print_line(e.) if datastore['HttpTrace'] nil rescue Rex::ConnectionError => e vprint_error(e.to_s) nil rescue ::Exception => e print_line(e.) if datastore['HttpTrace'] raise e end |
#service_details ⇒ Object
977 978 979 980 981 982 983 984 985 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 977 def service_details { origin_type: :service, protocol: 'tcp', service_name: (ssl ? 'https' : 'http'), address: rhost, port: rport } end |
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it. We override setup() here to accomplish that.
110 111 112 113 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 110 def setup validate_fingerprint super end |
#ssl ⇒ Object
Returns the boolean indicating SSL
740 741 742 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 740 def ssl ((datastore.default?('SSL') and [443,3790].include?(rport.to_i)) or datastore['SSL']) end |
#ssl_version ⇒ Object
Returns the string indicating SSL version
747 748 749 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 747 def ssl_version datastore['SSLVersion'] end |
#sslkeylogfile ⇒ String
Returns the SSL key log file path
755 756 757 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 755 def sslkeylogfile datastore['SSLKeyLogFile'] end |
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string. The string is html-unescaped before the tags are removed Leading whitespaces and double linebreaks are removed too
705 706 707 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 705 def (html) Rex::Text.html_decode(html).gsub(/<\/?[^>]*>/, '').gsub(/^\s+/, '').strip end |
#target_uri ⇒ Object
Returns the target URI
574 575 576 577 578 579 580 581 582 583 584 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 574 def target_uri begin # In case TARGETURI is empty, at least we default to '/' u = datastore['TARGETURI'] u = "/" if u.nil? or u.empty? URI(u) rescue ::URI::InvalidURIError print_error "Invalid URI: #{datastore['TARGETURI'].inspect}" raise Msf::OptionValidateError.new(['TARGETURI']) end end |
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against. A failure to match any of them results in a RuntimeError exception being raised.
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 120 def validate_fingerprint() # Don't bother checking if there's no database active. if (framework.db.active and datastore['FingerprintCheck'] and self.class.const_defined?('HttpFingerprint')) # Get the module-specific config opts = self.class.const_get('HttpFingerprint') # # XXX: Ideally we could have more structured matches, but doing that requires # a more structured response cache. # info = http_fingerprint(opts) if info and opts[:pattern] opts[:pattern].each do |re| if not re.match(info) err = "The target server fingerprint \"#{info}\" does not match \"#{re.to_s}\", use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::NotFound, err) end end elsif info.nil? err = "The target server did not respond to fingerprinting, use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::Unreachable, err) end end end |
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
733 734 735 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 733 def vhost datastore['VHOST'] || datastore['RHOST'] end |