Path: blob/master/lib/metasploit/framework/login_scanner/chef_webui.rb
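require 'metasploit/framework/login_scanner/http'

module Metasploit
  module Framework
    module LoginScanner
      # The ChefWebUI HTTP LoginScanner class provides methods to authenticate to Chef WebUI.
      #
      # Per credential the scanner issues, in order:
      #   1. GET  /users/login          - reads the CSRF token and the session cookie
      #   2. POST /users/login_exec     - submits the credential with that token
      #   3. GET  /users/<name>/edit    - only after a 302, to confirm the login
      # This repeated sequence is what the scanner looks like in the server's
      # access log, which makes it a usable detection pattern.
      class ChefWebUI < HTTP
        # Port 80 is plain HTTP: unless the caller enables TLS (that setting is
        # not visible in this file), the form POST carries the password unencrypted.
        DEFAULT_PORT = 80
        PRIVATE_TYPES = [ :password ]

        # @!attribute session_name
        #   @return [String] Cookie name for session_id
        attr_accessor :session_name

        # @!attribute session_id
        #   @return [String] Cookie value
        attr_accessor :session_id

        # Runs one login attempt and wraps the outcome in a Result.
        #
        # The result starts as INCORRECT with no proof and is overwritten by
        # whatever {#try_login} returns. The listed connection-level errors are
        # reported as UNABLE_TO_CONNECT, with the exception object stored as proof.
        #
        # @param credential [Metasploit::Framework::Credential] The credential object
        # @return [Result]
        def attempt_login(credential)
          result_opts = {
            credential: credential,
            status: Metasploit::Model::Login::Status::INCORRECT,
            proof: nil,
            host: host,
            port: port,
            protocol: 'tcp'
          }

          begin
            result_opts.merge!(try_login(credential))
          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
          end

          Result.new(result_opts)
        end

        # (see Base#check_setup)
        #
        # Fetches the login page and checks that it looks like Chef WebUI.
        #
        # @return [String, false] an error message when the target is unusable,
        #   false when the check passed
        def check_setup
          begin
            res = send_request({
              'uri' => normalize_uri('/users/login')
            })
            return "Connection failed" if res.nil?

            if res.code != 200
              return "Unexpected HTTP response code #{res.code} (is this really Chef WebUI?)"
            end

            if res.body.to_s !~ /<title>Chef Server<\/title>/
              return "Unexpected HTTP body (is this really Chef WebUI?)"
            end
          rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
            return "Unable to connect to target"
          end

          false
        end

        # Sends a HTTP request with Rex
        #
        # Every response that carries a `_<name>_session` cookie updates
        # {#session_name} and {#session_id}, so later requests replay the most
        # recent session cookie.
        #
        # @param (see Rex::Proto::Http::Request#request_raw)
        # @return [Rex::Proto::Http::Response] The HTTP response
        def send_request(opts)
          res = super(opts)

          # Save the session ID cookie.
          # NOTE(review): `$` inside the character class is a literal dollar sign,
          # not an end-of-string anchor, so the captured value stops at `;` or `$`.
          if res && res.get_cookies =~ /(_\w+_session)=([^;$]+)/i
            self.session_name = Regexp.last_match(1)
            self.session_id = Regexp.last_match(2)
          end

          res
        end

        # Sends a login request
        #
        # @param csrf_token [String] The authenticity_token scraped from the login form
        # @param credential [Metasploit::Framework::Credential] The credential object
        # @return [Rex::Proto::Http::Response] The HTTP auth response
        def try_credential(csrf_token, credential)
          # Form fields are URI-encoded so that `&` or `=` inside a username or
          # password cannot split or add form parameters.
          data = [
            "utf8=%E2%9C%93", # ✓
            "authenticity_token=#{Rex::Text.uri_encode(csrf_token)}",
            "name=#{Rex::Text.uri_encode(credential.public)}",
            "password=#{Rex::Text.uri_encode(credential.private)}",
            "commit=login"
          ].join('&')

          opts = {
            'uri' => normalize_uri('/users/login_exec'),
            'method' => 'POST',
            'data' => data,
            'headers' => {
              'Content-Type' => 'application/x-www-form-urlencoded',
              'Cookie' => "#{self.session_name}=#{self.session_id}"
            }
          }

          send_request(opts)
        end

        # Tries to login to Chef WebUI
        #
        # A missing response (nil) no longer raises NoMethodError on `res.body`.
        # That exception is not in {#attempt_login}'s rescue list, so it used to
        # propagate out of the attempt. The proof is nil in that case.
        #
        # @param credential [Metasploit::Framework::Credential] The credential object
        # @return [Hash]
        #   * :status [Metasploit::Model::Login::Status]
        #   * :proof [String, nil] the HTTP response body, nil when no response was received
        def try_login(credential)
          # Obtain a CSRF token first
          res = send_request({
            'uri' => normalize_uri('/users/login')
          })
          unless res && res.code == 200 && res.body =~ /input name="authenticity_token" type="hidden" value="([^"]+)"/m
            return { status: Metasploit::Model::Login::Status::UNTRIED, proof: (res ? res.body : nil) }
          end

          csrf_token = Regexp.last_match(1)

          res = try_credential(csrf_token, credential)
          if res && res.code == 302
            # A 302 alone is not treated as success; the user's edit page must
            # load with the expected marker text.
            # NOTE(review): the username is interpolated into the path without
            # URI-encoding, unlike the form fields in try_credential.
            opts = {
              'uri' => normalize_uri("/users/#{credential.public}/edit"),
              'method' => 'GET',
              'headers' => {
                'Cookie' => "#{self.session_name}=#{self.session_id}"
              }
            }
            res = send_request(opts)
            if res && res.code == 200 && res.body.to_s =~ /New password for the User/
              return { status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.body }
            end
          end

          # NOTE(review): a nil response here is still reported as INCORRECT;
          # consider UNABLE_TO_CONNECT so dropped connections are not recorded
          # as rejected credentials.
          { status: Metasploit::Model::Login::Status::INCORRECT, proof: (res ? res.body : nil) }
        end
      end
    end
  end
end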