CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/login_scanner/directadmin.rb
require 'metasploit/framework/login_scanner/http'

module Metasploit
  module Framework
    module LoginScanner

      class DirectAdmin < HTTP

        DEFAULT_PORT = 443
        PRIVATE_TYPES = [ :password ]


        # Checks if the target is Direct Admin Web Control Panel. The login module should call this.
        #
        # @return [Boolean] TrueClass if target is DAWCP, otherwise FalseClass
        def check_setup
          login_uri = normalize_uri("#{uri}/CMD_LOGIN")
          res = send_request({'uri'=> login_uri})

          if res && res.body.include?('DirectAdmin Login')
            return true
          end

          false
        end


        # Returns the latest sid from DirectAdmin Control Panel
        #
        # @return [String] The PHP Session ID for DirectAdmin Web Control login
        def get_last_sid
          @last_sid ||= lambda {
            # We don't have a session ID. Well, let's grab one right quick from the login page.
            # This should probably only happen once (initially).
            login_uri = normalize_uri("#{uri}/CMD_LOGIN")
            res = send_request({'uri' => login_uri})

            return '' unless res

            cookies = res.get_cookies
            @last_sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
          }.call
        end


        # Actually doing the login. Called by #attempt_login
        #
        # @param username [String] The username to try
        # @param password [String] The password to try
        # @return [Hash]
        #   * :status [Metasploit::Model::Login::Status]
        #   * :proof [String] the HTTP response body
        def get_login_state(username, password)
          # Prep the data needed for login
          sid = get_last_sid
          protocol = ssl ? 'https' : 'http'
          peer = "#{host}:#{port}"
          login_uri = normalize_uri("#{uri}/CMD_LOGIN")

          res = send_request({
            'uri' => login_uri,
            'method' => 'POST',
            'cookie' => sid,
            'headers' => {
              'Referer' => "#{protocol}://#{peer}/#{login_uri}"
            },
            'vars_post' => {
              'username' => username,
              'password' => password,
              'referer' => '%2F'
            }
          })

          unless res
            return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.to_s}
          end

          # After login, the application should give us a new SID
          cookies = res.get_cookies
          sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
          @last_sid = sid # Update our SID

          if res.headers['Location'].to_s.include?('/') && !sid.blank?
            return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s}
          end

          {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s}
        end


        # Attempts to login to DirectAdmin Web Control Panel. This is called first.
        #
        # @param credential [Metasploit::Framework::Credential] The credential object
        # @return [Result] A Result object indicating success or failure
        def attempt_login(credential)
          result_opts = {
            credential: credential,
            status: Metasploit::Model::Login::Status::INCORRECT,
            proof: nil,
            host: host,
            port: port,
            protocol: 'tcp',
            service_name: ssl ? 'https' : 'http'
          }

          begin
            result_opts.merge!(get_login_state(credential.public, credential.private))
          rescue ::Rex::ConnectionError => e
            # Something went wrong during login. 'e' knows what's up.
            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e.message)
          end

          Result.new(result_opts)
        end

      end
    end
  end
end