Class: Metasploit::Framework::LoginScanner::DirectAdmin

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/directadmin.rb

Constant Summary collapse

DEFAULT_PORT =
443
PRIVATE_TYPES =
[ :password ]

Constants inherited from HTTP

HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to DirectAdmin Web Control Panel. This is called first.

Parameters:

Returns:

  • (Result)

    A Result object indicating success or failure



95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 95

def (credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: ssl ? 'https' : 'http'
  }

  begin
    result_opts.merge!((credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setupBoolean

Checks if the target is Direct Admin Web Control Panel. The login module should call this.

Returns:

  • (Boolean)

    TrueClass if target is DAWCP, otherwise FalseClass



16
17
18
19
20
21
22
23
24
25
# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 16

def check_setup
   = normalize_uri("#{uri}/CMD_LOGIN")
  res = send_request({'uri'=> })

  if res && res.body.include?('DirectAdmin Login')
    return true
  end

  false
end

#get_last_sidString

Returns the latest sid from DirectAdmin Control Panel

Returns:

  • (String)

    The PHP Session ID for DirectAdmin Web Control login



31
32
33
34
35
36
37
38
39
40
41
42
43
# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 31

def get_last_sid
  @last_sid ||= lambda {
    # We don't have a session ID. Well, let's grab one right quick from the login page.
    # This should probably only happen once (initially).
     = normalize_uri("#{uri}/CMD_LOGIN")
    res = send_request({'uri' => })

    return '' unless res

    cookies = res.get_cookies
    @last_sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
  }.call
end

#get_login_state(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

  • username (String)

    The username to try

  • password (String)

    The password to try

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 53

def (username, password)
  # Prep the data needed for login
  sid       = get_last_sid
  protocol  = ssl ? 'https' : 'http'
  peer      = "#{host}:#{port}"
   = normalize_uri("#{uri}/CMD_LOGIN")

  res = send_request({
    'uri' => ,
    'method' => 'POST',
    'cookie' => sid,
    'headers' => {
      'Referer' => "#{protocol}://#{peer}/#{}"
    },
    'vars_post' => {
      'username' => username,
      'password' => password,
      'referer' => '%2F'
    }
  })

  unless res
    return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.to_s}
  end

  # After login, the application should give us a new SID
  cookies = res.get_cookies
  sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
  @last_sid = sid # Update our SID

  if res.headers['Location'].to_s.include?('/') && !sid.blank?
    return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s}
end