Class: Metasploit::Framework::LoginScanner::GitLab
- Defined in:
- lib/metasploit/framework/login_scanner/gitlab.rb
Overview
GitLab login scanner
Constant Summary collapse
- CAN_GET_SESSION =
Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
false
- DEFAULT_PORT =
80
- PRIVATE_TYPES =
[ :password ]
Constants inherited from HTTP
HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY
Instance Attribute Summary
Attributes inherited from HTTP
#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost
Instance Method Summary collapse
Methods inherited from HTTP
#authentication_required?, #check_setup, #send_request
Instance Method Details
#attempt_login(credential) ⇒ Object
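# File 'lib/metasploit/framework/login_scanner/gitlab.rb', line 21
# Attempts a single GitLab web sign-in with the given credential.
#
# Flow: GET the sign-in page to discover the username field name, the
# _gitlab_session cookie and the CSRF authenticity_token, then POST the
# credential with that cookie and token. A 302 from the POST is treated
# as a successful login.
#
# @param credential [Metasploit::Framework::Credential] public/private pair to try
# @return [Result] status is SUCCESSFUL, INCORRECT or UNABLE_TO_CONNECT
# @raise [RuntimeError] when the page is not a GitLab login form, or when the
#   session cookie or authenticity_token cannot be extracted from it
def attempt_login(credential)
  result_opts = {
    credential: credential,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: ssl ? 'https' : 'http'
  }

  begin
    # Get a valid session cookie and authenticity_token for the next step
    res = send_request(
      'method' => 'GET',
      'cookie' => 'request_method=GET',
      'uri' => uri
    )

    if res.nil?
      # No response at all: report a connection problem instead of failing
      # with NoMethodError on res.body below.
      result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'No response to GET of login page')
      return Result.new(result_opts)
    end

    # GitLab has used both field names for the username over time.
    user_field =
      if res.body.include? 'user[email]'
        'user[email]'
      elsif res.body.include? 'user[login]'
        'user[login]'
      else
        raise RuntimeError, 'Not a valid GitLab login page'
      end

    # NOTE(review): the rendered page dropped the receiver method on this line;
    # get_cookies is the Rex response accessor for the Set-Cookie values.
    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
    # New versions of GitLab use an alternative scheme
    # Try it, if the old one was not successful
    auth_token ||= res.body.scan(/<input type="hidden" name="authenticity_token" value="(.*?)"/).flatten[0]

    raise RuntimeError, 'Unable to get Session Cookie' unless local_session_cookie
    raise RuntimeError, 'Unable to get Authentication Token' unless auth_token

    # Perform the actual login
    res = send_request(
      'method' => 'POST',
      'cookie' => local_session_cookie,
      'uri' => uri,
      'vars_post' => {
        'utf8' => "\xE2\x9C\x93",
        'authenticity_token' => auth_token,
        user_field => credential.public,
        'user[password]' => credential.private,
        'user[remember_me]' => 0
      }
    )

    if res.nil?
      # The POST got no answer; that is not evidence of a wrong credential,
      # so do not record INCORRECT for it.
      result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'No response to POST of credentials')
    elsif res.code == 302
      # GitLab redirects after a successful sign-in. proof keeps the raw
      # response headers, which may carry the Set-Cookie of the newly
      # authenticated session.
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
    else
      result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
    end
  rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end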
#set_sane_defaults ⇒ Object
# File 'lib/metasploit/framework/login_scanner/gitlab.rb', line 14
# Fills in the GitLab-specific defaults before handing over to the HTTP
# scanner's own defaults: the sign-in path and the POST method, each only
# when the caller left it nil.
def set_sane_defaults
  { uri: '/users/sign_in', method: 'POST' }.each do |name, value|
    next unless send(name).nil?

    send(:"#{name}=", value)
  end
  super
end