Class: Metasploit::Framework::LoginScanner::Glassfish
- Defined in:
- lib/metasploit/framework/login_scanner/glassfish.rb
Overview
The Glassfish HTTP LoginScanner class provides methods to do login routines for Glassfish 2, 3 and 4.
Constant Summary collapse
- DEFAULT_PORT =
4848
- PRIVATE_TYPES =
[ :password ]
Constants inherited from HTTP
HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY
Instance Attribute Summary collapse
- #http_password ⇒ Object
- #http_username ⇒ Object
-
#jsession ⇒ String
Cookie session.
-
#version ⇒ String
Glassfish version.
Attributes inherited from HTTP
#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_success_codes, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost
Instance Method Summary collapse
-
#attempt_login(credential) ⇒ Result
Decides which login routine and returns the results.
- #check_setup ⇒ Object
-
#extract_version(banner) ⇒ String?
Extract the target’s glassfish version from the HTTP Server Sun Java System Application Server 9.1header (ex: Sun Java System Application Server 9.x).
-
#is_secure_admin_disabled?(res) ⇒ boolean
As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn’t allowed to login remotely.
-
#send_request(opts) ⇒ Rex::Proto::Http::Response
Sends a HTTP request with Rex.
-
#try_glassfish_2(credential) ⇒ Hash
Tries to login to Glassfish version 2.
-
#try_glassfish_3(credential) ⇒ Hash
Tries to login to Glassfish version 3 or 4 (as of now it’s the latest).
-
#try_glassfish_9(credential) ⇒ Hash
Tries to login to Glassfish version 9.
-
#try_login(credential) ⇒ Rex::Proto::Http::Response
Sends a login request.
Instance Attribute Details
#http_password ⇒ Object
28 29 30 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 28 def http_password @http_password end |
#http_username ⇒ Object
24 25 26 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 24 def http_username @http_username end |
#jsession ⇒ String
Returns Cookie session.
21 22 23 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 21 def jsession @jsession end |
#version ⇒ String
Returns Glassfish version.
17 18 19 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 17 def version @version end |
Instance Method Details
#attempt_login(credential) ⇒ Result
Decides which login routine and returns the results
205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 205 def attempt_login(credential) result_opts = { credential: credential } begin case self.version when /^2\.x$/ status = try_glassfish_2(credential) result_opts.merge!(status) when /^[34]\./ status = try_glassfish_3(credential) result_opts.merge!(status) when /^9\.x$/ status = try_glassfish_9(credential) result_opts.merge!(status) end rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) end Result.new(result_opts) end |
#check_setup ⇒ Object
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 31 def check_setup begin res = send_request({ 'uri' => '/common/index.jsf', }) return "Connection failed" if res.nil? if !([200, 302].include?(res.code)) return "Unexpected HTTP response code #{res.code} (is this really Glassfish?)" end # If remote login is enabled on 4.x, it redirects to https on the # same port. if !self.ssl && res.headers['Location'] =~ /^https:/ self.ssl = true res = send_request({ 'uri' => '/common/index.jsf', 'cgi' => false }) if res.nil? return "Connection failed after SSL redirection" end if res.code != 200 return "Unexpected HTTP response code #{res.code} after SSL redirection (is this really Glassfish?)" end end res = send_request({ 'uri' => '/login.jsf', 'cgi' => false }) return "Connection failed" if res.nil? extract_version(res.headers['Server']) if @version.nil? || @version !~ /^[2349]/ return "Unsupported version ('#{@version}')" end rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error return "Unable to connect to target" end false end |
#extract_version(banner) ⇒ String?
Extract the target’s glassfish version from the HTTP Server Sun Java System Application Server 9.1header (ex: Sun Java System Application Server 9.x)
234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 234 def extract_version() # Set version. Some GlassFish servers return banner "GlassFish v3". if =~ /(GlassFish Server|Open Source Edition)[[:blank:]]*(\d\.\d)/ @version = $2 elsif =~ /GlassFish v(\d)/ @version = $1 elsif =~ /Sun GlassFish Enterprise Server v2/ @version = '2.x' elsif =~ /Sun Java System Application Server 9/ @version = '9.x' else @version = nil end return @version end |
#is_secure_admin_disabled?(res) ⇒ boolean
As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn’t allowed to login remotely. However, the authentication will still run and hint whether the password is correct or not.
96 97 98 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 96 def is_secure_admin_disabled?(res) return (res.body =~ /Secure Admin must be enabled/i) ? true : false end |
#send_request(opts) ⇒ Rex::Proto::Http::Response
Sends a HTTP request with Rex
78 79 80 81 82 83 84 85 86 87 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 78 def send_request(opts) res = super(opts) # Found a cookie? Set it. We're going to need it. if res && res. =~ /JSESSIONID=(\w*);/i self.jsession = $1 end res end |
#try_glassfish_2(credential) ⇒ Hash
Tries to login to Glassfish version 2
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 131 def try_glassfish_2(credential) res = try_login(credential) if res && res.code == 302 opts = { 'uri' => '/applications/upload.jsf', 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{self.jsession}" }, 'cgi' => false } res = send_request(opts) p = /<title>Deploy Enterprise Applications\/Modules/ if (res && res.code.to_i == 200 && res.body.match(p) != nil) return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body} end end {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body} end |
#try_glassfish_3(credential) ⇒ Hash
Tries to login to Glassfish version 3 or 4 (as of now it’s the latest)
174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 174 def try_glassfish_3(credential) res = try_login(credential) if res && res.code == 302 opts = { 'uri' => '/common/applications/uploadFrame.jsf', 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{self.jsession}" }, 'cgi' => false } res = send_request(opts) p = /<title>Deploy Applications or Modules/ if (res && res.code.to_i == 200 && res.body.match(p) != nil) return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body} end elsif res && is_secure_admin_disabled?(res) return {:status => Metasploit::Model::Login::Status::DENIED_ACCESS, :proof => res.body} elsif res && res.code == 400 return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.body} end {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body} end |
#try_glassfish_9(credential) ⇒ Hash
Tries to login to Glassfish version 9
159 160 161 162 163 164 165 166 167 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 159 def try_glassfish_9(credential) res = try_login(credential) if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/ return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body} end {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body} end |
#try_login(credential) ⇒ Rex::Proto::Http::Response
Sends a login request
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 105 def try_login(credential) data = "j_username=#{Rex::Text.uri_encode(credential.public)}&" data << "j_password=#{Rex::Text.uri_encode(credential.private)}&" data << 'loginButton=Login' opts = { 'uri' => '/j_security_check', 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded', 'Cookie' => "JSESSIONID=#{self.jsession}", }, 'cgi' => false } send_request(opts) end |