Module: Msf::Auxiliary::Web

Includes:
Report
Defined in:
lib/msf/core/auxiliary/web.rb,
lib/msf/core/auxiliary/web/form.rb,
lib/msf/core/auxiliary/web/path.rb,
lib/msf/core/auxiliary/web/fuzzable.rb,
lib/msf/core/auxiliary/web/analysis/taint.rb,
lib/msf/core/auxiliary/web/analysis/timing.rb,
lib/msf/core/auxiliary/web/analysis/differential.rb

Overview

Represents a webpage path.

Defined Under Namespace

Modules: Analysis
Classes: Form, Fuzzable, HTTP, Path, Target


Methods included from Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Attribute Details

#httpObject (readonly)

Returns the value of attribute http


# File 'lib/msf/core/auxiliary/web.rb', line 23

# HTTP client this module issues its requests through (see #resource_exist?,
# which calls http.get and http.custom_404?). Assigned by #setup from opts[:http].
def http
  @http
end

#pageObject (readonly)

Returns the value of attribute page


# File 'lib/msf/core/auxiliary/web.rb', line 25

# The page currently under audit: #match_and_log_fingerprint reads its body and
# #log_fingerprint resolves opts[:location] against its url. Assigned by #setup.
def page
  @page
end

#parentObject (readonly)

Returns the value of attribute parent


# File 'lib/msf/core/auxiliary/web.rb', line 24

# The owning scanner object. It holds the shared state this module reads and
# writes: the #checklist of already-checked ids, the per-mode vulns store, and
# the request counter. Assigned by #setup from opts[:parent].
def parent
  @parent
end

#targetObject (readonly)

Returns the value of attribute target


# File 'lib/msf/core/auxiliary/web.rb', line 22

# The audited target: source of the #auditable elements and of the to_url and
# site values used when keying and reporting vulns. Assigned by #setup.
def target
  @target
end

Class Method Details

.configure_exploit(exploit, vuln) ⇒ Object

Must return a configuration Hash for the given exploit and vulnerability.


# File 'lib/msf/core/auxiliary/web.rb', line 56

# Hook for subclasses: must return a configuration Hash for the given exploit
# and vulnerability. This base implementation returns nil.
#
# @param exploit the exploit to configure
# @param vuln the vulnerability it is being configured for
# @return [Hash, nil]
def self.configure_exploit(exploit, vuln)
  nil
end

.exploitsObject

Should be overridden to return the exploits to use for this vulnerability type as an Array of Strings.


# File 'lib/msf/core/auxiliary/web.rb', line 53

# Hook for subclasses: should return the exploits to use for this vulnerability
# type as an Array of Strings. This base implementation returns nil.
#
# @return [Array<String>, nil]
def self.exploits
  nil
end

Instance Method Details

#auditableObject

Returns an Array of elements prepared to be audited.


# File 'lib/msf/core/auxiliary/web.rb', line 83

# Returns the target's auditable elements with this module installed as each
# element's fuzzer, so that later calls (e.g. #run) can audit them.
#
# @return [Array] the prepared elements
def auditable
  target.auditable.map do |element|
    element.tap { |prepared| prepared.fuzzer = self }
  end
end

#calculate_confidence(_vuln) ⇒ Object

Should be overridden and return an Integer (0-100) denoting the confidence in the accuracy of the logged vuln.


# File 'lib/msf/core/auxiliary/web.rb', line 150

# Confidence (Integer percentage, 0-100) in the accuracy of a logged vuln.
# The base implementation does not grade findings and reports full confidence;
# subclasses override this to lower it for weaker evidence.
#
# @param _vuln [Hash] the vuln info being logged (unused here)
# @return [Integer]
def calculate_confidence(_vuln)
  # Every finding of a base module is treated as certain.
  100
end

#checked(id) ⇒ Object

String id to push to the #checklist


# File 'lib/msf/core/auxiliary/web.rb', line 32

# Marks the String id as checked on the parent's #checklist. The key is the
# hash of the module shortname joined with the id, so ids are scoped per
# module. String#hash is seeded per process, so the checklist is only
# meaningful within the current run.
#
# @param id [String]
# @return [Array] the parent's checklist
def checked(id)
  key = "#{shortname}#{id}".hash
  parent.checklist.push(key)
end

#checked?(id) ⇒ Boolean

String id to check against the #checklist

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 37

# Whether the String id has already been recorded via #checked for this
# module (same shortname-scoped key).
#
# @param id [String]
# @return [Boolean]
def checked?(id)
  key = "#{shortname}#{id}".hash
  parent.checklist.include?(key)
end

#directory_exist?(path) ⇒ Boolean

Checks whether a directory exists based on a path String.

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 98

# Checks whether a directory exists for the given path String by probing the
# path with a trailing slash through #resource_exist?. The argument is not
# modified.
#
# @param path [String]
# @return [Boolean]
def directory_exist?(path)
  dir = path.end_with?('/') ? path.dup : "#{path}/"
  resource_exist?(dir)
end

#find_proof(response, _element) ⇒ Object

Serves as a default detection method for when performing taint analysis.

Uses the Regexp in #signature against the response body in order to identify vulnerabilities and return a String that proves it.

Override it if you need more complex processing, but remember to return the proof as a String.

response - Auxiliary::Web::HTTP::Response
element - the submitted element


# File 'lib/msf/core/auxiliary/web.rb', line 135

def find_proof(response, _element)
  return if !signature

  m = response.body.match(signature).to_s
  return if !m || m.empty?

  m.gsub(/[\r\n]/, ' ')
end

#increment_request_counterObject


# File 'lib/msf/core/auxiliary/web.rb', line 144

# Forwards to the parent's request counter; the count lives on the parent so
# this module does not keep one of its own.
def increment_request_counter
  parent.increment_request_counter
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 27

# Pass-through constructor: the module info Hash goes straight to the
# superclass. Per-run state (parent, target, page, http) is injected later
# by #setup rather than here.
#
# @param info [Hash]
def initialize(info = {})
  super(info)
end

#log_directory_if_exists(path) ⇒ Object

Logs the existence of the directory in the path String.


# File 'lib/msf/core/auxiliary/web.rb', line 111

# Logs the existence of the directory at the given path String, probing the
# slash-terminated form through #log_resource_if_exists. The argument is not
# modified.
#
# @param path [String]
def log_directory_if_exists(path)
  dir = path.end_with?('/') ? path.dup : "#{path}/"
  log_resource_if_exists(dir)
end

#log_fingerprint(opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 154

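# Logs a fingerprint match as a web vuln against the current page, or against
# opts[:location] resolved relative to page.url, and reports it via
# #report_web_vuln. A (target, fingerprint, mode, location) combination is only
# logged once per run.
#
# @param opts [Hash]
#   :fingerprint       the matched text, stored as the vuln proof
#   :location          optional path or URL where the match was found
#   :print_fingerprint whether to print the PROOF line (default true)
# @return [nil] when the vuln was already logged; otherwise the value of the
#   last print_good call
def log_fingerprint(opts = {})
  mode  = name
  vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]]
          .map(&:to_s).join('|').hash

  # In-memory de-duplication; String#hash is seeded per process, so the key
  # is only meaningful within this run.
  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].include?(vhash)

  location = opts[:location] ?
    page.url.merge(URI(opts[:location].to_s)) : page.url

  info = {
    web_site: target.site,
    path: location.path,
    query: location.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: opts[:fingerprint],
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }

  info[:confidence] = calculate_confidence(info)
  parent.vulns[mode][vhash] = info

  report_web_vuln(info)

  # Read the flag with a default instead of writing it back into the caller's
  # Hash (the previous version mutated opts).
  print_proof = opts.fetch(:print_fingerprint, true)

  print_good "\tFOUND(#{mode}) URL(#{location})"
  print_good "\t\t PROOF(#{opts[:fingerprint]})" if print_proof
end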

#log_resource(opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 192

# Logs the existence of the resource at opts[:location] as a web vuln for the
# current target, storing the location itself as the proof, and reports it via
# #report_web_vuln. A (target, mode, location) combination is only logged once
# per run.
#
# @param opts [Hash] :location - path or URL of the resource
# @return [nil] when already logged; otherwise the value of the last print_good
def log_resource(opts = {})
  mode     = name
  location = opts[:location]
  vhash    = "#{target.to_url}|#{mode}|#{location}".hash

  # In-memory de-duplication keyed per mode.
  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].key?(vhash)

  uri  = URI(location.to_s)
  info = {
    web_site: target.site,
    path: uri.path,
    query: uri.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: location,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }
  info[:confidence] = calculate_confidence(info)

  parent.vulns[mode][vhash] = info
  report_web_vuln(info)

  print_good "\tVULNERABLE(#{mode}) URL(#{target.to_url})"
  print_good "\t\t PROOF(#{location})"
end

#log_resource_if_exists(path) ⇒ Object Also known as: log_file_if_exists

Logs the existence of a resource in the path String.


# File 'lib/msf/core/auxiliary/web.rb', line 105

# Logs the resource at the given path String via #log_resource, but only when
# #resource_exist? reports it present.
#
# @param path [String]
# @return [nil] when the resource does not exist
def log_resource_if_exists(path)
  return unless resource_exist?(path)

  log_resource(location: path)
end

#match_and_log_fingerprint(fingerprint, options = {}) ⇒ Object

Matches fingerprint pattern against the current page's body and logs matches


# File 'lib/msf/core/auxiliary/web.rb', line 118

# Matches the fingerprint pattern against the current page's body and, when it
# matches, logs the matched text through #log_fingerprint with the given
# options.
#
# @param fingerprint [Regexp, String] pattern passed to String#match
# @param options [Hash] forwarded to #log_fingerprint (merged with :fingerprint)
# @return [nil] when nothing matched
def match_and_log_fingerprint(fingerprint, options = {})
  body  = page.body.to_s
  match = body.match(fingerprint).to_s
  return if match.empty?

  log_fingerprint(options.merge(fingerprint: match))
end

#payloadsObject

Should be overridden to return the payloads used for this vulnerability type as an Array of Strings.


# File 'lib/msf/core/auxiliary/web.rb', line 60

# Hook for subclasses: should return the payloads used for this vulnerability
# type as an Array of Strings. #process_vulnerability uses them to work out
# which payload produced a finding. This base implementation returns nil.
#
# @return [Array<String>, nil]
def payloads
  nil
end

#process_vulnerability(element, proof, opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 226

# Records a vulnerability found in the fuzzed element in the parent's vulns
# store, reports it via #report_web_vuln and prints it. Findings are keyed on
# (target, mode, altered parameter), so a repeat for the same parameter returns
# the stored entry without reporting again.
#
# @param element the fuzzed element (altered, altered_value, params, method,
#   action, model)
# @param proof [#to_s] evidence text, stored as the vuln proof
# @param opts [Hash] :payload - overrides the recorded payload; otherwise the
#   longest entry of #payloads contained in the element's altered value is used
# @return [Hash] the stored entry on a repeat call; otherwise the value of the
#   last print_good
def process_vulnerability(element, proof, opts = {})
  mode  = name
  vhash = "#{target.to_url}|#{mode}|#{element.altered}".hash
  store = (parent.vulns[mode] ||= {})

  existing = store[vhash]
  return existing if existing

  entry = {
    target: target,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    mode: mode,
    pname: element.altered,
    proof: proof.to_s,
    form: element.model,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description]
  }
  store[vhash] = entry

  confidence = calculate_confidence(entry)
  entry[:confidence] = confidence

  # Without an explicit payload, pick the longest known payload that survived
  # in the altered value.
  payload = opts[:payload]
  if !payload && payloads
    payload = payloads
              .select { |candidate| element.altered_value.include?(candidate) }
              .max_by(&:size)
  end

  uri  = URI(element.action)
  info = {
    web_site: element.model.web_site,
    path: uri.path,
    query: uri.query,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    pname: element.altered,
    proof: proof.to_s,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    confidence: confidence,
    payload: payload,
    owner: self
  }
  report_web_vuln(info)

  print_good "\tVULNERABLE(#{mode}) URL(#{target.to_url})" \
             " PARAMETER(#{element.altered}) VALUES(#{element.params})"
  print_good "\t\t PROOF(#{proof})"
end

#resource_exist?(path) ⇒ Boolean Also known as: file_exist?

Checks whether a resource exists based on a path String.

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 91

# Checks whether a resource exists at the given path String: true only for an
# HTTP 200 whose body the http client does not classify as a custom 404 page.
# Any other status (redirects, 403, ...) counts as absent.
#
# @param path [String]
# @return [Boolean]
def resource_exist?(path)
  response = http.get(path)
  return false unless response.code.to_i == 200

  !http.custom_404?(path, response.body)
end

#runObject

Default #run, will audit all elements using taint analysis and log results based on #find_proof return values.


# File 'lib/msf/core/auxiliary/web.rb', line 78

# Default run: audits every #auditable element with taint analysis; results
# are logged based on what #find_proof returns for each response.
#
# @return [Array] the audited elements
def run
  auditable.each { |element| element.taint_analysis }
end

#setup(opts = {}) ⇒ Object

Called directly before 'run'


# File 'lib/msf/core/auxiliary/web.rb', line 44

# Called directly before #run: injects the per-run collaborators. Missing keys
# leave the corresponding attribute nil.
#
# @param opts [Hash] :parent, :target, :page, :http
# @return the http client that was assigned
def setup(opts = {})
  @parent, @target, @page = opts.values_at(:parent, :target, :page)
  @http = opts[:http]
end

#signatureObject

Should be overridden to return a pattern to be matched against response bodies in order to identify a vulnerability.

You can go one deeper and override #find_proof for more complex processing.


# File 'lib/msf/core/auxiliary/web.rb', line 72

# Hook for subclasses: should return a pattern to be matched against response
# bodies in order to identify a vulnerability (#find_proof uses it). Override
# #find_proof instead for more complex processing. The base implementation
# returns nil, which makes the default #find_proof report nothing.
#
# @return [Regexp, nil]
def signature
  nil
end

#tokenObject


# File 'lib/msf/core/auxiliary/web.rb', line 62

# Fixed marker string available to modules (its name suggests an XSS probe
# marker; nothing on this page shows how it is used - check callers).
#
# @return [String]
def token
  'xssmsfpro'
end