Module: Msf::Auxiliary::Web

Includes:
Report
Defined in:
lib/msf/core/auxiliary/web.rb,
lib/msf/core/auxiliary/web/form.rb,
lib/msf/core/auxiliary/web/path.rb,
lib/msf/core/auxiliary/web/fuzzable.rb,
lib/msf/core/auxiliary/web/analysis/taint.rb,
lib/msf/core/auxiliary/web/analysis/timing.rb,
lib/msf/core/auxiliary/web/analysis/differential.rb

Overview

Represents a webpage path.

Defined Under Namespace

Modules: Analysis Classes: Form, Fuzzable, HTTP, Path, Target

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Attribute Details

#httpObject (readonly)

Returns the value of attribute http


17
18
19
# File 'lib/msf/core/auxiliary/web.rb', line 17

def http
  @http
end

#pageObject (readonly)

Returns the value of attribute page


19
20
21
# File 'lib/msf/core/auxiliary/web.rb', line 19

def page
  @page
end

#parentObject (readonly)

Returns the value of attribute parent


18
19
20
# File 'lib/msf/core/auxiliary/web.rb', line 18

def parent
  @parent
end

#targetObject (readonly)

Returns the value of attribute target


16
17
18
# File 'lib/msf/core/auxiliary/web.rb', line 16

def target
  @target
end

Class Method Details

.configure_exploit(exploit, vuln) ⇒ Object

Must return a configuration Hash for the given exploit and vulnerability.


50
# File 'lib/msf/core/auxiliary/web.rb', line 50

def self.configure_exploit(exploit, vuln); end

.exploitsObject

Should be overridden to return the exploits to use for this vulnerability type as an Array of Strings.


47
# File 'lib/msf/core/auxiliary/web.rb', line 47

def self.exploits; end

Instance Method Details

#auditableObject

Returns an Array of elements prepared to be audited.


77
78
79
80
81
82
# File 'lib/msf/core/auxiliary/web.rb', line 77

def auditable
  target.auditable.map do |element|
    element.fuzzer = self
    element
  end
end

#calculate_confidence(_vuln) ⇒ Object

Should be overridden and return an Integer (0-100) denoting the confidence in the accuracy of the logged vuln.


144
145
146
# File 'lib/msf/core/auxiliary/web.rb', line 144

def calculate_confidence(_vuln)
  100
end

#checked(id) ⇒ Object

String id to push to the #checklist


26
27
28
# File 'lib/msf/core/auxiliary/web.rb', line 26

def checked(id)
  parent.checklist << "#{shortname}#{id}".hash
end

#checked?(id) ⇒ Boolean

String id to check against the #checklist

Returns:

  • (Boolean)

31
32
33
# File 'lib/msf/core/auxiliary/web.rb', line 31

def checked?(id)
  parent.checklist.include? "#{shortname}#{id}".hash
end

#directory_exist?(path) ⇒ Boolean

Checks whether a directory exists based on a path String.

Returns:

  • (Boolean)

92
93
94
95
96
# File 'lib/msf/core/auxiliary/web.rb', line 92

def directory_exist?(path)
  dir = path.dup
  dir << '/' if !dir.end_with?('/')
  resource_exist?(dir)
end

#find_proof(response, _element) ⇒ Object

Serves as a default detection method for when performing taint analysis.

Uses the Regexp in #signature against the response body in order to identify vulnerabilities and return a String that proves it.

Override it if you need more complex processing, but remember to return the proof as a String.

response - Auxiliary::Web::HTTP::Response element - the submitted element


129
130
131
132
133
134
135
136
# File 'lib/msf/core/auxiliary/web.rb', line 129

def find_proof(response, _element)
  return if !signature

  m = response.body.match(signature).to_s
  return if !m || m.empty?

  m.gsub(/[\r\n]/, ' ')
end

#increment_request_counterObject


138
139
140
# File 'lib/msf/core/auxiliary/web.rb', line 138

def increment_request_counter
  parent.increment_request_counter
end

#initialize(info = {}) ⇒ Object


21
22
23
# File 'lib/msf/core/auxiliary/web.rb', line 21

def initialize(info = {})
  super
end

#log_directory_if_exists(path) ⇒ Object

Logs the existence of the directory in the path String.


105
106
107
108
109
# File 'lib/msf/core/auxiliary/web.rb', line 105

def log_directory_if_exists(path)
  dir = path.dup
  dir << '/' if !dir.end_with?('/')
  log_resource_if_exists(dir)
end

#log_fingerprint(opts = {}) ⇒ Object


148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
# File 'lib/msf/core/auxiliary/web.rb', line 148

def log_fingerprint(opts = {})
  mode  = name
  vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].include?(vhash)

  location = opts[:location] ?
    page.url.merge(URI(opts[:location].to_s)) : page.url

  info = {
    web_site: target.site,
    path: location.path,
    query: location.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: opts[:fingerprint],
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }

  info[:confidence] = calculate_confidence(info)
  parent.vulns[mode][vhash] = info

  report_web_vuln(info)

  opts[:print_fingerprint] = true if !opts.include?(:print_fingerprint)

  print_good "	FOUND(#{mode}) URL(#{location})"
  print_good "		 PROOF(#{opts[:fingerprint]})" if opts[:print_fingerprint]
end

#log_resource(opts = {}) ⇒ Object


186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# File 'lib/msf/core/auxiliary/web.rb', line 186

def log_resource(opts = {})
  mode  = name
  vhash = [target.to_url, mode, opts[:location]]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return if parent.vulns[mode].include?(vhash)

  location = URI(opts[:location].to_s)
  info = {
    web_site: target.site,
    path: location.path,
    query: location.query,
    method: 'GET',
    params: [],
    pname: 'path',
    proof: opts[:location],
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    owner: self
  }

  info[:confidence] = calculate_confidence(info)
  parent.vulns[mode][vhash] = info

  report_web_vuln(info)

  print_good "	VULNERABLE(#{mode}) URL(#{target.to_url})"
  print_good "		 PROOF(#{opts[:location]})"
end

#log_resource_if_exists(path) ⇒ Object Also known as: log_file_if_exists

Logs the existence of a resource in the path String.


99
100
101
# File 'lib/msf/core/auxiliary/web.rb', line 99

def log_resource_if_exists(path)
  log_resource(location: path) if resource_exist?(path)
end

#match_and_log_fingerprint(fingerprint, options = {}) ⇒ Object

Matches fingerprint pattern against the current page's body and logs matches


112
113
114
115
# File 'lib/msf/core/auxiliary/web.rb', line 112

def match_and_log_fingerprint(fingerprint, options = {})
  return if (match = page.body.to_s.match(fingerprint).to_s).empty?
  log_fingerprint(options.merge(fingerprint: match))
end

#payloadsObject

Should be overridden to return the payloads used for this vulnerability type as an Array of Strings.


54
# File 'lib/msf/core/auxiliary/web.rb', line 54

def payloads; end

#process_vulnerability(element, proof, opts = {}) ⇒ Object


220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
# File 'lib/msf/core/auxiliary/web.rb', line 220

def process_vulnerability(element, proof, opts = {})
  mode  = name
  vhash = [target.to_url, mode, element.altered]
          .map(&:to_s).join('|').hash

  parent.vulns[mode] ||= {}
  return parent.vulns[mode][vhash] if parent.vulns[mode][vhash]

  parent.vulns[mode][vhash] = {
    target: target,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    mode: mode,
    pname: element.altered,
    proof: proof.to_s,
    form: element.model,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description]
  }

  confidence = calculate_confidence(parent.vulns[mode][vhash])

  parent.vulns[mode][vhash][:confidence] = confidence

  if !(payload = opts[:payload])
    if payloads
      payload = payloads.select do |p|
        element.altered_value.include?(p)
      end.max_by(&:size)
    end
  end

  uri = URI(element.action)
  info = {
    web_site: element.model.web_site,
    path: uri.path,
    query: uri.query,
    method: element.method.to_s.upcase,
    params: element.params.to_a,
    pname: element.altered,
    proof: proof.to_s,
    risk: details[:risk],
    name: details[:name],
    blame: details[:blame],
    category: details[:category],
    description: details[:description],
    confidence: confidence,
    payload: payload,
    owner: self
  }

  report_web_vuln(info)

  print_good "	VULNERABLE(#{mode}) URL(#{target.to_url})" \
             " PARAMETER(#{element.altered}) VALUES(#{element.params})"
  print_good "		 PROOF(#{proof})"
end

#resource_exist?(path) ⇒ Boolean Also known as: file_exist?

Checks whether a resource exists based on a path String.

Returns:

  • (Boolean)

85
86
87
88
# File 'lib/msf/core/auxiliary/web.rb', line 85

def resource_exist?(path)
  res = http.get(path)
  res.code.to_i == 200 && !http.custom_404?(path, res.body)
end

#runObject

Default #run, will audit all elements using taint analysis and log results based on #find_proof return values.


72
73
74
# File 'lib/msf/core/auxiliary/web.rb', line 72

def run
  auditable.each(&:taint_analysis)
end

#setup(opts = {}) ⇒ Object

Called directly before 'run'


38
39
40
41
42
43
# File 'lib/msf/core/auxiliary/web.rb', line 38

def setup(opts = {})
  @parent = opts[:parent]
  @target = opts[:target]
  @page   = opts[:page]
  @http   = opts[:http]
end

#signatureObject

Should be overridden to return a pattern to be matched against response bodies in order to identify a vulnerability.

You can go one deeper and override #find_proof for more complex processing.


66
# File 'lib/msf/core/auxiliary/web.rb', line 66

def signature; end

#tokenObject


56
57
58
# File 'lib/msf/core/auxiliary/web.rb', line 56

def token
  "xssmsfpro"
end