Module: Msf::Auxiliary::Web

Includes:
Report
Defined in:
lib/msf/core/auxiliary/web.rb,
lib/msf/core/auxiliary/web/path.rb,
lib/msf/core/auxiliary/web/form.rb,
lib/msf/core/auxiliary/web/fuzzable.rb,
lib/msf/core/auxiliary/web/analysis/taint.rb,
lib/msf/core/auxiliary/web/analysis/timing.rb,
lib/msf/core/auxiliary/web/analysis/differential.rb

Overview

Represents a webpage form.

Defined Under Namespace

Modules: Analysis Classes: Form, Fuzzable, HTTP, Path, Target




Methods included from Report

#db, #get_client, #get_host, #inside_workspace_boundary?, #mytask, #myworkspace, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Instance Attribute Details

#httpObject (readonly)

Returns the value of attribute http


# File 'lib/msf/core/auxiliary/web.rb', line 24

# The HTTP client handed in by #setup (opts[:http]); #resource_exist? issues
# its GET through it and asks it about custom 404 pages.
# @return [Object] the injected client, or nil before #setup has run
def http
  @http
end

#pageObject (readonly)

Returns the value of attribute page


# File 'lib/msf/core/auxiliary/web.rb', line 26

# The page under test, handed in by #setup (opts[:page]). Its #url is the base
# for #log_fingerprint locations and its #body is what
# #match_and_log_fingerprint scans.
# @return [Object] the injected page, or nil before #setup has run
def page
  @page
end

#parentObject (readonly)

Returns the value of attribute parent


# File 'lib/msf/core/auxiliary/web.rb', line 25

# The parent object handed in by #setup (opts[:parent]). Shared bookkeeping
# lives there: #checklist (see #checked / #checked?), #vulns (the per-run
# dedup store used by the log_* methods) and the request counter.
# @return [Object] the injected parent, or nil before #setup has run
def parent
  @parent
end

#targetObject (readonly)

Returns the value of attribute target


# File 'lib/msf/core/auxiliary/web.rb', line 23

# The target handed in by #setup (opts[:target]). The audit and logging
# methods read #auditable, #to_url and #site from it.
# @return [Object] the injected target, or nil before #setup has run
def target
  @target
end

Class Method Details

.configure_exploit(exploit, vuln) ⇒ Object

Must return a configuration Hash for the given exploit and vulnerability.


# File 'lib/msf/core/auxiliary/web.rb', line 58

# Hook for vulnerability-type modules: must return a configuration Hash for
# the given exploit and vulnerability. This default implementation returns
# nil, so a module that advertises exploits through .exploits is expected to
# override it.
# @param exploit [Object] the exploit to configure
# @param vuln [Object] the logged vulnerability record
# @return [Hash, nil] nil here; overriders return the exploit configuration
def self.configure_exploit( exploit, vuln )
end

.exploitsObject

Should be overridden to return the exploits to use for this vulnerability type as an Array of Strings.


# File 'lib/msf/core/auxiliary/web.rb', line 54

# Hook for vulnerability-type modules: return the exploits to use for this
# vulnerability type as an Array of Strings. This default returns nil.
# @return [Array<String>, nil]
def self.exploits
end

Instance Method Details

#auditableObject

Returns an Array of elements prepared to be audited.


# File 'lib/msf/core/auxiliary/web.rb', line 88

# Returns the target's auditable elements, each pointed back at this module
# via +fuzzer=+ so the element can drive its checks through it.
# @return [Array] a new Array holding the same elements, fuzzer set to self
def auditable
  target.auditable.map do |element|
    element.tap { |el| el.fuzzer = self }
  end
end

#calculate_confidence(vuln) ⇒ Object

Should be overridden and return an Integer (0-100) denoting the confidence in the accuracy of the logged vuln.


# File 'lib/msf/core/auxiliary/web.rb', line 155

# Confidence (0-100) in the accuracy of a logged vulnerability. This default
# always answers 100 regardless of the evidence; override it to weigh the
# record actually built by #log_fingerprint, #log_resource or
# #process_vulnerability, which is what gets passed in.
# @param vuln [Hash] the vulnerability record being logged
# @return [Integer] 100
def calculate_confidence( vuln )
  100
end

#checked(id) ⇒ Object

Pushes the String id onto the #checklist (marks it as checked).


# File 'lib/msf/core/auxiliary/web.rb', line 33

# Marks the String id as checked by pushing its key onto the parent's
# #checklist. The key is the #hash of shortname + id (shortname comes from the
# including module and is not visible here); String#hash is seeded per Ruby
# process, so the checklist is only meaningful within the current run.
# @param id [String] identifier of the check that was performed
# @return [Object] the parent's checklist
def checked( id )
  key = "#{shortname}#{id}".hash
  parent.checklist << key
end

#checked?(id) ⇒ Boolean

Checks whether the String id is already in the #checklist.

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 38

# Whether #checked has already been called for this id in the current run.
# Uses the same shortname + id hash key as #checked, so both must see the
# same shortname.
# @param id [String] identifier of the check
# @return [Boolean]
def checked?( id )
  key = "#{shortname}#{id}".hash
  parent.checklist.include?( key )
end

#directory_exist?(path) ⇒ Boolean

Checks whether a directory exists based on a path String.

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 103

# Checks whether a directory exists: ensures the path ends in '/' and then
# applies the same 200-and-not-custom-404 test as #resource_exist?.
# @param path [String] directory path; a copy is modified, the argument is not
# @return [Boolean]
def directory_exist?( path )
  dir = path.dup
  dir.concat( '/' ) unless dir.end_with?( '/' )
  resource_exist?( dir )
end

#find_proof(response, element) ⇒ Object

Serves as a default detection method for when performing taint analysis.

Uses the Regexp in #signature against the response body in order to identify vulnerabilities and return a String that proves it.

Override it if you need more complex processing, but remember to return the proof as a String.

response - Auxiliary::Web::HTTP::Response
element - the submitted element


# File 'lib/msf/core/auxiliary/web.rb', line 140

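# Default detection used during taint analysis: applies #signature to the
# response body and returns the matched text as the proof String.
#
# Override it for more complex processing, but keep returning a String.
#
# @param response [Object] must respond to #body (Auxiliary::Web::HTTP::Response);
#   a nil body is treated like an empty body instead of raising
# @param element [Object] the submitted element; unused by this default but
#   part of the override contract
# @return [String, nil] the match with CR/LF collapsed to spaces, or nil when
#   there is no signature or no match. Only line breaks are stripped: any other
#   control characters in the response-derived text reach the caller as-is.
def find_proof( response, element )
  pattern = signature
  return unless pattern

  # `to_s` on the body mirrors #match_and_log_fingerprint and avoids a
  # NoMethodError on a bodiless response; `to_s` on the MatchData turns a
  # miss (nil) into "".
  proof = response.body.to_s.match( pattern ).to_s
  return if proof.empty?

  proof.gsub( /[\r\n]/, ' ' )
end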

#increment_request_counterObject


# File 'lib/msf/core/auxiliary/web.rb', line 149

# Forwards to the parent's request counter, so request bookkeeping is kept on
# the parent object set by #setup rather than in this module.
# @return [Object] whatever parent#increment_request_counter returns
def increment_request_counter
  parent.increment_request_counter
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 28

# Bare +super+ forwards +info+ unchanged to the next initializer in the
# ancestor chain. Nothing is set up here: the collaborators this module uses
# (parent, target, page, http) arrive later through #setup.
# @param info [Hash] module info passed through untouched
def initialize( info = {} )
  super
end

#log_directory_if_exists(path) ⇒ Object

Logs the existence of the directory in the path String.


# File 'lib/msf/core/auxiliary/web.rb', line 116

# Logs the directory at +path+ as found when it exists. The path gets a
# trailing '/' (on a copy) and is then handed to #log_resource_if_exists,
# which performs the existence check and the logging.
# @param path [String] directory path; the argument itself is not modified
# @return [Object, nil] #log_resource_if_exists' result
def log_directory_if_exists( path )
  dir = path.dup
  dir.concat( '/' ) unless dir.end_with?( '/' )
  log_resource_if_exists( dir )
end

#log_fingerprint(opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 159

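# Logs a fingerprint hit (text found in the page) as a web vulnerability, once
# per (target URL, fingerprint, module name, location) for the current run.
#
# +opts+ is only read; the :print_fingerprint default is not written back into
# the caller's Hash, so a shared or frozen Hash can be passed safely.
#
# @param opts [Hash]
#   :fingerprint       - the matched text; stored as the proof and printed.
#                        When this comes from #match_and_log_fingerprint it is
#                        response content and is echoed to the console as-is.
#   :location          - optional path/URL merged onto page.url; nil means the
#                        page itself
#   :print_fingerprint - whether to print the PROOF line (default true)
# @return [Object, nil] nil on a duplicate, otherwise the result of the last
#   print_good call
def log_fingerprint( opts = {} )
  mode  = name
  # Per-run dedup key; String#hash is process-seeded, so it is not persistent.
  vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]].map( &:to_s ).join( '|' ).hash

  seen = (parent.vulns[mode] ||= {})
  return if seen.include?( vhash )

  location = opts[:location] ? page.url.merge( URI( opts[:location].to_s ) ) : page.url

  info = {
    :web_site    => target.site,
    :path        => location.path,
    :query       => location.query,
    :method      => 'GET',
    :params      => [],
    :pname       => 'path',
    :proof       => opts[:fingerprint],
    :risk        => details[:risk],
    :name        => details[:name],
    :blame       => details[:blame],
    :category    => details[:category],
    :description => details[:description],
    :owner       => self
  }

  # Scored after the record is complete so an override can inspect every field.
  info[:confidence] = calculate_confidence( info )
  seen[vhash] = info

  report_web_vuln( info )

  # Read with a default instead of mutating opts.
  print_proof = opts.fetch( :print_fingerprint, true )

  print_good "\tFOUND(#{mode}) URL(#{location})"
  print_good "\t\t PROOF(#{opts[:fingerprint]})" if print_proof
end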

#log_resource(opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 197

# Logs that the resource at opts[:location] exists on the target, as a web
# vulnerability, once per (target URL, module name, location) for the current
# run. Unlike #log_fingerprint the location is parsed on its own with URI()
# rather than merged onto page.url, and the location itself is the proof.
#
# @param opts [Hash] :location - path (or URL) of the resource that was found
# @return [Object, nil] nil on a duplicate, otherwise print_good's result
def log_resource( opts = {} )
  mode  = name
  # Per-run dedup key; String#hash is process-seeded, so it is not persistent.
  vhash = [target.to_url, mode, opts[:location]].map( &:to_s ).join( '|' ).hash

  seen = (parent.vulns[mode] ||= {})
  return if seen.include?( vhash )

  location = URI( opts[:location].to_s )
  info = {
    :web_site    => target.site,
    :path        => location.path,
    :query       => location.query,
    :method      => 'GET',
    :params      => [],
    :pname       => 'path',
    :proof       => opts[:location],
    :risk        => details[:risk],
    :name        => details[:name],
    :blame       => details[:blame],
    :category    => details[:category],
    :description => details[:description],
    :owner       => self
  }

  info[:confidence] = calculate_confidence( info )
  seen[vhash] = info

  report_web_vuln( info )

  print_good "\tVULNERABLE(#{mode}) URL(#{target.to_url})"
  print_good "\t\t PROOF(#{opts[:location]})"
end

#log_resource_if_exists(path) ⇒ Object Also known as: log_file_if_exists

Logs the existence of a resource in the path String.


# File 'lib/msf/core/auxiliary/web.rb', line 110

# Logs the resource at +path+ via #log_resource when #resource_exist? says it
# is there; otherwise does nothing.
# @param path [String] resource path to probe
# @return [Object, nil] #log_resource's result, or nil when the resource is absent
def log_resource_if_exists( path )
  return unless resource_exist?( path )
  log_resource( :location => path )
end

#match_and_log_fingerprint(fingerprint, options = {}) ⇒ Object

Matches fingerprint pattern against the current page's body and logs matches


# File 'lib/msf/core/auxiliary/web.rb', line 123

# Matches +fingerprint+ (a Regexp, or anything String#match accepts) against
# the current page body and, on a hit, logs the matched text through
# #log_fingerprint as :fingerprint merged into +options+. The matched text is
# response content and becomes the printed PROOF, unfiltered.
# @param fingerprint [Regexp, String] pattern to look for
# @param options [Hash] extra #log_fingerprint options (:location, :print_fingerprint)
# @return [Object, nil] #log_fingerprint's result, or nil when nothing matched
def match_and_log_fingerprint( fingerprint, options = {} )
  matched = page.body.to_s.match( fingerprint ).to_s
  log_fingerprint( options.merge( :fingerprint => matched ) ) unless matched.empty?
end

#payloadsObject

Should be overridden to return the payloads used for this vulnerability type as an Array of Strings.


# File 'lib/msf/core/auxiliary/web.rb', line 63

# Hook: return the payloads used for this vulnerability type as an Array of
# Strings. #process_vulnerability uses them, when no explicit :payload is
# given, to pick the longest one contained in the element's altered value;
# this default nil skips that lookup.
# @return [Array<String>, nil]
def payloads
end

#process_vulnerability(element, proof, opts = {}) ⇒ Object


# File 'lib/msf/core/auxiliary/web.rb', line 231

# Records a confirmed vulnerability for +element+ and reports it, once per
# (target URL, module name, altered parameter) for the current run.
#
# First sighting: the record is stored in parent.vulns[name], scored with
# #calculate_confidence, passed to #report_web_vuln and printed. Repeat
# sighting: the stored record is returned and nothing else happens, so the
# return value differs between the first call (print_good's result) and
# later ones (the record Hash).
#
# @param element [Object] the submitted element; must respond to #altered,
#   #method, #params, #model (with #web_site), #altered_value and #action
# @param proof [#to_s] evidence to log; it is response-derived and is printed
#   without further filtering
# @param opts [Hash] :payload - payload to record; when absent, the longest
#   entry of #payloads contained in element.altered_value is used
# @return [Hash, Object] the stored record on a repeat, else print_good's result
def process_vulnerability( element, proof, opts = {} )
  mode  = name
  # Per-run dedup key; String#hash is process-seeded, so it is not persistent.
  vhash = [target.to_url, mode, element.altered].map( &:to_s ).join( '|' ).hash

  seen = (parent.vulns[mode] ||= {})
  return seen[vhash] if seen[vhash]

  verb       = element.method.to_s.upcase
  proof_text = proof.to_s

  record = {
    :target      => target,
    :method      => verb,
    :params      => element.params.to_a,
    :mode        => mode,
    :pname       => element.altered,
    :proof       => proof_text,
    :form        => element.model,
    :risk        => details[:risk],
    :name        => details[:name],
    :blame       => details[:blame],
    :category    => details[:category],
    :description => details[:description]
  }
  # Stored before scoring, so an overridden #calculate_confidence already sees
  # the record in parent.vulns.
  seen[vhash] = record

  confidence = calculate_confidence( record )
  record[:confidence] = confidence

  payload = opts[:payload]
  unless payload
    candidates = payloads
    if candidates
      payload = candidates.select { |p| element.altered_value.include?( p ) }
                          .sort_by( &:size )
                          .last
    end
  end

  uri  = URI( element.action )
  info = {
    :web_site    => element.model.web_site,
    :path        => uri.path,
    :query       => uri.query,
    :method      => verb,
    :params      => element.params.to_a,
    :pname       => element.altered,
    :proof       => proof_text,
    :risk        => details[:risk],
    :name        => details[:name],
    :blame       => details[:blame],
    :category    => details[:category],
    :description => details[:description],
    :confidence  => confidence,
    :payload     => payload,
    :owner       => self
  }

  report_web_vuln( info )

  print_good "\tVULNERABLE(#{mode}) URL(#{target.to_url})" \
             " PARAMETER(#{element.altered}) VALUES(#{element.params})"
  print_good "\t\t PROOF(#{proof})"
end

#resource_exist?(path) ⇒ Boolean Also known as: file_exist?

Checks whether a resource exists based on a path String.

Returns:

  • (Boolean)

# File 'lib/msf/core/auxiliary/web.rb', line 96

# Checks whether a resource exists: GETs +path+ through #http and treats it
# as present only when the status is 200 and the client does not recognise
# the body as a custom 404 page. Any other status (including redirects) is
# reported as absent.
# @param path [String] resource path to request
# @return [Boolean]
def resource_exist?( path )
  response = http.get( path )
  return false unless response.code.to_i == 200
  !http.custom_404?( path, response.body )
end

#runObject

Default #run: audits all elements using taint analysis and logs results based on the #find_proof return values.


# File 'lib/msf/core/auxiliary/web.rb', line 83

# Default run: runs taint analysis on every element from #auditable.
# (#taint_analysis is an element method from the Analysis namespace, not
# visible here; it is what ends up calling #find_proof.)
# @return [Array] the Array returned by #auditable
def run
  auditable.each( &:taint_analysis )
end

#setup(opts = {}) ⇒ Object

Called directly before #run.


# File 'lib/msf/core/auxiliary/web.rb', line 45

# Called directly before #run: captures the collaborators the other methods
# rely on. Missing keys simply leave the corresponding attribute nil.
# @param opts [Hash] :parent, :target, :page and :http (see the readers above)
# @return [Object] opts[:http], the value of the last assignment
def setup( opts = {} )
  @parent, @target, @page = opts.values_at( :parent, :target, :page )
  @http = opts[:http]
end

#signatureObject

Should be overridden to return a pattern to be matched against response bodies in order to identify a vulnerability.

You can go one deeper and override #find_proof for more complex processing.


# File 'lib/msf/core/auxiliary/web.rb', line 76

# Hook: return a pattern (a Regexp, or anything String#match accepts) that
# #find_proof matches against response bodies to identify the vulnerability.
# This default returns nil, which makes #find_proof report no proof at all.
# Override #find_proof instead when a single match is not enough.
# @return [Regexp, String, nil]
def signature
end

#tokenObject


# File 'lib/msf/core/auxiliary/web.rb', line 66

# Fixed marker string exposed to the analysis code; presumably the probe value
# whose reflection in a response is looked for (its use is not visible in
# this file). Override to change it.
# @return [String] 'xssmsfpro'
def token
  'xssmsfpro'
end