Module: Msf::Exploit::Remote::HTTP::Pihole

Includes:
Msf::Exploit::Remote::HttpClient
Defined in:
lib/msf/core/exploit/remote/http/pihole.rb

Overview

This module provides a way of interacting with Pi-hole installations.

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#get_token(tab) ⇒ String?

Attempts to retrieve a CSRF token from the tab.

Parameters:

  • tab (String)

    Which tab to load on the admin/settings page

Returns:

  • (String, nil)

    String of the token, nil otherwise


# File 'lib/msf/core/exploit/remote/http/pihole.rb', line 87

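# Requests the admin settings page for the given tab and extracts the
# anti-CSRF token embedded in the returned HTML.
#
# @param tab [String] which tab to load on the admin/settings page
# @return [String, nil] the token, or nil when there is no HTTP 200 response
#   or the body contains no token
def get_token(tab)
  res = send_request_cgi(
    'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
    'vars_get' => {
      'tab' => tab
    },
    'keep_cookies' => 'true'
  )
  # Both conditions must hold. The previous `unless res or res.code == 200`
  # called #code on a nil response and let any status code through.
  return nil unless res && res.code == 200

  body = res.body.to_s
  # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">
  # may also include /
  # from version 3.3 <div id="token" hidden>f5al5pNfFj9YOCSdX159tXjttdHUOAuxOJDgwcgnUHs=</div>
  found = body.match(%r{name="token" value="(?<token>[\w+=/]+)">}) ||
          body.match(%r{div id="token" hidden>(?<token>[\w+=/]+)</div>})

  # The token is tied to the current session (cookies are kept on the
  # request above); it is handed back to the caller and not printed here.
  found && found[:token]
end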

#get_versions ⇒ (String, String, String)?

Extracts the Pihole version information from the admin page

Returns:

  • ((String, String, String), nil)

    Pihole versions (version, web_version, ftl_version), where each entry is nil if it is not found on the page; nil if the admin page does not answer with HTTP 200


# File 'lib/msf/core/exploit/remote/http/pihole.rb', line 24

# Reads the admin index page and pulls the three version strings out of it.
#
# @return [Array(String, String, String), nil] [version, web_version,
#   ftl_version]; an entry is nil when its pattern does not match. Returns
#   nil when there is no response or the status is not 200.
def get_versions
  response = send_request_cgi(
    'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
    'method' => 'GET',
    'keep_cookies' => 'true'
  )
  return if response.nil? || response.code != 200

  html = response.body

  # Verified against:
  # (current) 5.7, 5.12.1, 5.9
  # 5.2.2, 5.2.2, 5.3.3
  # 4.4, 4.3.3, 4.3.1
  # 4.3.2, 4.3, 4.3.1

  # Release builds first; fall back to the "vDev (branch, vX.Y.Z-...)" form.
  core = %r{<(?:strong|b)>Pi-hole(?: Version)?\s*</(?:strong|b)>\s*(?:<a .*?>)?v(?<version>[\d.]{1,8})\s*<}m.match(html) ||
         %r{<(?:strong|b)>Pi-hole(?: Version)?\s*</(?:strong|b)>\s*(?:<a .*?>)?vDev \(\w+, v(?<version>[\d.]{1,8})[\w-]+\)<}m.match(html)
  web = %r{<(?:strong|b)>Web Interface(?: Version)?\s*</(?:strong|b)>\s*(?:<a .*?>)?v(?<web_version>[\d.]{1,8})\s*<}m.match(html)
  ftl = %r{<(?:strong|b)>FTL(?: Version)?\s*</(?:strong|b)>\s*(?:<a .*?>)?v(?<ftl_version>[\d.]{1,8})\s*<}m.match(html)

  # A failed match leaves its slot nil rather than dropping it from the result.
  [core && core[:version], web && web[:web_version], ftl && ftl[:ftl_version]]
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/remote/http/pihole.rb', line 11

# Runs the inherited initializer, then registers the options this mixin adds.
#
# @param info [Hash] forwarded unchanged to the parent initializer
def initialize(info = {})
  super

  # PASSWORD is optional (required flag is false) and defaults to an empty string.
  password_option = OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', ''])
  register_options([password_option], Msf::Exploit::Remote::HTTP::Pihole)
end

#login(password) ⇒ String?

Performs a login to pihole

Parameters:

  • password (String)

    Password

Returns:

  • (String, nil)

    cookie if login was successful, nil otherwise


# File 'lib/msf/core/exploit/remote/http/pihole.rb', line 51

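# Submits the password to the Pi-hole admin index page and reports whether
# a session was established.
#
# @param password [String] password for the Pi-hole web interface
# @return [String, nil] the value of res.get_cookies if the login succeeded,
#   nil otherwise
def login(password)
  vprint_status('Attempting login.')
  res = send_request_cgi(
    'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
    'vars_get' => {
      'login' => ''
    },
    'vars_post' => {
      'pw' => password
    },
    'method' => 'POST',
    'keep_cookies' => 'true'
  )
  # A 200 page that still shows the sign-in prompt means the password was
  # rejected. String#include? is core Ruby, so this check does not depend on
  # ActiveSupport's String#exclude? being loaded.
  if res && res.code == 200 && !res.body.include?('Sign in to start your session')
    # These cookies represent the authenticated session; callers should
    # handle them like a credential.
    return res.get_cookies
  end

  # Reached for a rejected password, but also for a missing response or a
  # non-200 status, so the message alone does not prove the password is wrong.
  vprint_error('Incorrect Password')
  nil
end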

#update_gravity ⇒ HTTPResponse?

Performs a gravity update

Returns:

  • (HTTPResponse, nil)

    HTTPResponse


# File 'lib/msf/core/exploit/remote/http/pihole.rb', line 75

# Requests the admin interface's gravity.sh.php script to trigger a gravity
# update.
#
# @return [HTTPResponse, nil] whatever send_request_cgi returns for the request
def update_gravity
  vprint_status('Forcing gravity pull')

  gravity_uri = normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php')
  # No 'method' key is passed, so the HTTP client's default applies.
  # NOTE(review): presumably GET; confirm against send_request_cgi.
  send_request_cgi('uri' => gravity_uri, 'keep_cookies' => 'true')
end