Module: Msf::Exploit::Remote::HttpClient
- Includes:
- Auxiliary::LoginScanner, Auxiliary::Report
- Included in:
- Metasploit::Framework::Aws::Client, Auxiliary::CNPILOT, Auxiliary::EPMP, Cacti, Git::SmartHttp, Msf::Exploit::Remote::HTTP::AcronisCyber, Msf::Exploit::Remote::HTTP::Drupal, Msf::Exploit::Remote::HTTP::Exchange, Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell, Msf::Exploit::Remote::HTTP::Gitea, Msf::Exploit::Remote::HTTP::Gitlab, Msf::Exploit::Remote::HTTP::JBoss, Msf::Exploit::Remote::HTTP::Joomla, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::Login, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::TargetInfo, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::URIs, Msf::Exploit::Remote::HTTP::Moodle, Msf::Exploit::Remote::HTTP::NagiosXi, Msf::Exploit::Remote::HTTP::Nifi, Msf::Exploit::Remote::HTTP::Nifi::Auth, Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool, Msf::Exploit::Remote::HTTP::Nifi::Processor, Msf::Exploit::Remote::HTTP::Pihole, Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth, Msf::Exploit::Remote::HTTP::Sharepoint, Msf::Exploit::Remote::HTTP::Spip, Msf::Exploit::Remote::HTTP::Splunk, Msf::Exploit::Remote::HTTP::Typo3, Msf::Exploit::Remote::HTTP::Webmin, Msf::Exploit::Remote::HTTP::Wordpress, MSSQL_SQLI, VIMSoap, Web, WinRM
- Defined in:
- lib/msf/core/exploit/remote/http_client.rb
Overview
This module provides methods for acting as an HTTP client when exploiting an HTTP server.
Instance Attribute Summary collapse
-
#client ⇒ Object
protected
Returns the value of attribute client.
-
#cookie_jar ⇒ Object
readonly
Returns the value of attribute cookie_jar.
Instance Method Summary collapse
-
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client.
-
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
-
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class.
-
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
-
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
- #deregister_http_client_options ⇒ Object
-
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client.
-
#download(url) ⇒ Object
Downloads a URL.
-
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host.
-
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
-
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request.
-
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
-
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port.
-
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that: 1.
-
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error.
-
#peer ⇒ Object
Returns the Host and Port as a string.
-
#proxies ⇒ Object
Returns the configured proxy list.
-
#reconfig_redirect_opts!(res, opts) ⇒ void
Modifies the HTTP request options for a redirection.
-
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string.
-
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call.
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
-
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
-
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
- #service_details ⇒ Object
-
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_version ⇒ Object
Returns the string indicating SSL version.
-
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string.
-
#target_uri ⇒ Object
Returns the target URI.
-
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against.
-
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
Methods included from Auxiliary::LoginScanner
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Instance Attribute Details
#client ⇒ Object (protected)
Returns the value of attribute client.
930 931 932 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 930 def client @client end |
#cookie_jar ⇒ Object
Returns the value of attribute cookie_jar.
927 928 929 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 927 def @cookie_jar end |
Instance Method Details
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client
508 509 510 511 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 508 def basic_auth(username, password) auth_str = Rex::Text.encode_base64("#{username}:#{password}") "Basic #{auth_str}" end |
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
351 352 353 354 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 351 def cleanup super disconnect end |
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class. Any parameters passed into this method will override the defaults.
273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 273 def configure_http_login_scanner(conf) configure_login_scanner( { vhost: vhost, user_agent: datastore['UserAgent'], evade_uri_encode_mode: datastore['HTTP::uri_encode_mode'], evade_uri_full_url: datastore['HTTP::uri_full_url'], evade_pad_method_uri_count: datastore['HTTP::pad_method_uri_count'], evade_pad_uri_version_count: datastore['HTTP::pad_uri_version_count'], evade_pad_method_uri_type: datastore['HTTP::pad_method_uri_type'], evade_pad_uri_version_type: datastore['HTTP::pad_uri_version_type'], evade_method_random_valid: datastore['HTTP::method_random_valid'], evade_method_random_invalid: datastore['HTTP::method_random_invalid'], evade_method_random_case: datastore['HTTP::method_random_case'], evade_version_random_valid: datastore['HTTP::version_random_valid'], evade_version_random_invalid: datastore['HTTP::version_random_invalid'], evade_uri_dir_self_reference: datastore['HTTP::uri_dir_self_reference'], evade_uri_dir_fake_relative: datastore['HTTP::uri_dir_fake_relative'], evade_uri_use_backslashes: datastore['HTTP::uri_use_backslashes'], evade_pad_fake_headers: datastore['HTTP::pad_fake_headers'], evade_pad_fake_headers_count: datastore['HTTP::pad_fake_headers_count'], evade_pad_get_params: datastore['HTTP::pad_get_params'], evade_pad_get_params_count: datastore['HTTP::pad_get_params_count'], evade_pad_post_params: datastore['HTTP::pad_post_params'], evade_pad_post_params_count: datastore['HTTP::pad_post_params_count'], evade_shuffle_get_params: datastore['HTTP::shuffle_get_params'], evade_shuffle_post_params: datastore['HTTP::shuffle_post_params'], evade_uri_fake_end: datastore['HTTP::uri_fake_end'], evade_uri_fake_params_start: datastore['HTTP::uri_fake_params_start'], evade_header_folding: datastore['HTTP::header_folding'], ntlm_domain: datastore['DOMAIN'], digest_auth_iis: datastore['DigestAuthIIS'], }.merge(conf) ) end |
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 144 def connect(opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl end client_username = opts['username'] || datastore['HttpUsername'] || '' client_password = opts['password'] || datastore['HttpPassword'] || '' http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self) nclient = Rex::Proto::Http::Client.new( opts['rhost'] || rhost, (opts['rport'] || rport).to_i, { 'Msf' => framework, 'MsfExploit' => self, }, dossl, ssl_version, proxies, client_username, client_password, comm: opts['comm'], subscriber: http_logger_subscriber ) # Configure the HTTP client with the supplied parameter vhost = opts['vhost'] || opts['rhost'] || self.vhost nclient.set_config( 'vhost' => vhost, 'ssl_server_name_indication' => datastore['SSLServerNameIndication'] || vhost, 'agent' => datastore['UserAgent'], 'partial' => opts['partial'], 'uri_encode_mode' => datastore['HTTP::uri_encode_mode'], 'uri_full_url' => datastore['HTTP::uri_full_url'], 'pad_method_uri_count' => datastore['HTTP::pad_method_uri_count'], 'pad_uri_version_count' => datastore['HTTP::pad_uri_version_count'], 'pad_method_uri_type' => datastore['HTTP::pad_method_uri_type'], 'pad_uri_version_type' => datastore['HTTP::pad_uri_version_type'], 'method_random_valid' => datastore['HTTP::method_random_valid'], 'method_random_invalid' => datastore['HTTP::method_random_invalid'], 'method_random_case' => datastore['HTTP::method_random_case'], 'version_random_valid' => datastore['HTTP::version_random_valid'], 'version_random_invalid' => datastore['HTTP::version_random_invalid'], 'uri_dir_self_reference' => datastore['HTTP::uri_dir_self_reference'], 'uri_dir_fake_relative' => datastore['HTTP::uri_dir_fake_relative'], 'uri_use_backslashes' => datastore['HTTP::uri_use_backslashes'], 'pad_fake_headers' => datastore['HTTP::pad_fake_headers'], 'pad_fake_headers_count' => datastore['HTTP::pad_fake_headers_count'], 'pad_get_params' => datastore['HTTP::pad_get_params'], 'pad_get_params_count' => datastore['HTTP::pad_get_params_count'], 'pad_post_params' => datastore['HTTP::pad_post_params'], 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'shuffle_get_params' => datastore['HTTP::shuffle_get_params'], 'shuffle_post_params' => datastore['HTTP::shuffle_post_params'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], 'header_folding' => datastore['HTTP::header_folding'], 'domain' => datastore['DOMAIN'], 'DigestAuthIIS' => datastore['DigestAuthIIS'] ) # NOTE: Please use opts['headers'] to programmatically set headers if datastore['HttpRawHeaders'] && File.readable?(datastore['HttpRawHeaders']) # Templatize with ERB headers = ERB.new(File.read(datastore['HttpRawHeaders'])).result(binding) # Append templatized headers to existing headers nclient.set_config('raw_headers' => headers) end # If this connection is global, persist it # Required for findsock on these sockets if (opts['global']) if (self.client) disconnect end end self.client = nclient return nclient end |
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 237 def connect_ws(opts={}, timeout = 20) ws_key = Rex::Text.rand_text_alphanumeric(20) opts['headers'] = opts.fetch('headers', {}).merge({ 'Connection' => 'Upgrade', 'Upgrade' => 'WebSocket', 'Sec-WebSocket-Version' => 13, 'Sec-WebSocket-Key' => ws_key }) if (http_client = opts['client']).nil? opts['client'] = http_client = connect(opts) raise Rex::Proto::Http::WebSocket::ConnectionError.new if http_client.nil? end res = send_request_raw(opts, timeout, false) unless res&.code == 101 disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(http_response: res) end # see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept accept_ws_key = Rex::Text.encode_base64(OpenSSL::Digest::SHA1.digest(ws_key + '258EAFA5-E914-47DA-95CA-C5AB0DC85B11')) unless res.headers['Sec-WebSocket-Accept'] == accept_ws_key disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(msg: 'Invalid Sec-WebSocket-Accept header', http_response: res) end socket = http_client.conn socket.extend(Rex::Proto::Http::WebSocket::Interface) end |
#deregister_http_client_options ⇒ Object
97 98 99 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 97 def ('RHOST', 'RPORT', 'VHOST', 'SSL', 'SSLServerNameIndication', 'Proxies') end |
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client
333 334 335 336 337 338 339 340 341 342 343 344 345 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 333 def disconnect(nclient = self.client) if (nclient) nclient.close end if (nclient == self.client) if self.client.respond_to?(:close) self.client.close end self.client = nil end end |
#download(url) ⇒ Object
Downloads a URL
626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 626 def download(url) print_status "Downloading '#{url}'" begin target = URI.parse url raise 'Invalid URL' unless target.scheme =~ /https?/ raise 'Invalid URL' if target.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end res = request_url(url) unless res print_error 'Connection failed' return nil end print_status "- HTTP #{res.code} - #{res.body.length} bytes" res.code == 200 ? res.body : nil end |
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host
535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 535 def full_uri(custom_uri = nil, vhost_uri: false) uri_scheme = ssl ? 'https' : 'http' if (rport == 80 && !ssl) || (rport == 443 && ssl) uri_port = '' else uri_port = ":#{rport}" end uri = normalize_uri(custom_uri || target_uri.to_s) if vhost_uri && datastore['VHOST'] uri_host = datastore['VHOST'] elsif Rex::Socket.is_ipv6?(rhost) uri_host = "[#{rhost}]" else uri_host = rhost end "#{uri_scheme}://#{uri_host}#{uri_port}#{uri}" end |
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 313 def handler(nsock = nil) # If no socket was provided, try the global one. if ((!nsock) and (self.client)) nsock = self.client.conn end # If the parent claims the socket associated with the HTTP client, then # we rip the socket out from under the HTTP client. if (((rv = super(nsock)) == Handler::Claimed) and (self.client) and (nsock == self.client.conn)) self.client.conn = nil end rv end |
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request. If this method is passed a response, it will use it directly, otherwise it will check the database for a previous fingerprint. Failing that, it will make a request for /.
Other options are passed directly to #connect if :response is not given
763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 763 def http_fingerprint(opts={}) res = nil uri = opts[:uri] || '/' method = opts[:method] || 'GET' # Short-circuit the fingerprint lookup and HTTP request if a response has # already been provided by the caller. if opts[:response] res = opts[:response] else fprints = lookup_http_fingerprints(opts) if fprints.length > 0 # Grab the most recent fingerprint available for this service, uri, and method fprint = fprints.last # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility return fprint[:signature] end # Go ahead and send a request to the target for fingerprinting connect(opts) res = send_request_raw( { 'uri' => uri, 'method' => method }) rescue nil end # Bail if the request did not receive a readable response return if not res # This section handles a few simple cases of pattern matching and service # classification. This logic should be deprecated in favor of Recog-based # fingerprint databases, but has been left in place for backward compat. extras = [] if res.headers['Set-Cookie'] =~ /^vmware_soap_session/ extras << "VMWare Web Services" end if (res.headers['X-Powered-By']) extras << "Powered by " + res.headers['X-Powered-By'] end if (res.headers['Via']) extras << "Via-" + res.headers['Via'] end if (res.headers['X-AspNet-Version']) extras << "AspNet-Version-" + res.headers['X-AspNet-Version'] end case res.body when nil # Nothing when /openAboutWindow.*\>DD\-WRT ([^\<]+)\<|Authorization.*please note that the default username is \"root\" in/ extras << "DD-WRT #{$1.to_s.strip}".strip when /ID_ESX_Welcome/, /ID_ESX_VIClientDesc/ extras << "VMware ESX Server" when /Test Page for.*Fedora/ extras << "Fedora Default Page" when /Placeholder page/ extras << "Debian Default Page" when /Welcome to Windows Small Business Server (\d+)/ extras << "Windows SBS #{$1}" when /Asterisk@Home/ extras << "Asterisk" when /swfs\/Shell\.html/ extras << "BPS-1000" end if datastore['RPORT'].to_i == 3790 if res.code == 302 and res.headers and res.headers['Location'] =~ /[\x5c\x2f](login|setup)$/n if res['Server'] =~ /^(thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+)$/n extras << "Metasploit" end end end # # This HTTP response code tracking is used by a few modules and the MSP logic # to identify and bruteforce certain types of servers. In the long run we # should deprecate this and use the http.fingerprint fields instead. # case res.code when 301,302 extras << "#{res.code}-#{res.headers['Location']}" when 401 extras << "#{res.code}-#{res.headers['WWW-Authenticate']}" when 403 extras << "#{res.code}-#{res.headers['WWW-Authenticate']||res.}" when 500 .. 599 extras << "#{res.code}-#{res.}" end # Build a human-readable string to store in service.info and http.fingerprint[:signature] info = res.headers['Server'].to_s.dup info << " ( #{extras.join(", ")} )" if extras.length > 0 # Create a new fingerprint structure to track this response fprint = { :uri => uri, :method => method, :server_port => rport, :code => res.code.to_s, :message => res..to_s, :signature => info } res.headers.each_pair do |k,v| hname = k.to_s.downcase.tr('-', '_').gsub(/[^a-z0-9_]+/, '') next unless hname.length > 0 # Set-Cookie > :header_set_cookie => JSESSIONID=AAASD23423452 # Server > :header_server => Apache/1.3.37 # WWW-Authenticate > :header_www_authenticate => basic realm='www' fprint["header_#{hname}".intern] = v end # Store the first 64k of the HTTP body as well fprint[:content] = res.body.to_s[0,65535] # Report a new http.fingerprint note report_note( :host => rhost, :port => rport, :proto => 'tcp', :ntype => 'http.fingerprint', :data => fprint, # Limit reporting to one stored note per host/service combination :update => :unique ) # Report here even if info is empty since the fact that we didn't # return early means we at least got a connection and the service is up report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup) # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility fprint[:signature] end |
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 23 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), Opt::Proxies ], self.class ) ( [ OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::UserAgent.session_agent ]), OptString.new('HttpUsername', [false, 'The HTTP username to specify for authentication', '']), OptString.new('HttpPassword', [false, 'The HTTP password to specify for authentication', '']), OptPath.new('HttpRawHeaders', [false, 'Path to ERB-templatized raw headers to append to existing headers']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), Opt::SSLVersion, OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]), OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']), OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']), OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]), OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]), OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu']), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), ], self.class ) ( [ OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]), OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]), OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]), OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]), OptEnum.new('HTTP::pad_method_uri_type', [false, 'What type of whitespace to use between the method and uri', 'space', ['space', 'tab', 'apache']]), OptEnum.new('HTTP::pad_uri_version_type', [false, 'What type of whitespace to use between the uri and version', 'space', ['space', 'tab', 'apache']]), OptBool.new('HTTP::method_random_valid', [false, 'Use a random, but valid, HTTP method for request', false]), OptBool.new('HTTP::method_random_invalid', [false, 'Use a random invalid, HTTP method for request', false]), OptBool.new('HTTP::method_random_case', [false, 'Use random casing for the HTTP method', false]), OptBool.new('HTTP::version_random_valid', [false, 'Use a random, but valid, HTTP version for request', false]), OptBool.new('HTTP::version_random_invalid', [false, 'Use a random invalid, HTTP version for request', false]), OptBool.new('HTTP::uri_dir_self_reference', [false, 'Insert self-referential directories into the uri', false]), OptBool.new('HTTP::uri_dir_fake_relative', [false, 'Insert fake relative directories into the uri', false]), OptBool.new('HTTP::uri_use_backslashes', [false, 'Use back slashes instead of forward slashes in the uri ', false]), OptBool.new('HTTP::pad_fake_headers', [false, 'Insert random, fake headers into the HTTP request', false]), OptInt.new('HTTP::pad_fake_headers_count', [false, 'How many fake headers to insert into the HTTP request', 0]), OptBool.new('HTTP::pad_get_params', [false, 'Insert random, fake query string variables into the request', false]), OptInt.new('HTTP::pad_get_params_count', [false, 'How many fake query string variables to insert into the request', 16]), OptBool.new('HTTP::pad_post_params', [false, 'Insert random, fake post variables into the request', false]), OptInt.new('HTTP::pad_post_params_count', [false, 'How many fake post variables to insert into the request', 16]), OptBool.new('HTTP::shuffle_get_params', [false, 'Randomize order of GET parameters', false]), OptBool.new('HTTP::shuffle_post_params', [false, 'Randomize order of POST parameters', false]), OptBool.new('HTTP::uri_fake_end', [false, 'Add a fake end of URI (eg: /%20HTTP/1.0/../../)', false]), OptBool.new('HTTP::uri_fake_params_start', [false, 'Add a fake start of params to the URI (eg: /%3fa=b/../)', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]) # # Remaining evasions to implement # # OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]), # OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]), ], self.class ) register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ]) register_autofilter_services(%W{ http https }) # Initialize an empty cookie jar to keep cookies self. = Msf::Exploit::Remote::HTTP::HttpCookieJar.new end |
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port. This method falls back to using the old service.info field to represent the HTTP Server header.
715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 715 def lookup_http_fingerprints(opts={}) uri = opts[:uri] || '/' method = opts[:method] || 'GET' fprints = [] return fprints unless framework.db.active ::ApplicationRecord.connection_pool.with_connection { wspace = datastore['WORKSPACE'] ? framework.db.find_workspace(datastore['WORKSPACE']) : framework.db.workspace # only one result can be returned, as the +port+ field restricts potential results to a single service service = framework.db.services(:workspace => wspace, :hosts => {address: rhost}, :proto => 'tcp', :port => rport).first return fprints unless service # Order by note_id descending so the first value is the most recent service.notes.where(:ntype => 'http.fingerprint').order("notes.id DESC").each do |n| next unless n.data && n.data.kind_of?(::Hash) next unless n.data[:uri] == uri && n.data[:method] == method # Append additional fingerprints to the results as found fprints.unshift n.data.dup end } fprints end |
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that:
-
Always has a starting slash
-
Removes all the double slashes
562 563 564 565 566 567 568 569 570 571 572 573 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 562 def normalize_uri(*strs) new_str = strs * "/" new_str = new_str.gsub!("//", "/") while new_str.index("//") # Makes sure there's a starting slash unless new_str[0,1] == '/' new_str = '/' + new_str end new_str end |
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error
576 577 578 579 580 581 582 583 584 585 586 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 576 def path_from_uri(uri) begin temp = URI(uri) ret_uri = temp.path ret_uri << "?#{temp.query}" unless temp.query.nil? or temp.query.empty? return ret_uri rescue URI::Error print_error "Invalid URI: #{uri}" return nil end end |
#peer ⇒ Object
Returns the Host and Port as a string
674 675 676 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 674 def peer "#{rhost}:#{rport}" end |
#proxies ⇒ Object
Returns the configured proxy list
702 703 704 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 702 def proxies datastore['Proxies'] end |
#reconfig_redirect_opts!(res, opts) ⇒ void
This method returns an undefined value.
Modifies the HTTP request options for a redirection.
455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 455 def reconfig_redirect_opts!(res, opts) # XXX: https://github.com/rapid7/metasploit-framework/issues/12281 if opts['method'] == 'POST' opts['method'] = 'GET' opts['data'] = nil opts['vars_post'] = {} end location = res.redirection if location.relative? if location.path.start_with?('/') # path starting with /, not relative to the current path, but starts from the root opts['redirect_uri'] = location.path opts['uri'] = location.path else parent_path = File.dirname(opts['uri'].to_s) parent_path = '/' if parent_path == '.' new_redirect_uri = normalize_uri(parent_path, location.path.gsub(/^\./, '')) opts['redirect_uri'] = new_redirect_uri opts['uri'] = new_redirect_uri end opts['rhost'] = datastore['RHOST'] opts['vhost'] = opts['vhost'] || self.vhost() || opts['rhost'] opts['ssl_server_name_indication'] = datastore['SSLServerNameIndication'] || opts['vhost'] opts['rport'] = datastore['RPORT'] opts['SSL'] = ssl else disconnect opts['redirect_uri'] = location opts['uri'] = location.path opts['rhost'] = location.host opts['vhost'] = location.host opts['ssl_server_name_indication'] = opts['vhost'] opts['rport'] = location.port if location.scheme == 'https' opts['SSL'] = true else opts['SSL'] = false end end # Don't forget any GET parameters opts['query'] ||= location.query if location.query end |
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string
590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 590 def request_opts_from_url(url) # verify and extract components from the URL begin tgt = URI.parse(url) raise 'Invalid URL' unless tgt.scheme =~ %r{https?} raise 'Invalid URL' if tgt.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end opts = { 'rhost' => tgt.host, 'rport' => tgt.port, 'uri' => tgt.request_uri } opts['SSL'] = true if tgt.scheme == 'https' if tgt.query and tgt.query.size > 13 # Assming that this is going to be mostly used for GET requests as string -> req opts['vars_get'] = {} tgt.query.split('&').each do |pair| k,v = pair.split('=',2) opts['vars_get'][k] = v end end return opts end |
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call
616 617 618 619 620 621 622 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 616 def request_url(url, keepalive = false) opts = request_opts_from_url(url) return nil if opts.nil? res = send_request_raw(opts) disconnect unless keepalive return res end |
#rhost ⇒ Object
Returns the target host
660 661 662 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 660 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
667 668 669 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 667 def rport datastore['RPORT'] end |
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response
If a Msf::Exploit::Remote::HTTP::HttpCookieJar
instance is passed in the opts
dict under a ‘cookie’ key, said CookieJar will be used in the request instead of the module cookie_jar
. Any other object passed under the ‘cookie` key will be converted to a string using to_s
and set as the cookie header of the request.
Passes ‘opts` through directly to Rex::Proto::Http::Client#request_cgi. Set `opts` to keep cookies from responses for reuse in requests. Cookies returned by the server will be stored in cookie_jar
Set ‘opts` to false in order to disable automatic removal of expired cookies
408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 408 def send_request_cgi(opts = {}, timeout = 20, disconnect = true) if opts.has_key?('cookie') if opts['cookie'].is_a?(Msf::Exploit::Remote::HTTP::HttpCookieJar) opts.merge({ 'cookie' => opts['cookie']..join('; ') }) else opts.merge({ 'cookie' => opts['cookie'].to_s }) end elsif !.empty? .cleanup unless opts['expire_cookies'] == false opts = opts.merge({ 'cookie' => ..join('; ') }) end res = send_request_raw(opts.merge('cgi' => true), timeout, disconnect) return unless res if opts['keep_cookies'] && res.headers['Set-Cookie'].present? .parse_and_merge(res.headers['Set-Cookie'], "http#{ssl ? 's' : ''}://#{vhost}:#{rport}") end res end |
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
'opts` will be updated to the updated location and `opts` will contain the full URI.
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
438 439 440 441 442 443 444 445 446 447 448 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 438 def send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) res = send_request_cgi(opts, timeout) return unless res return res unless res.redirect? && res.redirection && redirect_depth > 0 redirect_depth -= 1 reconfig_redirect_opts!(res, opts) send_request_cgi!(opts, timeout, redirect_depth) end |
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
In certain cases such as when the response is a 401 and the client is configured for authentication, more than one request may be sent to the server. A degree of control over disconnecting the client’s underlying socket can be obtained by toggling the disconnect option.
Passes opts
through directly to Rex::Proto::Http::Client#request_raw.
368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 368 def send_request_raw(opts = {}, timeout = 20, disconnect = false) if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 actual_timeout = datastore['HttpClientTimeout'] else actual_timeout = opts[:timeout] || timeout end c = opts['client'] || connect(opts) r = opts['cgi'] ? c.request_cgi(opts) : c.request_raw(opts) res = c.send_recv(r, actual_timeout) disconnect(c) if disconnect res rescue ::Errno::EPIPE, ::Timeout::Error => e print_line(e.) if datastore['HttpTrace'] nil rescue Rex::ConnectionError => e vprint_error(e.to_s) nil rescue ::Exception => e print_line(e.) if datastore['HttpTrace'] raise e end |
#service_details ⇒ Object
917 918 919 920 921 922 923 924 925 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 917 def service_details { origin_type: :service, protocol: 'tcp', service_name: (ssl ? 'https' : 'http'), address: rhost, port: rport } end |
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it. We override setup() here to accomplish that.
105 106 107 108 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 105 def setup validate_fingerprint super end |
#ssl ⇒ Object
Returns the boolean indicating SSL
688 689 690 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 688 def ssl ((datastore.default?('SSL') and [443,3790].include?(rport.to_i)) or datastore['SSL']) end |
#ssl_version ⇒ Object
Returns the string indicating SSL version
695 696 697 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 695 def ssl_version datastore['SSLVersion'] end |
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string. The string is html-unescaped before the tags are removed Leading whitespaces and double linebreaks are removed too
653 654 655 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 653 def (html) Rex::Text.html_decode(html).gsub(/<\/?[^>]*>/, '').gsub(/^\s+/, '').strip end |
#target_uri ⇒ Object
Returns the target URI
522 523 524 525 526 527 528 529 530 531 532 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 522 def target_uri begin # In case TARGETURI is empty, at least we default to '/' u = datastore['TARGETURI'] u = "/" if u.nil? or u.empty? URI(u) rescue ::URI::InvalidURIError print_error "Invalid URI: #{datastore['TARGETURI'].inspect}" raise Msf::OptionValidateError.new(['TARGETURI']) end end |
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against. A failure to match any of them results in a RuntimeError exception being raised.
115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 115 def validate_fingerprint() # Don't bother checking if there's no database active. if (framework.db.active and datastore['FingerprintCheck'] and self.class.const_defined?('HttpFingerprint')) # Get the module-specific config opts = self.class.const_get('HttpFingerprint') # # XXX: Ideally we could have more structured matches, but doing that requires # a more structured response cache. # info = http_fingerprint(opts) if info and opts[:pattern] opts[:pattern].each do |re| if not re.match(info) err = "The target server fingerprint \"#{info}\" does not match \"#{re.to_s}\", use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::NotFound, err) end end elsif info.nil? err = "The target server did not respond to fingerprinting, use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::Unreachable, err) end end end |
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
681 682 683 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 681 def vhost datastore['VHOST'] || datastore['RHOST'] end |