Module: Msf::Exploit::Remote::HttpClient
- Includes:
- Auxiliary::Report
- Included in:
- Metasploit::Framework::Aws::Client, Auxiliary::CNPILOT, Auxiliary::EPMP, Git::SmartHttp, Msf::Exploit::Remote::HTTP::Drupal, Msf::Exploit::Remote::HTTP::Exchange, Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell, Msf::Exploit::Remote::HTTP::Gitea, Msf::Exploit::Remote::HTTP::Gitlab, Msf::Exploit::Remote::HTTP::JBoss, Msf::Exploit::Remote::HTTP::Joomla, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::Login, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::TargetInfo, Msf::Exploit::Remote::HTTP::ManageEngineAdauditPlus::URIs, Msf::Exploit::Remote::HTTP::Moodle, Msf::Exploit::Remote::HTTP::NagiosXi, Msf::Exploit::Remote::HTTP::Nifi, Msf::Exploit::Remote::HTTP::Nifi::Auth, Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool, Msf::Exploit::Remote::HTTP::Nifi::Processor, Msf::Exploit::Remote::HTTP::Pihole, Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth, Msf::Exploit::Remote::HTTP::Sharepoint, Msf::Exploit::Remote::HTTP::Typo3, Msf::Exploit::Remote::HTTP::Webmin, Msf::Exploit::Remote::HTTP::Wordpress, MSSQL_SQLI, VIMSoap, Web, WinRM
- Defined in:
- lib/msf/core/exploit/remote/http_client.rb
Overview
This module provides methods for acting as an HTTP client when exploiting an HTTP server.
Instance Attribute Summary collapse
-
#client ⇒ Object
protected
Returns the value of attribute client.
-
#cookie_jar ⇒ Object
readonly
Returns the value of attribute cookie_jar.
Instance Method Summary collapse
-
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client.
-
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
-
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class.
-
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
-
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
- #deregister_http_client_options ⇒ Object
-
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client.
-
#download(url) ⇒ Object
Downloads a URL.
-
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host.
-
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
-
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request.
-
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
-
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port.
-
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that: 1.
-
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error.
-
#peer ⇒ Object
Returns the Host and Port as a string.
-
#proxies ⇒ Object
Returns the configured proxy list.
-
#reconfig_redirect_opts!(res, opts) ⇒ void
Modifies the HTTP request options for a redirection.
-
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string.
-
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call.
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
-
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
-
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response.
- #service_details ⇒ Object
-
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_version ⇒ Object
Returns the string indicating SSL version.
-
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string.
-
#target_uri ⇒ Object
Returns the target URI.
-
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against.
-
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Instance Attribute Details
#client ⇒ Object (protected)
Returns the value of attribute client.
927 928 929 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 927 def client @client end |
#cookie_jar ⇒ Object
Returns the value of attribute cookie_jar.
924 925 926 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 924 def @cookie_jar end |
Instance Method Details
#basic_auth(username, password) ⇒ Object
Combine the user/pass into an auth string for the HTTP Client
505 506 507 508 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 505 def basic_auth(username, password) auth_str = Rex::Text.encode_base64("#{username}:#{password}") "Basic #{auth_str}" end |
#cleanup ⇒ Object
Performs cleanup as necessary, disconnecting the HTTP client if it’s still established.
355 356 357 358 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 355 def cleanup super disconnect end |
#configure_http_login_scanner(conf) ⇒ Object
Converts datastore options into configuration parameters for the Metasploit::LoginScanner::Http class. Any parameters passed into this method will override the defaults.
272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 272 def configure_http_login_scanner(conf) { host: rhost, port: rport, ssl: ssl, ssl_version: ssl_version, proxies: datastore['PROXIES'], framework: framework, framework_module: self, vhost: vhost, user_agent: datastore['UserAgent'], evade_uri_encode_mode: datastore['HTTP::uri_encode_mode'], evade_uri_full_url: datastore['HTTP::uri_full_url'], evade_pad_method_uri_count: datastore['HTTP::pad_method_uri_count'], evade_pad_uri_version_count: datastore['HTTP::pad_uri_version_count'], evade_pad_method_uri_type: datastore['HTTP::pad_method_uri_type'], evade_pad_uri_version_type: datastore['HTTP::pad_uri_version_type'], evade_method_random_valid: datastore['HTTP::method_random_valid'], evade_method_random_invalid: datastore['HTTP::method_random_invalid'], evade_method_random_case: datastore['HTTP::method_random_case'], evade_version_random_valid: datastore['HTTP::version_random_valid'], evade_version_random_invalid: datastore['HTTP::version_random_invalid'], evade_uri_dir_self_reference: datastore['HTTP::uri_dir_self_reference'], evade_uri_dir_fake_relative: datastore['HTTP::uri_dir_fake_relative'], evade_uri_use_backslashes: datastore['HTTP::uri_use_backslashes'], evade_pad_fake_headers: datastore['HTTP::pad_fake_headers'], evade_pad_fake_headers_count: datastore['HTTP::pad_fake_headers_count'], evade_pad_get_params: datastore['HTTP::pad_get_params'], evade_pad_get_params_count: datastore['HTTP::pad_get_params_count'], evade_pad_post_params: datastore['HTTP::pad_post_params'], evade_pad_post_params_count: datastore['HTTP::pad_post_params_count'], evade_shuffle_get_params: datastore['HTTP::shuffle_get_params'], evade_shuffle_post_params: datastore['HTTP::shuffle_post_params'], evade_uri_fake_end: datastore['HTTP::uri_fake_end'], evade_uri_fake_params_start: datastore['HTTP::uri_fake_params_start'], evade_header_folding: datastore['HTTP::header_folding'], ntlm_domain: datastore['DOMAIN'], digest_auth_iis: datastore['DigestAuthIIS'] }.merge(conf) end |
#connect(opts = {}) ⇒ Object
Connects to an HTTP server.
143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 143 def connect(opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl end client_username = opts['username'] || datastore['HttpUsername'] || '' client_password = opts['password'] || datastore['HttpPassword'] || '' http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self) nclient = Rex::Proto::Http::Client.new( opts['rhost'] || rhost, (opts['rport'] || rport).to_i, { 'Msf' => framework, 'MsfExploit' => self, }, dossl, ssl_version, proxies, client_username, client_password, comm: opts['comm'], subscriber: http_logger_subscriber ) # Configure the HTTP client with the supplied parameter vhost = opts['vhost'] || opts['rhost'] || self.vhost nclient.set_config( 'vhost' => vhost, 'ssl_server_name_indication' => datastore['SSLServerNameIndication'] || vhost, 'agent' => datastore['UserAgent'], 'partial' => opts['partial'], 'uri_encode_mode' => datastore['HTTP::uri_encode_mode'], 'uri_full_url' => datastore['HTTP::uri_full_url'], 'pad_method_uri_count' => datastore['HTTP::pad_method_uri_count'], 'pad_uri_version_count' => datastore['HTTP::pad_uri_version_count'], 'pad_method_uri_type' => datastore['HTTP::pad_method_uri_type'], 'pad_uri_version_type' => datastore['HTTP::pad_uri_version_type'], 'method_random_valid' => datastore['HTTP::method_random_valid'], 'method_random_invalid' => datastore['HTTP::method_random_invalid'], 'method_random_case' => datastore['HTTP::method_random_case'], 'version_random_valid' => datastore['HTTP::version_random_valid'], 'version_random_invalid' => datastore['HTTP::version_random_invalid'], 'uri_dir_self_reference' => datastore['HTTP::uri_dir_self_reference'], 'uri_dir_fake_relative' => datastore['HTTP::uri_dir_fake_relative'], 'uri_use_backslashes' => datastore['HTTP::uri_use_backslashes'], 'pad_fake_headers' => datastore['HTTP::pad_fake_headers'], 'pad_fake_headers_count' => datastore['HTTP::pad_fake_headers_count'], 'pad_get_params' => datastore['HTTP::pad_get_params'], 'pad_get_params_count' => datastore['HTTP::pad_get_params_count'], 'pad_post_params' => datastore['HTTP::pad_post_params'], 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'shuffle_get_params' => datastore['HTTP::shuffle_get_params'], 'shuffle_post_params' => datastore['HTTP::shuffle_post_params'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], 'header_folding' => datastore['HTTP::header_folding'], 'domain' => datastore['DOMAIN'], 'DigestAuthIIS' => datastore['DigestAuthIIS'] ) # NOTE: Please use opts['headers'] to programmatically set headers if datastore['HttpRawHeaders'] && File.readable?(datastore['HttpRawHeaders']) # Templatize with ERB headers = ERB.new(File.read(datastore['HttpRawHeaders'])).result(binding) # Append templatized headers to existing headers nclient.set_config('raw_headers' => headers) end # If this connection is global, persist it # Required for findsock on these sockets if (opts['global']) if (self.client) disconnect end end self.client = nclient return nclient end |
#connect_ws(opts = {}, timeout = 20) ⇒ Rex::Proto::Http::WebSocket::Interface
Establish a WebSocket connection to the remote server.
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 236 def connect_ws(opts={}, timeout = 20) ws_key = Rex::Text.rand_text_alphanumeric(20) opts['headers'] = opts.fetch('headers', {}).merge({ 'Connection' => 'Upgrade', 'Upgrade' => 'WebSocket', 'Sec-WebSocket-Version' => 13, 'Sec-WebSocket-Key' => ws_key }) if (http_client = opts['client']).nil? opts['client'] = http_client = connect(opts) raise Rex::Proto::Http::WebSocket::ConnectionError.new if http_client.nil? end res = send_request_raw(opts, timeout, false) unless res&.code == 101 disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(http_response: res) end # see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept accept_ws_key = Rex::Text.encode_base64(OpenSSL::Digest::SHA1.digest(ws_key + '258EAFA5-E914-47DA-95CA-C5AB0DC85B11')) unless res.headers['Sec-WebSocket-Accept'] == accept_ws_key disconnect raise Rex::Proto::Http::WebSocket::ConnectionError.new(msg: 'Invalid Sec-WebSocket-Accept header', http_response: res) end socket = http_client.conn socket.extend(Rex::Proto::Http::WebSocket::Interface) end |
#deregister_http_client_options ⇒ Object
96 97 98 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 96 def ('RHOST', 'RPORT', 'VHOST', 'SSL', 'SSLServerNameIndication', 'Proxies') end |
#disconnect(nclient = self.client) ⇒ Object
Disconnects the HTTP client
337 338 339 340 341 342 343 344 345 346 347 348 349 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 337 def disconnect(nclient = self.client) if (nclient) nclient.close end if (nclient == self.client) if self.client.respond_to?(:close) self.client.close end self.client = nil end end |
#download(url) ⇒ Object
Downloads a URL
623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 623 def download(url) print_status "Downloading '#{url}'" begin target = URI.parse url raise 'Invalid URL' unless target.scheme =~ /https?/ raise 'Invalid URL' if target.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end res = request_url(url) unless res print_error 'Connection failed' return nil end print_status "- HTTP #{res.code} - #{res.body.length} bytes" res.code == 200 ? res.body : nil end |
#full_uri(custom_uri = nil, vhost_uri: false) ⇒ Object
Returns the complete URI as string including the scheme, port and host
532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 532 def full_uri(custom_uri = nil, vhost_uri: false) uri_scheme = ssl ? 'https' : 'http' if (rport == 80 && !ssl) || (rport == 443 && ssl) uri_port = '' else uri_port = ":#{rport}" end uri = normalize_uri(custom_uri || target_uri.to_s) if vhost_uri && datastore['VHOST'] uri_host = datastore['VHOST'] elsif Rex::Socket.is_ipv6?(rhost) uri_host = "[#{rhost}]" else uri_host = rhost end "#{uri_scheme}://#{uri_host}#{uri_port}#{uri}" end |
#handler(nsock = nil) ⇒ Object
Passes the client connection down to the handler to see if it’s of any use.
317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 317 def handler(nsock = nil) # If no socket was provided, try the global one. if ((!nsock) and (self.client)) nsock = self.client.conn end # If the parent claims the socket associated with the HTTP client, then # we rip the socket out from under the HTTP client. if (((rv = super(nsock)) == Handler::Claimed) and (self.client) and (nsock == self.client.conn)) self.client.conn = nil end rv end |
#http_fingerprint(opts = {}) ⇒ String
Record various things about an HTTP server that we can glean from the response to a single request. If this method is passed a response, it will use it directly, otherwise it will check the database for a previous fingerprint. Failing that, it will make a request for /.
Other options are passed directly to #connect if :response is not given
760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 760 def http_fingerprint(opts={}) res = nil uri = opts[:uri] || '/' method = opts[:method] || 'GET' # Short-circuit the fingerprint lookup and HTTP request if a response has # already been provided by the caller. if opts[:response] res = opts[:response] else fprints = lookup_http_fingerprints(opts) if fprints.length > 0 # Grab the most recent fingerprint available for this service, uri, and method fprint = fprints.last # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility return fprint[:signature] end # Go ahead and send a request to the target for fingerprinting connect(opts) res = send_request_raw( { 'uri' => uri, 'method' => method }) rescue nil end # Bail if the request did not receive a readable response return if not res # This section handles a few simple cases of pattern matching and service # classification. This logic should be deprecated in favor of Recog-based # fingerprint databases, but has been left in place for backward compat. extras = [] if res.headers['Set-Cookie'] =~ /^vmware_soap_session/ extras << "VMWare Web Services" end if (res.headers['X-Powered-By']) extras << "Powered by " + res.headers['X-Powered-By'] end if (res.headers['Via']) extras << "Via-" + res.headers['Via'] end if (res.headers['X-AspNet-Version']) extras << "AspNet-Version-" + res.headers['X-AspNet-Version'] end case res.body when nil # Nothing when /openAboutWindow.*\>DD\-WRT ([^\<]+)\<|Authorization.*please note that the default username is \"root\" in/ extras << "DD-WRT #{$1.to_s.strip}".strip when /ID_ESX_Welcome/, /ID_ESX_VIClientDesc/ extras << "VMware ESX Server" when /Test Page for.*Fedora/ extras << "Fedora Default Page" when /Placeholder page/ extras << "Debian Default Page" when /Welcome to Windows Small Business Server (\d+)/ extras << "Windows SBS #{$1}" when /Asterisk@Home/ extras << "Asterisk" when /swfs\/Shell\.html/ extras << "BPS-1000" end if datastore['RPORT'].to_i == 3790 if res.code == 302 and res.headers and res.headers['Location'] =~ /[\x5c\x2f](login|setup)$/n if res['Server'] =~ /^(thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+)$/n extras << "Metasploit" end end end # # This HTTP response code tracking is used by a few modules and the MSP logic # to identify and bruteforce certain types of servers. In the long run we # should deprecate this and use the http.fingerprint fields instead. # case res.code when 301,302 extras << "#{res.code}-#{res.headers['Location']}" when 401 extras << "#{res.code}-#{res.headers['WWW-Authenticate']}" when 403 extras << "#{res.code}-#{res.headers['WWW-Authenticate']||res.}" when 500 .. 599 extras << "#{res.code}-#{res.}" end # Build a human-readable string to store in service.info and http.fingerprint[:signature] info = res.headers['Server'].to_s.dup info << " ( #{extras.join(", ")} )" if extras.length > 0 # Create a new fingerprint structure to track this response fprint = { :uri => uri, :method => method, :server_port => rport, :code => res.code.to_s, :message => res..to_s, :signature => info } res.headers.each_pair do |k,v| hname = k.to_s.downcase.tr('-', '_').gsub(/[^a-z0-9_]+/, '') next unless hname.length > 0 # Set-Cookie > :header_set_cookie => JSESSIONID=AAASD23423452 # Server > :header_server => Apache/1.3.37 # WWW-Authenticate > :header_www_authenticate => basic realm='www' fprint["header_#{hname}".intern] = v end # Store the first 64k of the HTTP body as well fprint[:content] = res.body.to_s[0,65535] # Report a new http.fingerprint note report_note( :host => rhost, :port => rport, :proto => 'tcp', :ntype => 'http.fingerprint', :data => fprint, # Limit reporting to one stored note per host/service combination :update => :unique ) # Report here even if info is empty since the fact that we didn't # return early means we at least got a connection and the service is up report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup) # Return the full HTTP fingerprint if requested by the caller return fprint if opts[:full] # Otherwise just return the signature string for compatibility fprint[:signature] end |
#initialize(info = {}) ⇒ Object
Initializes an exploit module that exploits a vulnerability in an HTTP server.
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 22 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), Opt::Proxies ], self.class ) ( [ OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::UserAgent.session_agent ]), OptString.new('HttpUsername', [false, 'The HTTP username to specify for authentication', '']), OptString.new('HttpPassword', [false, 'The HTTP password to specify for authentication', '']), OptPath.new('HttpRawHeaders', [false, 'Path to ERB-templatized raw headers to append to existing headers']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), Opt::SSLVersion, OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]), OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']), OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']), OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]), OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]), OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu']), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), ], self.class ) ( [ OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]), OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]), OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]), OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]), OptEnum.new('HTTP::pad_method_uri_type', [false, 'What type of whitespace to use between the method and uri', 'space', ['space', 'tab', 'apache']]), OptEnum.new('HTTP::pad_uri_version_type', [false, 'What type of whitespace to use between the uri and version', 'space', ['space', 'tab', 'apache']]), OptBool.new('HTTP::method_random_valid', [false, 'Use a random, but valid, HTTP method for request', false]), OptBool.new('HTTP::method_random_invalid', [false, 'Use a random invalid, HTTP method for request', false]), OptBool.new('HTTP::method_random_case', [false, 'Use random casing for the HTTP method', false]), OptBool.new('HTTP::version_random_valid', [false, 'Use a random, but valid, HTTP version for request', false]), OptBool.new('HTTP::version_random_invalid', [false, 'Use a random invalid, HTTP version for request', false]), OptBool.new('HTTP::uri_dir_self_reference', [false, 'Insert self-referential directories into the uri', false]), OptBool.new('HTTP::uri_dir_fake_relative', [false, 'Insert fake relative directories into the uri', false]), OptBool.new('HTTP::uri_use_backslashes', [false, 'Use back slashes instead of forward slashes in the uri ', false]), OptBool.new('HTTP::pad_fake_headers', [false, 'Insert random, fake headers into the HTTP request', false]), OptInt.new('HTTP::pad_fake_headers_count', [false, 'How many fake headers to insert into the HTTP request', 0]), OptBool.new('HTTP::pad_get_params', [false, 'Insert random, fake query string variables into the request', false]), OptInt.new('HTTP::pad_get_params_count', [false, 'How many fake query string variables to insert into the request', 16]), OptBool.new('HTTP::pad_post_params', [false, 'Insert random, fake post variables into the request', false]), OptInt.new('HTTP::pad_post_params_count', [false, 'How many fake post variables to insert into the request', 16]), OptBool.new('HTTP::shuffle_get_params', [false, 'Randomize order of GET parameters', false]), OptBool.new('HTTP::shuffle_post_params', [false, 'Randomize order of POST parameters', false]), OptBool.new('HTTP::uri_fake_end', [false, 'Add a fake end of URI (eg: /%20HTTP/1.0/../../)', false]), OptBool.new('HTTP::uri_fake_params_start', [false, 'Add a fake start of params to the URI (eg: /%3fa=b/../)', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]) # # Remaining evasions to implement # # OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]), # OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]), ], self.class ) register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ]) register_autofilter_services(%W{ http https }) # Initialize an empty cookie jar to keep cookies self. = Msf::Exploit::Remote::HTTP::HttpCookieJar.new end |
#lookup_http_fingerprints(opts = {}) ⇒ Object
Lookup HTTP fingerprints from the database that match the current destination host and port. This method falls back to using the old service.info field to represent the HTTP Server header.
712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 712 def lookup_http_fingerprints(opts={}) uri = opts[:uri] || '/' method = opts[:method] || 'GET' fprints = [] return fprints unless framework.db.active ::ApplicationRecord.connection_pool.with_connection { wspace = datastore['WORKSPACE'] ? framework.db.find_workspace(datastore['WORKSPACE']) : framework.db.workspace # only one result can be returned, as the +port+ field restricts potential results to a single service service = framework.db.services(:workspace => wspace, :hosts => {address: rhost}, :proto => 'tcp', :port => rport).first return fprints unless service # Order by note_id descending so the first value is the most recent service.notes.where(:ntype => 'http.fingerprint').order("notes.id DESC").each do |n| next unless n.data && n.data.kind_of?(::Hash) next unless n.data[:uri] == uri && n.data[:method] == method # Append additional fingerprints to the results as found fprints.unshift n.data.dup end } fprints end |
#normalize_uri(*strs) ⇒ Object
Returns a modified version of the URI that:
-
Always has a starting slash
-
Removes all the double slashes
559 560 561 562 563 564 565 566 567 568 569 570 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 559 def normalize_uri(*strs) new_str = strs * "/" new_str = new_str.gsub!("//", "/") while new_str.index("//") # Makes sure there's a starting slash unless new_str[0,1] == '/' new_str = '/' + new_str end new_str end |
#path_from_uri(uri) ⇒ Object
Returns the Path+Query from a full URI String, nil on error
573 574 575 576 577 578 579 580 581 582 583 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 573 def path_from_uri(uri) begin temp = URI(uri) ret_uri = temp.path ret_uri << "?#{temp.query}" unless temp.query.nil? or temp.query.empty? return ret_uri rescue URI::Error print_error "Invalid URI: #{uri}" return nil end end |
#peer ⇒ Object
Returns the Host and Port as a string
671 672 673 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 671 def peer "#{rhost}:#{rport}" end |
#proxies ⇒ Object
Returns the configured proxy list
699 700 701 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 699 def proxies datastore['Proxies'] end |
#reconfig_redirect_opts!(res, opts) ⇒ void
This method returns an undefined value.
Modifies the HTTP request options for a redirection.
452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 452 def reconfig_redirect_opts!(res, opts) # XXX: https://github.com/rapid7/metasploit-framework/issues/12281 if opts['method'] == 'POST' opts['method'] = 'GET' opts['data'] = nil opts['vars_post'] = {} end location = res.redirection if location.relative? if location.path.start_with?('/') # path starting with /, not relative to the current path, but starts from the root opts['redirect_uri'] = location.path opts['uri'] = location.path else parent_path = File.dirname(opts['uri'].to_s) parent_path = '/' if parent_path == '.' new_redirect_uri = normalize_uri(parent_path, location.path.gsub(/^\./, '')) opts['redirect_uri'] = new_redirect_uri opts['uri'] = new_redirect_uri end opts['rhost'] = datastore['RHOST'] opts['vhost'] = opts['vhost'] || self.vhost() || opts['rhost'] opts['ssl_server_name_indication'] = datastore['SSLServerNameIndication'] || opts['vhost'] opts['rport'] = datastore['RPORT'] opts['SSL'] = ssl else disconnect opts['redirect_uri'] = location opts['uri'] = location.path opts['rhost'] = location.host opts['vhost'] = location.host opts['ssl_server_name_indication'] = opts['vhost'] opts['rport'] = location.port if location.scheme == 'https' opts['SSL'] = true else opts['SSL'] = false end end # Don't forget any GET parameters opts['query'] ||= location.query if location.query end |
#request_opts_from_url(url) ⇒ Object
Returns a hash of request opts from a URL string
587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 587 def request_opts_from_url(url) # verify and extract components from the URL begin tgt = URI.parse(url) raise 'Invalid URL' unless tgt.scheme =~ %r{https?} raise 'Invalid URL' if tgt.host.to_s.eql? '' rescue => e print_error "Could not parse URL: #{e}" return nil end opts = { 'rhost' => tgt.host, 'rport' => tgt.port, 'uri' => tgt.request_uri } opts['SSL'] = true if tgt.scheme == 'https' if tgt.query and tgt.query.size > 13 # Assming that this is going to be mostly used for GET requests as string -> req opts['vars_get'] = {} tgt.query.split('&').each do |pair| k,v = pair.split('=',2) opts['vars_get'][k] = v end end return opts end |
#request_url(url, keepalive = false) ⇒ Object
Returns response from a simple URL call
613 614 615 616 617 618 619 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 613 def request_url(url, keepalive = false) opts = request_opts_from_url(url) return nil if opts.nil? res = send_request_raw(opts) disconnect unless keepalive return res end |
#rhost ⇒ Object
Returns the target host
657 658 659 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 657 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
664 665 666 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 664 def rport datastore['RPORT'] end |
#send_request_cgi(opts = {}, timeout = 20, disconnect = true) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response
If a Msf::Exploit::Remote::HTTP::HttpCookieJar
instance is passed in the opts
dict under a ‘cookie’ key, said CookieJar will be used in the request instead of the module cookie_jar
. Any other object passed under the ‘cookie` key will be converted to a string using to_s
and set as the cookie header of the request.
Passes ‘opts` through directly to Rex::Proto::Http::Client#request_cgi. Set `opts` to keep cookies from responses for reuse in requests. Cookies returned by the server will be stored in cookie_jar
Set ‘opts` to false in order to disable automatic removal of expired cookies
405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 405 def send_request_cgi(opts = {}, timeout = 20, disconnect = true) if opts.has_key?('cookie') if opts['cookie'].is_a?(Msf::Exploit::Remote::HTTP::HttpCookieJar) opts.merge({ 'cookie' => opts['cookie']..join('; ') }) else opts.merge({ 'cookie' => opts['cookie'].to_s }) end elsif !.empty? .cleanup unless opts['expire_cookies'] == false opts = opts.merge({ 'cookie' => ..join('; ') }) end res = send_request_raw(opts.merge(cgi: true), timeout, disconnect) return unless res if opts['keep_cookies'] && res.headers['Set-Cookie'].present? .parse_and_merge(res.headers['Set-Cookie'], "http#{ssl ? 's' : ''}://#{vhost}:#{rport}") end res end |
#send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) ⇒ Object
'opts` will be updated to the updated location and `opts` will contain the full URI.
Connects to the server, creates a request, sends the request, reads the response if a redirect (HTTP 30x response) is received it will attempt to follow the direct and retrieve that URI.
435 436 437 438 439 440 441 442 443 444 445 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 435 def send_request_cgi!(opts = {}, timeout = 20, redirect_depth = 1) res = send_request_cgi(opts, timeout) return unless res return res unless res.redirect? && res.redirection && redirect_depth > 0 redirect_depth -= 1 reconfig_redirect_opts!(res, opts) send_request_cgi!(opts, timeout, redirect_depth) end |
#send_request_raw(opts = {}, timeout = 20, disconnect = false) ⇒ Object
Connects to the server, creates a request, sends the request, reads the response
Passes opts
through directly to Rex::Proto::Http::Client#request_raw.
365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 365 def send_request_raw(opts = {}, timeout = 20, disconnect = false) if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 actual_timeout = datastore['HttpClientTimeout'] else actual_timeout = opts[:timeout] || timeout end c = opts['client'] || connect(opts) r = opts[:cgi] ? c.request_cgi(opts) : c.request_raw(opts) res = c.send_recv(r, actual_timeout) disconnect(c) if disconnect res rescue ::Errno::EPIPE, ::Timeout::Error => e print_line(e.) if datastore['HttpTrace'] nil rescue Rex::ConnectionError => e vprint_error(e.to_s) nil rescue ::Exception => e print_line(e.) if datastore['HttpTrace'] raise e end |
#service_details ⇒ Object
914 915 916 917 918 919 920 921 922 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 914 def service_details { origin_type: :service, protocol: 'tcp', service_name: (ssl ? 'https' : 'http'), address: rhost, port: rport } end |
#setup ⇒ Object
For HTTP Client exploits, we often want to verify that the server info matches some regex before firing a giant binary exploit blob at it. We override setup() here to accomplish that.
104 105 106 107 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 104 def setup validate_fingerprint super end |
#ssl ⇒ Object
Returns the boolean indicating SSL
685 686 687 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 685 def ssl ((datastore.default?('SSL') and [443,3790].include?(rport.to_i)) or datastore['SSL']) end |
#ssl_version ⇒ Object
Returns the string indicating SSL version
692 693 694 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 692 def ssl_version datastore['SSLVersion'] end |
#strip_tags(html) ⇒ Object
removes HTML tags from a provided string. The string is html-unescaped before the tags are removed Leading whitespaces and double linebreaks are removed too
650 651 652 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 650 def (html) Rex::Text.html_decode(html).gsub(/<\/?[^>]*>/, '').gsub(/^\s+/, '').strip end |
#target_uri ⇒ Object
Returns the target URI
519 520 521 522 523 524 525 526 527 528 529 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 519 def target_uri begin # In case TARGETURI is empty, at least we default to '/' u = datastore['TARGETURI'] u = "/" if u.nil? or u.empty? URI(u) rescue ::URI::InvalidURIError print_error "Invalid URI: #{datastore['TARGETURI'].inspect}" raise Msf::OptionValidateError.new(['TARGETURI']) end end |
#validate_fingerprint ⇒ Object
This method is meant to be overridden in the exploit module to specify a set of regexps to attempt to match against. A failure to match any of them results in a RuntimeError exception being raised.
114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 114 def validate_fingerprint() # Don't bother checking if there's no database active. if (framework.db.active and datastore['FingerprintCheck'] and self.class.const_defined?('HttpFingerprint')) # Get the module-specific config opts = self.class.const_get('HttpFingerprint') # # XXX: Ideally we could have more structured matches, but doing that requires # a more structured response cache. # info = http_fingerprint(opts) if info and opts[:pattern] opts[:pattern].each do |re| if not re.match(info) err = "The target server fingerprint \"#{info}\" does not match \"#{re.to_s}\", use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::NotFound, err) end end elsif info.nil? err = "The target server did not respond to fingerprinting, use 'set FingerprintCheck false' to disable this check." fail_with(::Msf::Module::Failure::Unreachable, err) end end end |
#vhost ⇒ Object
Returns the VHOST of the HTTP server.
678 679 680 |
# File 'lib/msf/core/exploit/remote/http_client.rb', line 678 def vhost datastore['VHOST'] || datastore['RHOST'] end |