Module: Msf::Exploit::Remote::Web
- Includes: HttpClient, Tcp
- Defined in: lib/msf/core/exploit/remote/web.rb
Overview
This module exposes methods that may be useful to exploits that deal with web servers.
Constant Summary
- WEB_PAYLOAD_STUB = '!payload!'
  Default value for #web_payload_stub
Instance Attribute Summary
- #web_payload_stub ⇒ Object
  Optional stub to be replaced with the exploit payload.
Attributes included from HttpClient
Attributes included from Tcp
Instance Method Summary
- #check ⇒ Object
- #cookies ⇒ Object
- #exploit ⇒ Object
- #get ⇒ Object
- #headers ⇒ Object
- #initialize(info = {}) ⇒ Object
  Creates an instance of a Telnet exploit module.
- #method ⇒ Object
- #path ⇒ Object
- #post ⇒ Object
- #tries ⇒ Object
Methods included from HttpClient
#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost
Methods included from Auxiliary::LoginScanner
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from Tcp
#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version
Instance Attribute Details
#web_payload_stub ⇒ Object
Optional stub to be replaced with the exploit payload.
Default stub is ‘WEB_PAYLOAD_STUB’.
    # File 'lib/msf/core/exploit/remote/web.rb', line 23
    def web_payload_stub
      @web_payload_stub
    end
Instance Method Details
#check ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 65
    def check
      path = datastore['PATH']
      print_status "Checking #{path}"

      response = send_request_raw( 'uri' => path )
      # send_request_raw returns nil when the server does not answer.
      return Exploit::CheckCode::Unknown unless response
      # A 200 only shows that the path is reachable, hence Detected.
      return Exploit::CheckCode::Detected if response.code == 200

      print_error "Server responded with #{response.code}"
      Exploit::CheckCode::Unknown
    end
#cookies ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 53
    def cookies
      substitute_web_payload_stub( datastore['COOKIES'], ',;' )
    end
#exploit ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 76
    def exploit
      print_status "Sending HTTP request for #{path}"

      res = perform_request
      if res
        print_status "The server responded with HTTP status code #{res.code}."
      else
        print_status 'The server did not respond to our request.'
      end

      handler
    end
#get ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 45
    def get
      substitute_in_hash( parse_query( datastore['GET'] ) )
    end
#headers ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 57
    def headers
      substitute_in_hash( parse_query( datastore['HEADERS'] ) )
    end
#initialize(info = {}) ⇒ Object
Creates an instance of a Telnet exploit module.
    # File 'lib/msf/core/exploit/remote/web.rb', line 27
    def initialize( info = {} )
      super

      register_options(
        [
          OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ),
          OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
          OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
          OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
          OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
        ], self.class )

      self.web_payload_stub = WEB_PAYLOAD_STUB
    end
#method ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 61
    def method
      post.empty? ? 'GET' : 'POST'
    end
#path ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 41
    def path
      Rex::Text.uri_encode( substitute_web_payload_stub( datastore['PATH'] ) )
    end
#post ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 49
    def post
      substitute_in_hash( parse_query( datastore['POST'] ) )
    end
#tries ⇒ Object
    # File 'lib/msf/core/exploit/remote/web.rb', line 87
    def tries
      1
    end