Module: Msf::Exploit::Remote::Web

Includes:
HttpClient, Tcp
Defined in:
lib/msf/core/exploit/web.rb

Overview

This module exposes methods that may be useful to exploits that deal with webservers.

Constant Summary collapse

WEB_PAYLOAD_STUB =

Default value for #web_payload_stub

'!payload!'

Constants included from HttpClient

HttpClient::NTLM_CONST, HttpClient::NTLM_CRYPT, HttpClient::NTLM_UTILS, HttpClient::NTLM_XCEPT

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from HttpClient

#basic_auth, #cleanup, #connect, #disconnect, #full_uri, #handler, #http_fingerprint, #make_cnonce, #normalize_uri, #path_from_uri, #peer, #proxies, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::Report

#db, #get_client, #get_host, #inside_workspace_boundary?, #mytask, #myworkspace, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#web_payload_stubObject

Optional stub to be replaced with the exploit payload.

Default stub is 'WEB_PAYLOAD_STUB'.


23
24
25
# File 'lib/msf/core/exploit/web.rb', line 23

def web_payload_stub
  @web_payload_stub
end

Instance Method Details

#checkObject


65
66
67
68
69
70
71
72
73
74
# File 'lib/msf/core/exploit/web.rb', line 65

def check
  path = datastore['PATH']
  print_status "Checking #{path}"

  response = send_request_raw( 'uri' => path )
  return Exploit::CheckCode::Detected if response.code == 200

  print_error "Server responded with #{response.code}"
  Exploit::CheckCode::Unknown
end

#cookiesObject


53
54
55
# File 'lib/msf/core/exploit/web.rb', line 53

def cookies
  substitute_web_payload_stub( datastore['COOKIES'], ',;' )
end

#exploitObject


76
77
78
79
80
81
82
83
84
85
# File 'lib/msf/core/exploit/web.rb', line 76

def exploit
  print_status "Sending HTTP request for #{path}"
  res = perform_request
  if res
    print_status "The server responded with HTTP status code #{res.code}."
  else
    print_status 'The server did not respond to our request.'
  end
  handler
end

#getObject


45
46
47
# File 'lib/msf/core/exploit/web.rb', line 45

def get
  substitute_in_hash( parse_query( datastore['GET'] ) )
end

#headersObject


57
58
59
# File 'lib/msf/core/exploit/web.rb', line 57

def headers
  substitute_in_hash( parse_query( datastore['HEADERS'] ) )
end

#initialize(info = {}) ⇒ Object

Creates an instance of a Telnet exploit module.


27
28
29
30
31
32
33
34
35
36
37
38
39
# File 'lib/msf/core/exploit/web.rb', line 27

def initialize( info = {} )
  super

  register_options([
    OptString.new( 'PATH',    [ true,  'The path to the vulnerable script.', '/' ] ),
    OptString.new( 'GET',     [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
    OptString.new( 'POST',    [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
    OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
    OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
  ], self.class )

  self.web_payload_stub = WEB_PAYLOAD_STUB
end

#methodObject


61
62
63
# File 'lib/msf/core/exploit/web.rb', line 61

def method
  post.empty? ? 'GET' : 'POST'
end

#pathObject


41
42
43
# File 'lib/msf/core/exploit/web.rb', line 41

def path
  Rex::Text.uri_encode( substitute_web_payload_stub( datastore['PATH'] ) )
end

#postObject


49
50
51
# File 'lib/msf/core/exploit/web.rb', line 49

def post
  substitute_in_hash( parse_query( datastore['POST'] ) )
end

#triesObject


87
88
89
# File 'lib/msf/core/exploit/web.rb', line 87

def tries
  1
end