From 87d59b4512a28cf7fa215365ce15050cc36ffe67 Mon Sep 17 00:00:00 2001
From: et <>
Date: Mon, 10 Aug 2009 00:01:38 +0000
Subject: [PATCH] More webdav modules to grab information
git-svn-id: file:///home/svn/framework3/trunk@6947 4d416f70-5f16-0410-b530-b9f4589650da
---
.../scanner/http/wmap_webdav_internal_ip.rb | 71 +++++++++++++++++++
.../http/wmap_webdav_website_content.rb | 71 +++++++++++++++++++
2 files changed, 142 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/wmap_webdav_internal_ip.rb
create mode 100644 modules/auxiliary/scanner/http/wmap_webdav_website_content.rb
diff --git a/modules/auxiliary/scanner/http/wmap_webdav_internal_ip.rb b/modules/auxiliary/scanner/http/wmap_webdav_internal_ip.rb
new file mode 100644
index 0000000000..a804d9d957
--- /dev/null
+++ b/modules/auxiliary/scanner/http/wmap_webdav_internal_ip.rb
@@ -0,0 +1,71 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'HTTP WebDAV Internal IP Scanner',
+ 'Version' => '$Revision: 6485 $',
+ 'Description' => 'Detect webservers internal IPs though WebDAV',
+ 'Author' => ['et'],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+ def run_host(target_host)
+
+ begin
+ res = send_request_cgi({
+ 'uri' => '/',
+ 'method' => 'PROPFIND',
+ 'data' => '',
+ 'ctype' => 'text/xml',
+ 'version' => '1.0',
+ 'vhost' => '',
+ }, 10)
+
+
+ if res and res.body
+ # short regex
+ intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i
+
+ #print_status("#{res.body}")
+
+ result = res.body.scan(intipregex).uniq
+
+
+ result.each do |addr|
+ print_status("Found internal IP in WebDAV response (#{target_host}) #{addr}")
+
+ rep_id = wmap_base_report_id(
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
+ )
+ vuln_id = wmap_report(rep_id,'IP','INTERNAL ADDRESS',"#{addr}","Internal IP in WebDAV response found.")
+ end
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+end
+
diff --git a/modules/auxiliary/scanner/http/wmap_webdav_website_content.rb b/modules/auxiliary/scanner/http/wmap_webdav_website_content.rb
new file mode 100644
index 0000000000..557745949c
--- /dev/null
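Review bot: `intipregex` reports addresses that are not private: the `172\.[0-9]{1,3}` branch covers all of 172.0.0.0/8 rather than 172.16.0.0/12, and with no word boundaries the `10\.` branch also matches inside a longer public address (for example the tail of `110.1.2.3`). Each false match is stored as an 'INTERNAL ADDRESS' finding by `wmap_report`, so the pattern should be tightened, e.g. `intipregex = /\b(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b/`. Dropping the capture group also makes `scan` return strings; with the group, `addr` is a one-element Array and `"#{addr}"` renders as `["10.0.0.1"]` on Ruby 1.9 and later. The two bare `rescue` clauses at the end of `run_host` discard connection errors silently, here and in the wmap_webdav_website_content.rb hunk; a `print_error` call or a comment saying the skip is intentional would help.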
+++ b/modules/auxiliary/scanner/http/wmap_webdav_website_content.rb
@@ -0,0 +1,71 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'HTTP WebDAV Website Content Scanner',
+ 'Version' => '$Revision: 6485 $',
+ 'Description' => 'Detect webservers disclosing its content though WebDAV',
+ 'Author' => ['et'],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+ def run_host(target_host)
+
+ begin
+ res = send_request_cgi({
+ 'uri' => '/',
+ 'method' => 'PROPFIND',
+ 'data' => '',
+ 'ctype' => 'text/xml',
+ 'version' => '1.0',
+ 'vhost' => '',
+ }, 10)
+
+
+ if res and res.body
+ # short url regex
+ urlregex = /]*>(.*?)<\/a:href>/i
+
+ #print_status("#{res.body}")
+
+ result = res.body.scan(urlregex).uniq
+
+
+ result.each do |u|
+ print_status("Found file or directory in WebDAV response (#{target_host}) #{u}")
+
+ rep_id = wmap_base_report_id(
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
+ )
+ vuln_id = wmap_report(rep_id,'WEBDAV','FILE/DIRECTORY',"#{u}","File/Directory in WebDAV response found.")
+ end
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+end
+
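Review bot: The href text taken from the server's response body is passed to `print_status` and `wmap_report` unchanged, so a hostile or misconfigured server controls what lands on the operator's console and in the report store. Because `urlregex` has a capture group, `scan` yields one-element Arrays, so `u` should be flattened and stripped of non-printable characters before use: `result = res.body.scan(urlregex).flatten.map { |h| h.gsub(/[^[:print:]]/, '') }.uniq`. The `urlregex` literal as shown on this page looks truncated (it begins at `]*>`), so the pattern itself cannot be assessed from here; a comment naming the element it targets would help whoever maintains it.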