Lucene search
K

HTTP WebDAV Internal IP Scanner

🗓️ 01 Feb 2010 02:12:30Reported by et <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 36 Views

HTTP WebDAV Internal IP Scanner. Detect webservers internal IPs through WebDAV

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2002-0422
29 May 201815:50
circl
CVE
CVE-2002-0422
11 Jun 200204:00
cve
Cvelist
CVE-2002-0422
11 Jun 200204:00
cvelist
Metasploit
Microsoft IIS HTTP Internal IP Disclosure
20 Feb 201204:44
metasploit
NVD
CVE-2002-0422
12 Aug 200204:00
nvd
OpenVAS
Private IP address Leaked using the PROPFIND method
3 Nov 200500:00
openvas
Packet Storm
Microsoft IIS HTTP Internal IP Disclosure
1 Sep 202400:00
packetstorm
Tenable Nessus
Web Server PROPFIND Method Internal IP Disclosure
18 Mar 200400:00
nessus
Rapid7 Blog
Metasploit Wrap-Up
5 Nov 202119:43
rapid7blog
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::WmapScanServer
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'HTTP WebDAV Internal IP Scanner',
      'Description' => 'Detect webservers internal IPs though WebDAV',
      'Author'      => ['et'],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2002-0422' ]
        ]
    )

    register_options(
      [
        OptString.new("PATH", [true, "Path to use", '/']),
      ])
  end

  def run_host(target_host)

    begin
      res = send_request_cgi({
        'uri'          => normalize_uri(datastore['PATH']),
        'method'       => 'PROPFIND',
        'data'	=>	'',
        'ctype'   => 'text/xml',
        'version' => '1.0',
        'vhost' => '',
      }, 10)


      if res and res.body
        # short regex
        intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i

        #print_status("#{res.body}")

        result = res.body.scan(intipregex).uniq


        result.each do |addr|
          print_good("Found internal IP in WebDAV response (#{target_host}) #{addr}")

          report_note(
            :host	=> target_host,
            :proto => 'tcp',
            :sname => (ssl ? 'https' : 'http'),
            :port	=> rport,
            :type	=> 'INTERNAL_IP',
            :data	=> addr
          )
        end
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Jul 2018 22:34Current
6.7Medium risk
Vulners AI Score6.7
CVSS 22.6
EPSS0.44339
36