|
1 | | -require 'msf/core' |
| 1 | +## |
| 2 | +# This module requires Metasploit: https://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
2 | 5 |
|
3 | 6 | class MetasploitModule < Msf::Auxiliary |
4 | | - include Msf::Exploit::Remote::HttpClient |
5 | 7 | include Msf::Auxiliary::Scanner |
6 | | - include Msf::Auxiliary::Report |
| 8 | + include Msf::Exploit::Remote::HttpClient |
7 | 9 |
|
8 | 10 | def initialize(info = {}) |
9 | 11 | super( |
10 | 12 | update_info( |
11 | 13 | info, |
12 | 14 | 'Name' => 'ReDoc API Docs UI Exposed', |
13 | 15 | 'Description' => %q{ |
14 | | - Detects publicly exposed ReDoc API documentation pages which may reveal API surface, |
15 | | - endpoints, request/response models, and other implementation details useful to attackers. |
| 16 | + Detects publicly exposed ReDoc API documentation pages. |
| 17 | + The module performs safe, read-only GET requests and reports likely |
| 18 | + ReDoc instances based on HTML markers. |
16 | 19 | }, |
17 | 20 | 'Author' => [ |
18 | | - |
| 21 | + 'Hamza Sahin (@hamzasahin61)' |
19 | 22 | ], |
20 | | - 'License' => MSF_LICENSE, |
21 | | - 'References' => [ |
22 | | - [ 'URL', 'https://redocly.com/docs/redoc/' ] |
23 | | - ], |
24 | | - 'Actions' => [ [ 'Scan', { 'Description' => 'Scan for exposed ReDoc UI' } ] ], |
25 | | - 'DefaultAction' => 'Scan' |
| 23 | + 'License' => MSF_LICENSE |
26 | 24 | ) |
27 | 25 | ) |
28 | 26 |
|
29 | | - register_advanced_options([ |
30 | | - OptString.new('REDOC_PATHS', [ true, 'Comma-separated paths to probe', '/redoc,/docs,/api/docs,/openapi,/redoc/' ]) |
31 | | - ]) |
| 27 | + register_options( |
| 28 | + [ |
| 29 | + Opt::RPORT(80), |
| 30 | + OptBool.new('SSL', [true, 'Negotiate SSL/TLS for outgoing connections', false]), |
| 31 | + OptString.new('REDOC_PATHS', [ |
| 32 | + false, |
| 33 | + 'Comma-separated list of paths to probe (overrides defaults)', |
| 34 | + nil |
| 35 | + ]) |
| 36 | + ] |
| 37 | + ) |
32 | 38 | end |
33 | 39 |
|
34 | | - # Returns :yes if the path looks like a ReDoc page, else :no |
35 | | - def check_path(path) |
36 | | - res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(path) }, 10) |
37 | | - return :no if res.nil? |
| 40 | + # returns true if the response looks like a ReDoc page |
| 41 | + def redoc_like?(res) |
| 42 | + return false unless res && res.code.between?(200, 403) |
| 43 | + |
| 44 | + # Prefer DOM checks |
| 45 | + doc = res.get_html_document |
| 46 | + if doc |
| 47 | + return true if doc.at_css('redoc, redoc-, #redoc') |
| 48 | + return true if doc.css('script[src*="redoc"]').any? |
| 49 | + return true if doc.css('script[src*="redoc.standalone"]').any? |
| 50 | + end |
38 | 51 |
|
39 | | - code_ok = res.code && res.code.between?(200, 403) |
40 | | - body = res.body.to_s |
| 52 | + # Fallback to body/title heuristics |
| 53 | + title = res.get_html_title.to_s |
| 54 | + body = res.body.to_s |
41 | 55 |
|
42 | | - title_hit = body =~ /<\s*title[^>]*>[^<]*redoc[^<]*<\/\s*title\s*>/i |
43 | | - redoc_hit = body =~ /(redoc(?:\.standalone)?\.js|<\s*redoc-?)/i |
| 56 | + return true if title =~ /redoc/i |
| 57 | + return true if body =~ /<redoc-?/i |
| 58 | + return true if body =~ /redoc(\.standalone)?\.js/i |
44 | 59 |
|
45 | | - return :yes if code_ok && (title_hit || redoc_hit) |
46 | | - :no |
| 60 | + false |
| 61 | + end |
| 62 | + |
| 63 | + def check_path(path) |
| 64 | + res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(path) }) |
| 65 | + redoc_like?(res) |
47 | 66 | end |
48 | 67 |
|
49 | 68 | def run_host(ip) |
50 | 69 | vprint_status("#{ip} - scanning for ReDoc") |
51 | 70 |
|
52 | | - paths = (datastore['REDOC_PATHS'] || '').split(',').map(&:strip) |
53 | | - paths = ['/redoc', '/docs', '/api/docs', '/openapi', '/redoc/'] if paths.empty? |
54 | | - |
55 | | - hit = paths.find { |p| check_path(p) == :yes } |
| 71 | + paths = |
| 72 | + if (ds = datastore['REDOC_PATHS']) && !ds.empty? |
| 73 | + ds.split(',').map(&:strip) |
| 74 | + else |
| 75 | + ['/redoc', '/redoc/', '/docs', '/api/docs', '/openapi'] |
| 76 | + end |
56 | 77 |
|
| 78 | + hit = paths.find { |p| check_path(p) } |
57 | 79 | if hit |
58 | 80 | print_good("#{ip} - ReDoc likely exposed at #{hit}") |
59 | | - report_service( |
60 | | - host: ip, |
61 | | - port: rport, |
62 | | - proto: 'tcp', |
63 | | - name: (ssl ? 'https' : 'http') |
64 | | - ) |
65 | | - report_note( |
66 | | - host: ip, |
67 | | - port: rport, |
68 | | - proto: 'tcp', |
69 | | - type: 'http.redoc.exposed', |
70 | | - data: { path: hit } |
71 | | - ) |
| 81 | + report_service(host: ip, port: rport, proto: 'tcp', name: 'http') |
72 | 82 | else |
73 | 83 | vprint_status("#{ip} - no ReDoc found") |
74 | 84 | end |
|
0 commit comments