Land rapid7#3554, Typo3 mixin specs

Tod Beardsley · Tod Beardsley · commit 3e304536ea4d · 2014-07-25T16:06:40.000-05:00
diff --git a/lib/msf/http/typo3/login.rb b/lib/msf/http/typo3/login.rb
@@ -18,8 +18,20 @@ def typo3_backend_login(user, pass)
       return nil
     end
 
-    e = res_main.body.match(/<input type="hidden" id="rsa_e" name="e" value="(\d+)" \/>/)[1]
-    n = res_main.body.match(/<input type="hidden" id="rsa_n" name="n" value="(\w+)" \/>/)[1]
+    e_match = res_main.body.match(/<input type="hidden" id="rsa_e" name="e" value="(\d+)" \/>/)
+    if e_match.nil?
+      vprint_error('Can not find rsa_e value')
+      return nil
+    end
+    e = e_match[1]
+
+    n_match = res_main.body.match(/<input type="hidden" id="rsa_n" name="n" value="(\w+)" \/>/)
+    if n_match.nil?
+      vprint_error('Can not find rsa_n value')
+      return nil
+    end
+    n = n_match[1]
+
     vprint_debug("e: #{e}")
     vprint_debug("n: #{n}")
     rsa_enc = typo3_helper_login_rsa(e, n, pass)
diff --git a/spec/lib/msf/http/typo3_spec.rb b/spec/lib/msf/http/typo3_spec.rb
@@ -0,0 +1,139 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'rex/proto/http/response'
+require 'msf/http/typo3'
+
+describe Msf::HTTP::Typo3 do
+  subject do
+    mod = ::Msf::Module.new
+    mod.extend described_class
+    mod
+  end
+
+  let(:invalid_user) do
+    "invalid"
+  end
+
+  let(:invalid_password) do
+    "invalid"
+  end
+
+  let(:valid_user) do
+    "admin"
+  end
+
+  let(:valid_password) do
+    "password"
+  end
+
+  let(:valid_cookie) do
+    "be_typo_user=e31843639e5e17b9600602f9378b6ff0"
+  end
+
+  describe '#target_uri' do
+    it 'returns an URI' do
+      expect(subject.target_uri).to be_kind_of URI
+    end
+  end
+
+  describe '#typo3_url_login' do
+    it 'ends with /typo3/index.php' do
+      expect(subject.typo3_url_login).to end_with('/typo3/index.php')
+    end
+  end
+
+  describe '#typo3_url_backend' do
+    it 'ends with /typo3/backend.php' do
+      expect(subject.typo3_url_backend).to end_with('/typo3/backend.php')
+    end
+  end
+
+  describe '#typo3_admin_cookie_valid?' do
+    it 'returns true when valid admin cookie' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res.body = '<body class="test" id="typo3-backend-php">'
+        res
+      end
+
+      expect(subject.typo3_admin_cookie_valid?("#{valid_cookie};")).to eq(true)
+    end
+
+    it 'returns false when invalid admin cookie' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res
+      end
+
+      expect(subject.typo3_admin_cookie_valid?("invalid")).to eq(false)
+    end
+  end
+
+  describe '#typo3_backend_login' do
+
+    it 'returns nil login page can not be reached' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response::E404.new
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to be_nil
+    end
+
+    it 'returns nil when login page can be reached but isn\'t a TYPO3' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res.body = 'Hello World'
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to be_nil
+    end
+
+    it 'returns nil when TYPO3 credentials are invalid' do
+
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        if opts['uri'] == "/typo3/index.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<input type="hidden" id="rsa_e" name="e" value="10001" />'
+          res.body << '<input type="hidden" id="rsa_n" name="n" value="B8C58D75B5F9DBCEBBF6FB96BDB9531C64C45DDED56D93B310FA9C79B9787E62C91157DD5842B2BC1D90C10251300571BEEF892776F25EAC80C2672A993B00DA2F1C966C3F70418274E1AC9C432F48F8CBD9D083F990905F7EC5BDFC1B5C93672E7ACBB3D935D0597864A1F732DD44B5C6E02344917543E33A36D68915B26DC9" />'
+        elsif opts['uri'] == "/typo3/index.php" && opts['method'] == 'POST'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<!-- ###LOGIN_ERROR### begin -->Login Failed<!-- ###LOGIN_ERROR### end -->'
+        else
+          res = Rex::Proto::Http::Response::E404.new
+        end
+
+        res
+      end
+
+      expect(subject.typo3_backend_login(invalid_user, invalid_password)).to be_nil
+    end
+
+    it 'returns a cookie string when TYPO3 credentials are valid' do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        if opts['uri'] == "/typo3/index.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<input type="hidden" id="rsa_e" name="e" value="10001" />'
+          res.body << '<input type="hidden" id="rsa_n" name="n" value="B8C58D75B5F9DBCEBBF6FB96BDB9531C64C45DDED56D93B310FA9C79B9787E62C91157DD5842B2BC1D90C10251300571BEEF892776F25EAC80C2672A993B00DA2F1C966C3F70418274E1AC9C432F48F8CBD9D083F990905F7EC5BDFC1B5C93672E7ACBB3D935D0597864A1F732DD44B5C6E02344917543E33A36D68915B26DC9" />'
+        elsif opts['uri'] == "/typo3/index.php" && opts['method'] == 'POST'
+          res = Rex::Proto::Http::Response.new
+          res.headers['Set-Cookie'] = "#{valid_cookie};"
+        elsif opts['uri'] == "/typo3/backend.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<body class="test" id="typo3-backend-php">'
+          res
+        else
+          res = Rex::Proto::Http::Response::E404.new
+        end
+
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to include(valid_cookie)
+    end
+  end
+
+end
