Add #get_hidden_inputs for Metasploit::Framework::LoginScanner::HTTP

wchen-r7 · wchen-r7 · commit 717120b8c546 · 2015-04-09T00:34:09.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/http.rb b/lib/metasploit/framework/login_scanner/http.rb
@@ -1,6 +1,7 @@
 require 'rex/proto/http'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
+require 'nokogiri'
 
 module Metasploit
   module Framework
@@ -241,6 +242,32 @@ def send_request(opts)
         end
 
 
+        # Returns a collection of found hidden inputs
+        #
+        # @param res [Rex::Proto::Http::Response] A response object that contains a body
+        # @return [Array<Hash>] An array, each element represents a form that contains a hash of found hidden inputs
+        #  * 'name' [String] The hidden input's original name. The value is the hidden input's original value.
+        # @example
+        #  res = send_request('uri'=>'/')
+        #  inputs = get_hidden_inputs(res)
+        #  session_id = inputs[0]['sessionid'] # The first form's 'sessionid' hidden input
+        def get_hidden_inputs(res)
+          forms = []
+          noko = Nokogiri::HTML(res.body)
+          noko.search("form").each_entry do |form|
+            found_inputs = {}
+            form.search("input").each_entry do |input|
+              input_name = input.attributes['name'] ? input.attributes['name'].value : ''
+              input_value = input.attributes['value'] ? input.attributes['value'].value : ''
+              found_inputs[input_name] = input_value unless input_name.empty?
+            end
+            forms << found_inputs unless found_inputs.empty?
+          end
+
+          forms
+        end
+
+
         # Attempt a single login with a single credential against the target.
         #
         # @param credential [Credential] The credential object to attempt to
diff --git a/spec/lib/metasploit/framework/login_scanner/http_spec.rb b/spec/lib/metasploit/framework/login_scanner/http_spec.rb
@@ -30,4 +30,51 @@
     end
   end
 
+  describe '#get_hidden_inputs' do
+    let(:response) do
+      res = Rex::Proto::Http::Response.new(200, 'OK')
+      res.body = %Q|
+      <html>
+      <head>
+      <body>
+      <form action="test.php">
+        <input name="input_1" type="hidden" value="some_value_1" />
+      </form>
+      <form>
+        <input name="input_1" type="hidden" value="some_value_1" />
+        <INPUT name="input_2" type="hidden" value="" />
+      </form>
+      </body>
+      </head>
+      </htm>
+      |
+      res
+    end
+
+
+    context 'when an HTML page contains two forms containing hidden inputs' do
+      it 'returns an array' do
+        expect(subject.get_hidden_inputs(response)).to be_kind_of(Array)
+      end
+
+      it 'returns hashes in the array' do
+        subject.get_hidden_inputs(response).each do |form|
+          expect(form).to be_kind_of(Hash)
+        end
+      end
+
+      it 'returns \'some_value_1\' in the input_1 hidden input from the first element' do
+        expect(subject.get_hidden_inputs(response)[0]['input_1']).to eq('some_value_1')
+      end
+
+      it 'returns two hidden inputs in the second element' do
+        expect(subject.get_hidden_inputs(response)[1].length).to eq(2)
+      end
+
+      it 'returns an empty string for the input_2 hidden input from the second element' do
+        expect(subject.get_hidden_inputs(response)[1]['input_2']).to be_empty
+      end
+    end
+  end
+
 end
