Land rapid7#4812, hp_sys_mgmt_login configurable URIs

wvu · wvu · commit 8c5ff858d0df · 2015-02-23T19:04:14.000-06:00
diff --git a/lib/metasploit/framework/login_scanner/smh.rb b/lib/metasploit/framework/login_scanner/smh.rb
@@ -21,7 +21,7 @@ def attempt_login(credential)
 
           req_opts = {
             'method' => 'POST',
-            'uri'    => '/proxy/ssllogin',
+            'uri'    => uri,
             'vars_post' => {
               'redirecturl'         => '',
               'redirectquerystring' => '',
diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
@@ -32,6 +32,12 @@ def initialize(info={})
           'PASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt")
         }
     ))
+
+    register_advanced_options([
+      OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/proxy/ssllogin']),
+      OptString.new('CPQLOGIN', [true, 'The homepage of the login', '/cpqlogin.htm']),
+      OptString.new('LOGIN_REDIRECT', [true, 'The URL to redirect to', '/cpqlogin'])
+    ], self.class)
   end
 
   def get_version(res)
@@ -77,7 +83,7 @@ def init_loginscanner(ip)
 
     @scanner = Metasploit::Framework::LoginScanner::Smh.new(
       configure_http_login_scanner(
-        uri:                datastore['URI'],
+        uri:                datastore['LOGIN_URL'],
         cred_details:       @cred_collection,
         stop_on_success:    datastore['STOP_ON_SUCCESS'],
         bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
@@ -157,10 +163,10 @@ def bruteforce(ip)
 
   def run_host(ip)
     res = send_request_cgi({
-      'uri' => '/cpqlogin.htm',
+      'uri' => datastore['CPQLOGIN'],
       'method' => 'GET',
       'vars_get' => {
-        'RedirectUrl' => '/cpqlogin',
+        'RedirectUrl' => datastore['LOGIN_REDIRECT'],
         'RedirectQueryString' => ''
       }
     })
diff --git a/spec/lib/metasploit/framework/login_scanner/smh_spec.rb b/spec/lib/metasploit/framework/login_scanner/smh_spec.rb
@@ -55,7 +55,7 @@
       before :each do
         allow_any_instance_of(Rex::Proto::Http::Client).to receive(:send_recv) do |cli, req|
 
-          if req.opts['uri'] && req.opts['uri'].include?('/proxy/ssllogin') &&
+          if req.opts['uri'] &&
               req.opts['vars_post'] &&
               req.opts['vars_post']['user'] &&
               req.opts['vars_post']['user'] == username &&
