Land rapid7#5329, @wchen-r7's add configurable options to jenkins_login

jvazquez-r7 · jvazquez-r7 · commit d05cae5faf88 · 2015-05-15T11:38:21.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/jenkins.rb b/lib/metasploit/framework/login_scanner/jenkins.rb
@@ -17,6 +17,10 @@ def set_sane_defaults
           self.uri = "/j_acegi_security_check" if self.uri.nil?
           self.method = "POST" if self.method.nil?
 
+          if self.uri[0] != '/'
+            self.uri = "/#{self.uri}"
+          end
+
           super
         end
 
@@ -37,15 +41,15 @@ def attempt_login(credential)
             configure_http_client(cli)
             cli.connect
             req = cli.request_cgi({
-              'method'=>'POST',
-              'uri'=>'/j_acegi_security_check',
+              'method'=> method,
+              'uri'=> uri,
               'vars_post'=> {
                 'j_username' => credential.public,
-                'j_password'=>credential.private
+                'j_password'=> credential.private
                 }
             })
             res = cli.send_recv(req)
-            if res && !res.headers['location'].include?('loginError')
+            if res && res.headers['location'] && !res.headers['location'].include?('loginError')
               result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
             else
               result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb
@@ -23,6 +23,8 @@ def initialize
 
     register_options(
       [
+        OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/j_acegi_security_check']),
+        OptEnum.new('HTTP_METHOD', [true, 'The HTTP method to use for the login', 'POST', ['GET', 'POST']]),
         Opt::RPORT(8080)
       ], self.class)
 
@@ -44,6 +46,8 @@ def run_host(ip)
 
     scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
       configure_http_login_scanner(
+        uri: datastore['LOGIN_URL'],
+        method: datastore['HTTP_METHOD'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
