Land rapid7#3359, more Set-Cookie fixes

wvu · wvu · commit dfab26ea3603 · 2014-05-14T01:22:09.000-05:00
diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -42,10 +42,10 @@ def get_sid_token
       'uri'    => normalize_uri(@uri.path)
     })
 
-    return [nil, nil] if not (res and res.headers['Set-Cookie'])
+    return [nil, nil] if res.nil? || res.get_cookies.empty?
 
     # Get the session ID from the cookie
-    m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+    m = get_cookies.match(/(DOLSESSID_.+);/)
     id = (m.nil?) ? nil : m[1]
 
     # Get the token from the decompressed HTTP body response
diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb
@@ -167,7 +167,7 @@ def try_glassfish_login(version,user,pass)
       print_status("Trying credential GlassFish 2.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/applications/upload.jsf', 'GET', session)
 
         p = /<title>Deploy Enterprise Applications\/Modules/
@@ -180,7 +180,7 @@ def try_glassfish_login(version,user,pass)
       print_status("Trying credential GlassFish 3.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
 
         p = /<title>Deploy Applications or Modules/
diff --git a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
@@ -64,7 +64,7 @@ def get_first_session
       }
     })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /([^\s]*session)=([a-z0-9]+)/
+    if res && res.code == 200 && res.get_cookies =~ /([^\s]*session)=([a-z0-9]+)/
       return $1,$2
     else
       return nil
@@ -134,8 +134,8 @@ def authenticate
       'cookie' => session_cookie
     })
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /UserID=/
-      parse_auth_cookie(res.headers['Set-Cookie'])
+    if res and res.code == 302 and res.get_cookies.include?('UserID=')
+      parse_auth_cookie(res.get_cookies)
       return true
     else
       return false
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
@@ -200,7 +200,7 @@ def try_user_pass(opts)
       return :abort
     end
 
-    if action.name != "OWA_2013" and not res.headers['set-cookie']
+    if action.name != "OWA_2013" and res.get_cookies.empty?
         print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
         return :abort
     end
@@ -233,8 +233,9 @@ def try_user_pass(opts)
       end
     else
        # these two lines are the authentication info
-      sessionid = 'sessionid=' << res.headers['set-cookie'].split('sessionid=')[1].split('; ')[0]
-      cadata = 'cadata=' << res.headers['set-cookie'].split('cadata=')[1].split('; ')[0]
+      cookies = res.get_cookies
+      sessionid = 'sessionid=' << cookies.split('sessionid=')[1].split('; ')[0]
+      cadata = 'cadata=' << cookies.split('cadata=')[1].split('; ')[0]
       headers['Cookie'] = 'PBack=0; ' << sessionid << '; ' << cadata
     end
 
diff --git a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
@@ -82,7 +82,7 @@ def do_login(user, pass)
         'authorization' => basic_auth(user,pass)
       })
 
-      if (res and res.headers['Set-Cookie'])
+      if res and !res.get_cookies.empty?
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
         report_hash = {
diff --git a/modules/auxiliary/scanner/http/sevone_enum.rb b/modules/auxiliary/scanner/http/sevone_enum.rb
@@ -56,7 +56,7 @@ def is_app_sevone?
       'method'    => 'GET'
     })
 
-    if (res and res.code.to_i == 200 and res.headers['Set-Cookie'].include?('SEVONE'))
+    if (res and res.code.to_i == 200 and res.get_cookies.include?('SEVONE'))
       version_key = /Version: <strong>(.+)<\/strong>/
       version = res.body.scan(version_key).flatten
       print_good("#{rhost}:#{rport} - Application confirmed to be SevOne Network Performance Management System version #{version}")
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@@ -75,7 +75,7 @@ def login
       }
     })
 
-    if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.headers["Set-Cookie"].to_s =~ /(SID=[a-z]+)/
+    if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.get_cookies =~ /(SID=[a-z]+)/
       return $1
     else
       return nil
diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb
@@ -82,8 +82,8 @@ def get_login_cookie
     session_id      = ''
     cval            = ''
 
-    if res and res.code == 200 and res.headers['Set-Cookie']
-      res.headers['Set-Cookie'].split(';').each {|c|
+    if res and res.code == 200 and !res.get_cookies.empty?
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /cval/
             cval = v.split('=')[1]
diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
@@ -86,8 +86,8 @@ def get_login_data
     last_login = ''  #A hidden field in the login page
 
     res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'})
-    if res and res.headers['Set-Cookie']
-      sid = res.headers['Set-Cookie'].scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
+    if res and !res.get_cookies.empty?
+      sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
     end
 
     if res
@@ -147,4 +147,4 @@ def run_host(ip)
     download_file(sid, fname)
   end
 
-end
+end
diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -102,7 +102,7 @@ def do_login(user)
           'data'    => post_data,
         }, 20)
 
-      if res and res.code == 200 and res.headers['Set-Cookie']
+      if res and res.code == 200 and !res.get_cookies.empty?
         vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
       elsif res and res.code == 200 and res.body =~ /invalid username/i
         vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb
@@ -43,7 +43,7 @@ def get_sid
     })
 
     # Get the PHP session ID
-    m = res.headers['Set-Cookie'].match(/(PHPSESSID=.+);/)
+    m = res.get_cookies.match(/(PHPSESSID=.+);/)
     id = (m.nil?) ? nil : m[1]
 
     return id
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
@@ -93,10 +93,10 @@ def do_login(user=nil,pass=nil)
         return
       end
 
-      if (res and res.code == 302 )
-        if res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+      if res and res.code == 302
+        if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
           cookie = "DomAuthSessId=#{$1}"
-        elsif res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/LtpaToken=(.*);(.*)/i)
+        elsif res.get_cookies.match(/LtpaToken=(.*);(.*)/i)
           cookie = "LtpaToken=#{$1}"
         else
           print_error("http://#{vhost}:#{rport} - Lotus Domino - Unrecognized 302 response")
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
@@ -45,8 +45,8 @@ def do_login(user=nil,pass=nil)
         'data'    => post_data,
       }, 20)
 
-      if (res and res.code == 302 )
-        if res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+      if res and res.code == 302
+        if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
           print_good("http://#{vhost}:#{rport} - Lotus Domino - SUCCESSFUL login for '#{user}' : '#{pass}'")
           report_auth_info(
             :host   => rhost,
diff --git a/modules/auxiliary/scanner/msf/msf_web_login.rb b/modules/auxiliary/scanner/msf/msf_web_login.rb
@@ -76,9 +76,9 @@ def do_login(user='msf', pass='msf')
 
       token = ''
       uisession = ''
-      if res and res.code == 200 and res.headers['Set-Cookie']
+      if res and res.code == 200 and !res.get_cookies.empty?
         # extract tokens from cookie
-        res.headers['Set-Cookie'].split(';').each {|c|
+        res.get_cookies.split(';').each {|c|
           c.split(',').each {|v|
             if v.split('=')[0] =~ /token/
               token = v.split('=')[1]
diff --git a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
@@ -56,7 +56,7 @@ def crawl_page(path, parent='')
       'headers' => { 'Authorization' => "Basic #{@user_pass}"}
     }, 25)
     if res
-      @vim_cookie = res.headers['Set-Cookie']
+      @vim_cookie = res.get_cookies
       if res.code== 200
         res.body.scan(/<a href="([\w\/\?=&;%]+)">/) do |match|
           link = match[0]
@@ -88,7 +88,7 @@ def grab_screenshot(path, name)
       'headers' => { 'Authorization' => "Basic #{@user_pass}"}
     }, 25)
     if res
-      @vim_cookie = res.headers['Set-Cookie']
+      @vim_cookie = res.get_cookies
       if res.code == 200
         img = res.body
         ss_path = store_loot("host.vmware.screenshot", "image/png", datastore['RHOST'], img, name , "Screenshot of VM #{name}")
diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
@@ -78,10 +78,10 @@ def get_sid_token
       'uri'    => @uri.path
     })
 
-    return [nil, nil] if not (res and res.headers['Set-Cookie'])
+    return [nil, nil] if res.nil? || res.get_cookies.empty?
 
     # Get the session ID from the cookie
-    m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+    m = res.get_cookies.match(/(DOLSESSID_.+);/)
     id = (m.nil?) ? nil : m[1]
 
     # Get the token from the decompressed HTTP body response
diff --git a/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb b/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
@@ -67,7 +67,7 @@ def exploit
     if res.headers['Location'] =~ /users\/login$/
       fail_with(Failure::NoAccess, 'Authentication failed')
     else
-      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
+      session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/
       fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
     end
 
diff --git a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
@@ -90,7 +90,7 @@ def get_josso_token
         'josso_password' => datastore['PASSWORD']
       }
     })
-    if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
+    if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
       return $1
     else
       return nil
diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb
@@ -87,7 +87,7 @@ def login
         'method' => 'GET'
       })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       first_session = $1
     end
 
@@ -113,7 +113,7 @@ def login
       'cookie' => "JSESSIONID=#{first_session}"
     })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       @session = $1
       return true
     end
diff --git a/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb b/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
@@ -77,7 +77,7 @@ def get_cookies
         'iptest' => "127.0.0.1" # In order to make things as fast as possible
       }
     })
-    if res and res.code == 200 and res.headers.include?('Set-Cookie') and res.headers['Set-Cookie'] =~ /SESSIONID/
+    if res and res.code == 200 and res.get_cookies.include?('SESSIONID')
       return res.get_cookies
     else
       return nil
diff --git a/modules/exploits/multi/http/activecollab_chat.rb b/modules/exploits/multi/http/activecollab_chat.rb
@@ -97,7 +97,7 @@ def exploit
 
     # response handling
     if res and res.code == 302
-      if (res.headers['Set-Cookie'] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/)
+      if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/
         acsession = $1
       end
     elsif res and res.body =~ /Failed to log you in/
diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb
@@ -283,7 +283,7 @@ def exploit
           # likely to change
 
           success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
-          if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
+          if res.get_cookies =~ /JSESSIONID=(.*);/
             session = $1
           end
         end
@@ -319,7 +319,7 @@ def exploit
           # likely to change
 
           success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
-          if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
+          if res.get_cookies =~ /JSESSIONID=(.*);/
             session = $1
           end
         end
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -684,7 +684,7 @@ def try_glassfish_login(version,user,pass,type='default')
       print_status("Trying #{type} credentials for GlassFish 2.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/applications/upload.jsf', 'GET', session)
 
         p = /<title>Deploy Enterprise Applications\/Modules/
@@ -697,7 +697,7 @@ def try_glassfish_login(version,user,pass,type='default')
       print_status("Trying #{type} credentials for GlassFish 3.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
 
         p = /<title>Deploy Applications or Modules/
@@ -788,7 +788,7 @@ def exploit
     print_status("Glassfish edition: #{banner}")
 
     #Get session
-    res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /
+    res.get_cookies =~ /JSESSIONID=(.*); /
     session = $1
 
     #Set HTTP verbs.  lower-case is used to bypass auth on v3.0
diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb
@@ -61,7 +61,7 @@ def check
         if res.code == 200
           vprint_error("#{peer} - Authentication failed")
           return Exploit::CheckCode::Unknown
-        elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
+        elsif res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
           vprint_good("#{peer} - Authenticated successfully")
           return Exploit::CheckCode::Appears
         end
@@ -130,7 +130,7 @@ def exploit
     # login; get session id and token
     print_status("#{peer} - Authenticating as user '#{user}'")
     res = login(base, user, pass)
-    if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
+    if res and res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
       token = "#{$1}"
       sid   = "#{$2}"
       print_good("#{peer} - Authenticated successfully")
diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
@@ -102,7 +102,7 @@ def exploit
       'method' => 'POST'
     )
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/
       session_id = $1
     else
       print_error("#{peer} - Retrieve of initial JSESSIONID failed")
@@ -125,7 +125,7 @@ def exploit
           }
       })
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
+    if res and res.code == 302 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/
       session_id = $1
       redirect =  URI(res.headers['Location']).path
     else
diff --git a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
@@ -113,7 +113,7 @@ def login
 
     # CpqElm-Login: success
     if res.headers['CpqElm-Login'].to_s =~ /success/
-      cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+      cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
     end
 
     cookie
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -161,7 +161,7 @@ def exploit
       if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
         fail_with(Failure::NoAccess, 'login failed')
       end
-      sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
+      sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
       @cookie = "#{sessionid}"
     else
       print_status('No authentication required, skipping login...')
diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
@@ -193,7 +193,7 @@ def exploit
       }
     })
 
-    if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.get_cookies =~ /JSESSIONID=(.*);/
       print_good("#{peer} - Login successful")
       session = $1
     else
diff --git a/modules/exploits/multi/http/php_volunteer_upload_exec.rb b/modules/exploits/multi/http/php_volunteer_upload_exec.rb
@@ -73,7 +73,7 @@ def login(base, username, password)
     })
 
     # If we don't get a cookie, bail!
-    if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/
+    if res and res.get_cookies =~ /(PHPVolunteerManagent=\w+);*/
       cookie = $1
       vprint_status("#{peer} - Found cookie: #{cookie}")
     else
diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
@@ -79,12 +79,12 @@ def get_session
         'uri' => uri,
       }, 3)
 
-    if (res.nil? or not res.headers['Set-Cookie'])
+    if res.nil? or res.get_cookies.empty?
       print_error("Could not generate a valid session")
       return
     end
 
-    return res.headers['Set-Cookie']
+    return res.get_cookies
   end
 
   def cleanup
diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb
diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb
diff --git a/modules/exploits/multi/http/sflog_upload_exec.rb b/modules/exploits/multi/http/sflog_upload_exec.rb
diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb
diff --git a/modules/exploits/multi/http/splunk_mappy_exec.rb b/modules/exploits/multi/http/splunk_mappy_exec.rb
diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ def login`
`75`	`75`	`}`
`76`	`76`	`})`
`77`	`77`
`78`		`- if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.headers["Set-Cookie"].to_s =~ /(SID=[a-z]+)/`
	`78`	`+ if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.get_cookies =~ /(SID=[a-z]+)/`
`79`	`79`	`return $1`
`80`	`80`	`else`
`81`	`81`	`return nil`