modules/auxiliary/scanner/http/file_same_name_dir.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::WmapScanDir
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'   		=> 'HTTP File Same Name Directory Scanner',
      'Description'	=> %q{
        This module identifies the existence of files
        in a given directory path named as the same name of the
        directory.

        Only works if PATH is different than '/'.
      },
      'Author' 		=> [ 'et [at] metasploit.com' ],
      'License'		=> BSD_LICENSE))

    register_options(
      [
        OptString.new('PATH', [ true,  "The directory path  to identify files", '/']),
        OptString.new('EXT', [ true, "File extension to use", '.aspx']),

      ])

  end

  def run_host(ip)
    extensions = [
      '.null',
      '.backup',
      '.bak',
      '.c',
      '.cfg',
      '.class',
      '.copy',
      '.conf',
      '.exe',
      '.html',
      '.htm',
      '.log',
      '.old',
      '.orig',
      '.php',
      '.tar',
      '.tar.gz',
      '.tgz',
      '.tmp',
      '.temp',
      '.txt',
      '.zip',
      '~',
      ''
    ]

    tpath = normalize_uri(datastore['PATH'])

    if tpath.eql? "/"||""
      print_error("Blank or default PATH set.");
      return
    end

    if tpath[-1,1] != '/'
      tpath += '/'
    end

    testf = tpath.split('/').last

    extensions << datastore['EXT']

    extensions.each { |ext|
      begin
        testfext = testf.chomp + ext
        res = send_request_cgi({
          'uri'  		=>  tpath+testfext,
          'method'   	=> 'GET',
          'ctype'		=> 'text/plain'
        }, 20)

        if (res and res.code >= 200 and res.code < 300)
          print_good("Found #{wmap_base_url}#{tpath}#{testfext}")

          report_web_vuln(
            :host	=> ip,
            :port	=> rport,
            :vhost  => vhost,
            :ssl    => ssl,
            :path	=> "#{tpath}#{testfext}",
            :method => 'GET',
            :pname  => "",
            :proof  => "Res code: #{res.code.to_s}",
            :risk   => 0,
            :confidence   => 100,
            :category     => 'file',
            :description  => 'File found.',
            :name   => 'file'
          )

        else
          vprint_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")
        end

      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      rescue ::Timeout::Error, ::Errno::EPIPE
      end

    }

  end
end
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`##`

Zeitwerk `rex` folder 2021-01-28 10:35:25 +00:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`include Msf::Exploit::Remote::HttpClient`
New wmap version 1.5. Plugin and mixin changes. Modules edited to adjust to naming convention 2012-02-03 15:43:21 -06:00			`include Msf::Auxiliary::WmapScanDir`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'Name' => 'HTTP File Same Name Directory Scanner',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module identifies the existence of files`
			`in a given directory path named as the same name of the`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`directory.`
Retab modules 2013-08-30 16:28:54 -05:00
more updates, 465 more pages to go 2017-08-26 21:01:10 -04:00			`Only works if PATH is different than '/'.`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`},`
			`'Author' => [ 'et [at] metasploit.com' ],`
msftidy: remove $Revision$ 2013-01-03 01:05:45 +01:00			`'License' => BSD_LICENSE))`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`register_options(`
			`[`
			`OptString.new('PATH', [ true, "The directory path to identify files", '/']),`
WMAP 1.0 and first pass on some modules 2011-02-04 05:57:26 +00:00			`OptString.new('EXT', [ true, "File extension to use", '.aspx']),`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`def run_host(ip)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`extensions = [`
			`'.null',`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'.backup',`
			`'.bak',`
			`'.c',`
WMAP 1.0 and first pass on some modules 2011-02-04 05:57:26 +00:00			`'.cfg',`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'.class',`
			`'.copy',`
			`'.conf',`
			`'.exe',`
			`'.html',`
			`'.htm',`
			`'.log',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'.old',`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'.orig',`
WMAP 1.0 and first pass on some modules 2011-02-04 05:57:26 +00:00			`'.php',`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'.tar',`
			`'.tar.gz',`
			`'.tgz',`
WMAP 1.0 and first pass on some modules 2011-02-04 05:57:26 +00:00			`'.tmp',`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`'.temp',`
			`'.txt',`
			`'.zip',`
			`'~',`
			`''`
			`]`
Retab modules 2013-08-30 16:28:54 -05:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`tpath = normalize_uri(datastore['PATH'])`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`if tpath.eql? "/"\|\|""`
			`print_error("Blank or default PATH set.");`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`if tpath[-1,1] != '/'`
			`tpath += '/'`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`testf = tpath.split('/').last`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`extensions << datastore['EXT']`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`extensions.each { \|ext\|`
			`begin`
			`testfext = testf.chomp + ext`
			`res = send_request_cgi({`
			`'uri' => tpath+testfext,`
			`'method' => 'GET',`
			`'ctype' => 'text/plain'`
			`}, 20)`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`if (res and res.code >= 200 and res.code < 300)`
print_status -> print_good. [When it is successful, show it!] 2017-07-14 00:09:35 +01:00			`print_good("Found #{wmap_base_url}#{tpath}#{testfext}")`
Retab modules 2013-08-30 16:28:54 -05:00
Migrating modules to use report_web_vulns and minor fixes 2012-02-21 14:13:12 -06:00			`report_web_vuln(`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`:host => ip,`
			`:port => rport,`
Migrating modules to use report_web_vulns and minor fixes 2012-02-21 14:13:12 -06:00			`:vhost => vhost,`
			`:ssl => ssl,`
			`:path => "#{tpath}#{testfext}",`
			`:method => 'GET',`
			`:pname => "",`
			`:proof => "Res code: #{res.code.to_s}",`
			`:risk => 0,`
			`:confidence => 100,`
			`:category => 'file',`
			`:description => 'File found.',`
			`:name => 'file'`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`)`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`else`
add VERBOSE option to all modules and vprint_* methods to use it 2011-07-15 15:33:35 +00:00			`vprint_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`rescue ::Timeout::Error, ::Errno::EPIPE`
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`}`
Retab modules 2013-08-30 16:28:54 -05:00
crossing fingers, big cr removal batch 2009-12-30 22:24:22 +00:00			`end`
			`end`