# # Web assessment for the Metasploit Framework # Efrain Torres - et[ ] metasploit.com 2012 # require 'English' require 'rabal/tree' module Msf class Plugin::Wmap < Msf::Plugin class WmapCommandDispatcher # @!attribute wmapmodules # @return [Array] Enabled WMAP modules # @!attribute targets # @return [Hash] WMAP targets # @!attribute lastsites # @return [Array] Temp location of previously obtained sites # @!attribute rpcarr # @return [Array] Array or rpc connections # @!attribute njobs # @return [Integer] Max number of jobs # @!attribute nmaxdisplay # @return [Boolean] Flag to stop displaying the same message # @!attribute runlocal # @return [Boolean] Flag to run local modules only # @!attribute masstop # @return [Boolean] Flag to stop everything # @!attribute killwhenstop # @return [Boolean] Kill process when exiting attr_accessor :wmapmodules, :targets, :lastsites, :rpcarr, :njobs, :nmaxdisplay, :runlocal, :masstop, :killwhenstop include Msf::Ui::Console::CommandDispatcher def name 'wmap' end # # The initial command set # def commands { 'wmap_targets' => 'Manage targets', 'wmap_sites' => 'Manage sites', 'wmap_nodes' => 'Manage nodes', 'wmap_run' => 'Test targets', 'wmap_modules' => 'Manage wmap modules', 'wmap_vulns' => 'Display web vulns' } end def cmd_wmap_vulns(*args) args.push('-h') if args.empty? while (arg = args.shift) case arg when '-l' view_vulns when '-h' print_status('Usage: wmap_vulns [options]') print_line("\t-h Display this help text") print_line("\t-l Display web vulns table") print_line('') else print_error('Unknown flag.') end return end end def cmd_wmap_modules(*args) args.push('-h') if args.empty? while (arg = args.shift) case arg when '-l' view_modules when '-r' load_wmap_modules(true) when '-h' print_status('Usage: wmap_modules [options]') print_line("\t-h Display this help text") print_line("\t-l List all wmap enabled modules") print_line("\t-r Reload wmap modules") print_line('') else print_error('Unknown flag.') end return end end def cmd_wmap_targets(*args) args.push('-h') if args.empty? while (arg = args.shift) case arg when '-c' self.targets = Hash.new when '-l' view_targets return when '-t' process_urls(args.shift) when '-d' process_ids(args.shift) when '-h' print_status('Usage: wmap_targets [options]') print_line("\t-h Display this help text") print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ") print_line("\t-d [ids] Define target sites (id1, id2, id3 ...)") print_line("\t-c Clean target sites list") print_line("\t-l List all target sites") print_line('') return else print_error('Unknown flag.') return end end end def cmd_wmap_sites(*args) args.push('-h') if args.empty? while (arg = args.shift) case arg when '-a' site = args.shift if site s = add_web_site(site) if s print_status('Site created.') else print_error('Unable to create site') end else print_error('No site provided.') end when '-d' del_idx = args if !del_idx.empty? delete_sites(del_idx.select { |d| d =~ /^[0-9]*$/ }.map(&:to_i).uniq) return else print_error('No index provided.') end when '-l' view_sites return when '-s' u = args.shift l = args.shift o = args.shift return unless u if l.nil? || l.empty? l = 200 o = 'true' elsif (l == 'true') || (l == 'false') # Add check if unicode parameters is the second one o = l l = 200 else l = l.to_i end o = (o == 'true') if u.include? 'http' # Parameters are in url form view_site_tree(u, l, o) else # Parameters are digits if !lastsites || lastsites.empty? view_sites print_status('Web sites ids. referenced from previous table.') end target_whitelist = [] ids = u.to_s.split(/,/) ids.each do |id| next if id.to_s.strip.empty? if id.to_i > lastsites.length print_error("Skipping id #{id}...") else target_whitelist << lastsites[id.to_i] # print_status("Loading #{self.lastsites[id.to_i]}.") end end # Skip the DB entirely if no matches return if target_whitelist.empty? unless targets self.targets = Hash.new end target_whitelist.each do |ent| view_site_tree(ent, l, o) end end return when '-h' print_status('Usage: wmap_sites [options]') print_line("\t-h Display this help text") print_line("\t-a [url] Add site (vhost,url)") print_line("\t-d [ids] Delete sites (separate ids with space)") print_line("\t-l List all available sites") print_line("\t-s [id] Display site structure (vhost,url|ids) (level) (unicode output true/false)") print_line('') return else print_error('Unknown flag.') return end end end def cmd_wmap_nodes(*args) if !rpcarr self.rpcarr = Hash.new end args.push('-h') if args.empty? while (arg = args.shift) case arg when '-a' h = args.shift r = args.shift s = args.shift u = args.shift p = args.shift res = rpc_add_node(h, r, s, u, p, false) if res print_status('Node created.') else print_error('Unable to create node') end when '-c' idref = args.shift if !idref print_error('No id defined') return end if idref.upcase == 'ALL' print_status('All nodes removed') self.rpcarr = Hash.new else idx = 0 rpcarr.each do |k, _v| if idx == idref.to_i rpcarr.delete(k) print_status("Node deleted #{k}") end idx += 1 end end when '-d' host = args.shift port = args.shift user = args.shift pass = args.shift dbname = args.shift res = rpc_db_nodes(host, port, user, pass, dbname) if res print_status('OK.') else print_error('Error') end when '-l' rpc_list_nodes return when '-j' rpc_view_jobs return when '-k' node = args.shift jid = args.shift rpc_kill_node(node, jid) return when '-h' print_status('Usage: wmap_nodes [options]') print_line("\t-h Display this help text") print_line("\t-c id Remove id node (Use ALL for ALL nodes") print_line("\t-a host port ssl user pass Add node") print_line("\t-d host port user pass db Force all nodes to connect to db") print_line("\t-j View detailed jobs") print_line("\t-k ALL|id ALL|job_id Kill jobs on node") print_line("\t-l List all current nodes") print_line('') return else print_error('Unknown flag.') return end end end def cmd_wmap_run(*args) # Stop everything self.masstop = false self.killwhenstop = true trap('INT') do print_error('Stopping execution...') self.masstop = true if killwhenstop rpc_kill_node('ALL', 'ALL') end end # Max numbers of concurrent jobs per node self.njobs = 25 self.nmaxdisplay = false self.runlocal = false # Formatting sizeline = 60 wmap_show = 2**0 wmap_expl = 2**1 # Exclude files can be modified by setting datastore['WMAP_EXCLUDE'] wmap_exclude_files = '.*\.(gif|jpg|png*)$' run_wmap_ssl = true run_wmap_server = true run_wmap_dir_file = true run_wmap_query = true run_wmap_unique_query = true run_wmap_generic = true # If module supports datastore['VERBOSE'] moduleverbose = false showprogress = false if !rpcarr self.rpcarr = Hash.new end if !run_wmap_ssl print_status('Loading of wmap ssl modules disabled.') end if !run_wmap_server print_status('Loading of wmap server modules disabled.') end if !run_wmap_dir_file print_status('Loading of wmap dir and file modules disabled.') end if !run_wmap_query print_status('Loading of wmap query modules disabled.') end if !run_wmap_unique_query print_status('Loading of wmap unique query modules disabled.') end if !run_wmap_generic print_status('Loading of wmap generic modules disabled.') end stamp = Time.now.to_f mode = 0 eprofile = [] using_p = false using_m = false usinginipath = false mname = '' inipathname = '/' args.push('-h') if args.empty? while (arg = args.shift) case arg when '-t' mode |= wmap_show when '-e' mode |= wmap_expl profile = args.shift if profile print_status("Using profile #{profile}.") begin File.open(profile).each do |str| if !str.include? '#' # Not a comment modname = str.strip if !modname.empty? eprofile << modname end end using_p = true end rescue StandardError print_error('Profile not found or invalid.') return end else print_status('Using ALL wmap enabled modules.') end when '-m' mode |= wmap_expl mname = args.shift if mname print_status("Using module #{mname}.") end using_m = true when '-p' mode |= wmap_expl inipathname = args.shift if inipathname print_status("Using initial path #{inipathname}.") end usinginipath = true when '-h' print_status('Usage: wmap_run [options]') print_line("\t-h Display this help text") print_line("\t-t Show all enabled modules") print_line("\t-m [regex] Launch only modules that name match provided regex.") print_line("\t-p [regex] Only test path defined by regex.") print_line("\t-e [/path/to/profile] Launch profile modules against all matched targets.") print_line("\t (No profile file runs all enabled modules.)") print_line('') return else print_error('Unknown flag') return end end if rpcarr.empty? && (mode & wmap_show == 0) print_error('NO WMAP NODES DEFINED. Executing local modules') self.runlocal = true end if targets.nil? print_error('Targets have not been selected.') return end if targets.keys.empty? print_error('Targets have not been selected.') return end execmod = true if (mode & wmap_show != 0) execmod = false end targets.each_with_index do |t, idx| selected_host = t[1][:host] selected_port = t[1][:port] selected_ssl = t[1][:ssl] selected_vhost = t[1][:vhost] print_status('Testing target:') print_status("\tSite: #{selected_vhost} (#{selected_host})") print_status("\tPort: #{selected_port} SSL: #{selected_ssl}") print_line '=' * sizeline print_status("Testing started. #{Time.now}") if !selected_ssl run_wmap_ssl = false # print_status ("Target is not SSL. SSL modules disabled.") end # wmap_dir, wmap_file matches = Hash.new # wmap_server matches1 = Hash.new # wmap_query matches2 = Hash.new # wmap_ssl matches3 = Hash.new # wmap_unique_query matches5 = Hash.new # wmap_generic matches10 = Hash.new # OPTIONS jobify = false # This will be clean later load_wmap_modules(false) wmapmodules.each do |w| case w[2] when :wmap_server if run_wmap_server matches1[w] = true end when :wmap_query if run_wmap_query matches2[w] = true end when :wmap_unique_query if run_wmap_unique_query matches5[w] = true end when :wmap_generic if run_wmap_generic matches10[w] = true end when :wmap_dir, :wmap_file if run_wmap_dir_file matches[w] = true end when :wmap_ssl if run_wmap_ssl matches3[w] = true end else # Black Hole end end # Execution order (orderid) matches = sort_by_orderid(matches) matches1 = sort_by_orderid(matches1) matches2 = sort_by_orderid(matches2) matches3 = sort_by_orderid(matches3) matches5 = sort_by_orderid(matches5) matches10 = sort_by_orderid(matches10) # # Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server. # :wmap_ssl # print_status "\n=[ SSL testing ]=" print_line '=' * sizeline if !selected_ssl print_status('Target is not SSL. SSL modules disabled.') end idx = 0 matches3.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless (using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify begin if execmod rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end # # Handle modules that need to be run before all tests, once usually again the web server. # :wmap_server # print_status "\n=[ Web Server testing ]=" print_line '=' * sizeline idx = 0 matches1.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless (using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify begin if execmod rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end # # Handle modules to be run at every path/file # wmap_dir, wmap_file # print_status "\n=[ File/Dir testing ]=" print_line '=' * sizeline idx = 0 matches.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless (using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify # # Run the plugins that only need to be # launched once. # wtype = xref[2] h = framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) test_tree = load_tree(w) test_tree.each do |node| if masstop print_error('STOPPED.') return end p = node.current_path testpath = Pathname.new(p) strpath = testpath.cleanpath(false).to_s # # Fixing paths # if node.is_leaf? && !node.is_root? # # Later we can add here more checks to see if its a file # elsif node.is_root? strpath = '/' else strpath = strpath.chomp + '/' end strpath = strpath.gsub('//', '/') # print_status("Testing path: #{strpath}") # # Launch plugin depending module type. # Module type depends on main input type. # Code may be the same but it depend on final # versions of plugins # case wtype when :wmap_file if node.is_leaf? && !node.is_root? # # Check if an exclusion regex has been defined # excludefilestr = framework.datastore['WMAP_EXCLUDE'] || wmap_exclude_files if !(strpath.match(excludefilestr) && (!usinginipath || (usinginipath && strpath.match(inipathname)))) modopts['PATH'] = strpath print_status("Path: #{strpath}") begin if execmod rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end end when :wmap_dir if ((node.is_leaf? && !strpath.include?('.')) || node.is_root? || !node.is_leaf?) && (!usinginipath || (usinginipath && strpath.match(inipathname))) modopts['PATH'] = strpath print_status("Path: #{strpath}") begin if execmod rpcnode = rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end end end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end # # Run modules for each request to play with URI with UNIQUE query parameters. # wmap_unique_query # print_status "\n=[ Unique Query testing ]=" print_line '=' * sizeline idx = 0 matches5.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless (using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify # # Run the plugins for each request that have a distinct # GET/POST URI QUERY string. # utest_query = Hash.new h = framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) w.web_forms.each do |form| if masstop print_error('STOPPED.') return end # # Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn' # datastr = '' typestr = '' temparr = [] # print_status "---------" # print_status form.params # print_status "+++++++++" form.params.each do |p| pn, pv, _pt = p if pn if !pn.empty? if !pv || pv.empty? # TODO: add value based on param name pv = 'aaa' end # temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s) temparr << pn.to_s + '=' + pv.to_s end else print_error("Blank parameter name. Form #{form.path}") end end datastr = temparr.join('&') if (temparr && !temparr.empty?) if (utest_query.key?(signature(form.path, datastr)) == false) modopts['METHOD'] = form.method.upcase modopts['PATH'] = form.path modopts['QUERY'] = form.query if form.method.upcase == 'GET' modopts['QUERY'] = datastr modopts['DATA'] = '' end if form.method.upcase == 'POST' modopts['DATA'] = datastr end modopts['TYPES'] = typestr # # TODO: Add headers, etc. # if !usinginipath || (usinginipath && form.path.match(inipathname)) print_status "Path #{form.path}" # print_status("Unique PATH #{modopts['PATH']}") # print_status("Unique GET #{modopts['QUERY']}") # print_status("Unique POST #{modopts['DATA']}") # print_status("MODOPTS: #{modopts}") begin if execmod rpcnode = rpc_round_exec(xref[0], xref[1], modopts, njobs) end utest_query[signature(form.path, datastr)] = 1 rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end end end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end # # Run modules for each request to play with URI query parameters. # This approach will reduce the complexity of the Tree used before # and will make this shotgun implementation much simple. # wmap_query # print_status "\n=[ Query testing ]=" print_line '=' * sizeline idx = 0 matches2.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless !(using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify # # Run the plugins for each request that have a distinct # GET/POST URI QUERY string. # h = framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) w.web_forms.each do |req| if masstop print_error('STOPPED.') return end datastr = '' typestr = '' temparr = [] req.params.each do |p| pn, pv, _pt = p if pn if !pn.empty? if !pv || pv.empty? # TODO: add value based on param name pv = 'aaa' end # temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s) temparr << pn.to_s + '=' + pv.to_s end else print_error("Blank parameter name. Form #{req.path}") end end datastr = temparr.join('&') if (temparr && !temparr.empty?) modopts['METHOD'] = req.method.upcase modopts['PATH'] = req.path if req.method.upcase == 'GET' modopts['QUERY'] = datastr modopts['DATA'] = '' end modopts['DATA'] = datastr if req.method.upcase == 'POST' modopts['TYPES'] = typestr # # TODO: Add method, headers, etc. # if !usinginipath || (usinginipath && req.path.match(inipathname)) print_status "Path #{req.path}" # print_status("Query PATH #{modopts['PATH']}") # print_status("Query GET #{modopts['QUERY']}") # print_status("Query POST #{modopts['DATA']}") # print_status("Query TYPES #{typestr}") begin if execmod rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end # # Handle modules that need to be after all tests, once. # Good place to have modules that analyze the test results and/or # launch exploits. # :wmap_generic # print_status "\n=[ General testing ]=" print_line '=' * sizeline idx = 0 matches10.each_key do |xref| if masstop print_error('STOPPED.') return end # Module not part of profile or not match next unless !(using_p && eprofile.include?(xref[0].split('/').last)) || (using_m && xref[0].to_s.match(mname)) || (!using_m && !using_p) idx += 1 begin # Module options hash modopts = Hash.new # # The code is just a proof-of-concept and will be expanded in the future # print_status "Module #{xref[0]}" if (mode & wmap_expl != 0) # # For modules to have access to the global datastore # i.e. set -g DOMAIN test.com # framework.datastore.each do |gkey, gval| modopts[gkey] = gval end # # Parameters passed in hash xref # modopts['RHOST'] = selected_host modopts['RHOSTS'] = selected_host modopts['RPORT'] = selected_port.to_s modopts['SSL'] = selected_ssl modopts['VHOST'] = selected_vhost.to_s modopts['VERBOSE'] = moduleverbose modopts['ShowProgress'] = showprogress modopts['RunAsJob'] = jobify # # Run the plugins that only need to be # launched once. # begin if execmod rpc_round_exec(xref[0], xref[1], modopts, njobs) end rescue ::Exception print_status(" >> Exception during launch from #{xref[0]}: #{$ERROR_INFO}") end end rescue ::Exception print_status(" >> Exception from #{xref[0]}: #{$ERROR_INFO}") end end if (mode & wmap_expl != 0) print_line '+' * sizeline if !(runlocal && execmod) rpc_list_nodes print_status('Note: Use wmap_nodes -l to list node status for completion') end print_line("Launch completed in #{Time.now.to_f - stamp} seconds.") print_line '+' * sizeline end print_status('Done.') end # EOM end def view_targets if targets.nil? || targets.keys.empty? print_status 'No targets have been defined' return end indent = ' ' tbl = Rex::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Defined targets', 'Columns' => [ 'Id', 'Vhost', 'Host', 'Port', 'SSL', 'Path', ] ) targets.each_with_index do |t, idx| tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], "\t" + t[1][:path].to_s ] end print_status tbl.to_s + "\n" end def delete_sites(wmap_index) idx = 0 to_del = {} # Rebuild the index from wmap_sites -l framework.db.hosts.each do |bdhost| bdhost.services.each do |serv| serv.web_sites.each do |web| # If the index of this site matches any deletion index, # add to our hash, saving the index for later output to_del[idx] = web if wmap_index.any? { |w| w.to_i == idx } idx += 1 end end end to_del.each do |widx, wsite| if wsite.delete print_status("Deleted #{wsite.vhost} on #{wsite.service.host.address} at index #{widx}") else print_error("Could note delete {wsite.vhost} on #{wsite.service.host.address} at index #{widx}") end end end def view_sites # Clean temporary sites list self.lastsites = [] indent = ' ' tbl = Rex::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Available sites', 'Columns' => [ 'Id', 'Host', 'Vhost', 'Port', 'Proto', '# Pages', '# Forms', ] ) idx = 0 framework.db.hosts.each do |bdhost| bdhost.services.each do |serv| serv.web_sites.each do |web| c = web.web_pages.count f = web.web_forms.count tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, serv.name, c.to_s, f.to_s ] idx += 1 turl = web.vhost + ',' + serv.name + '://' + bdhost.address.to_s + ':' + serv.port.to_s + '/' lastsites << turl end end end print_status tbl.to_s + "\n" end # Reusing code from hdmoore # # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ def add_web_site(url) vhost = nil # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ if url !~ /^http/ vhost, url = url.split(',', 2) if url.to_s.empty? url = vhost vhost = nil end end # Prefix http:// when the URL has no specified parameter if url !~ %r{^[a-z0-9A-Z]+://} url = 'http://' + url end uri = begin URI.parse(url) rescue StandardError nil end if !uri print_error("Could not understand URL: #{url}") return end vhost = uri.hostname if vhost.nil? if uri.scheme !~ /^https?/ print_error("Only http and https URLs are accepted: #{url}") return end ssl = false if uri.scheme == 'https' ssl = true end site = begin framework.db.report_web_site(wait: true, host: uri.host, port: uri.port, vhost: vhost, ssl: ssl, workspace: framework.db.workspace) rescue SocketError => e elog("Could not get address for #{uri.host}", 'wmap', error: e) print_status("Could not get address for #{uri.host}.") nil end return site end # Code by hdm. Modified two lines by et # def process_urls(urlstr) target_whitelist = [] urls = urlstr.to_s.split(/\s+/) urls.each do |url| next if url.to_s.strip.empty? vhost = nil # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ if url !~ /^http/ vhost, url = url.split(',', 2) if url.to_s.empty? url = vhost vhost = nil end end # Prefix http:// when the URL has no specified parameter if url !~ %r{^[a-z0-9A-Z]+://} url = 'http://' + url end uri = begin URI.parse(url) rescue StandardError nil end if !uri print_error("Could not understand URL: #{url}") next end if uri.scheme !~ /^https?/ print_error("Only http and https URLs are accepted: #{url}") next end target_whitelist << [vhost || uri.host, uri] end # Skip the DB entirely if no matches return if target_whitelist.empty? if !targets # First time targets are defined self.targets = Hash.new end target_whitelist.each do |ent| vhost, target = ent begin address = Rex::Socket.getaddress(target.host, true) rescue SocketError => e elog("Could not get address for #{target.host}", 'wmap', error: e) print_status("Could not get address for #{target.host}. Skipping.") next end host = framework.db.workspace.hosts.find_by_address(address) if !host print_error("No matching host for #{target.host}") next end serv = host.services.find_by_port_and_proto(target.port, 'tcp') if !serv print_error("No matching service for #{target.host}:#{target.port}") next end sites = serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id) sites.each do |site| # Initial default path inipath = target.path if target.path.empty? inipath = '/' end # site.web_forms.where(path: target.path).each do |form| ckey = [ site.vhost, host.address, serv.port, inipath].join('|') if !targets[ckey] targets[ckey] = WebTarget.new targets[ckey].merge!({ vhost: site.vhost, host: host.address, port: serv.port, ssl: (serv.name == 'https'), path: inipath }) # self.targets[ckey][inipath] = [] else print_status('Target already set in targets list.') end # Store the form object in the hash for this path # self.targets[ckey][inipath] << inipath # end end end end # Code by hdm. Modified two lines by et # lastsites contains a temporary array with vhost,url strings so the id can be # referenced in the array and prevent new sites added in the db to corrupt previous id list. def process_ids(idsstr) if !lastsites || lastsites.empty? view_sites print_status('Web sites ids. referenced from previous table.') end target_whitelist = [] ids = idsstr.to_s.split(/,/) ids.each do |id| next if id.to_s.strip.empty? if id.to_i > lastsites.length print_error("Skipping id #{id}...") else target_whitelist << lastsites[id.to_i] print_status("Loading #{lastsites[id.to_i]}.") end end # Skip the DB entirely if no matches return if target_whitelist.empty? if !targets self.targets = Hash.new end target_whitelist.each do |ent| process_urls(ent) end end def view_site_tree(urlstr, md, ld) if !urlstr return end site_whitelist = [] urls = urlstr.to_s.split(/\s+/) urls.each do |url| next if url.to_s.strip.empty? vhost = nil # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ if url !~ /^http/ vhost, url = url.split(',', 2) if url.to_s.empty? url = vhost vhost = nil end end # Prefix http:// when the URL has no specified parameter if url !~ %r{^[a-z0-9A-Z]+://} url = 'http://' + url end uri = begin URI.parse(url) rescue StandardError nil end if !uri print_error("Could not understand URL: #{url}") next end if uri.scheme !~ /^https?/ print_error("Only http and https URLs are accepted: #{url}") next end site_whitelist << [vhost || uri.host, uri] end # Skip the DB entirely if no matches return if site_whitelist.empty? site_whitelist.each do |ent| vhost, target = ent host = framework.db.workspace.hosts.find_by_address(target.host) unless host print_error("No matching host for #{target.host}") next end serv = host.services.find_by_port_and_proto(target.port, 'tcp') unless serv print_error("No matching service for #{target.host}:#{target.port}") next end sites = serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id) sites.each do |site| t = load_tree(site) print_tree(t, target.host, md, ld) print_line("\n") end end end # Private function to avoid duplicate code def load_tree_core(req, wtree) pathchr = '/' tarray = req.path.to_s.split(pathchr) tarray.delete('') tpath = Pathname.new(pathchr) tarray.each do |df| wtree.add_at_path(tpath.to_s, df) tpath += Pathname.new(df.to_s) end end # # Load website structure into a tree # def load_tree(s) wtree = Tree.new(s.vhost) # Load site pages s.web_pages.order('path asc').each do |req| if req.code != 404 load_tree_core(req, wtree) end end # Load site forms s.web_forms.each do |req| load_tree_core(req, wtree) end wtree end def print_file(filename) ext = File.extname(filename) if %w[.txt .md].include? ext print '%bld%red' elsif %w[.css .js].include? ext print '%grn' end print_line("#{filename}%clr") end # # Recursive function for printing the tree structure # def print_tree_recursive(tree, max_level, indent, prefix, is_last, unicode) if !tree.nil? && (tree.depth <= max_level) print(' ' * indent) # Prefix serve to print the superior hierarchy prefix.each do |bool| if unicode print (bool ? ' ' : '│') + (' ' * 3) else print (bool ? ' ' : '|') + (' ' * 3) end end if unicode # The last children is special print (is_last ? '└' : '├') + ('─' * 2) + ' ' else print (is_last ? '`' : '|') + ('-' * 2) + ' ' end c = tree.children.count if c > 0 print_line "%bld%blu#{tree.name}%clr (#{c})" else print_file tree.name end i = 1 new_prefix = prefix + [is_last] tree.children.each_pair do |_, child| is_last = i >= c print_tree_recursive(child, max_level, indent, new_prefix, is_last, unicode) i += 1 end end end # # Print Tree structure. Less ugly # Modified by Jon P. # def print_tree(tree, ip, max_level, unicode) indent = 4 if !tree.nil? && (tree.depth <= max_level) if tree.depth == 0 print_line "\n" + (' ' * indent) + "%cya[#{tree.name}] (#{ip})%clr" end i = 1 c = tree.children.count tree.children.each_pair do |_, child| print_tree_recursive(child, max_level, indent, [], i >= c, unicode) i += 1 end end end # # Signature of the form ',p1,p2,pn' then to be appended to path: path,p1,p2,pn # def signature(fpath, fquery) hsig = queryparse(fquery) fpath + ',' + hsig.map { |p| p[0].to_s }.join(',') end def queryparse(query) params = Hash.new query.split(/[&;]/n).each do |pairs| key, value = pairs.split('=', 2) if params.key?(key) # Error else params[key] = value end end params end def rpc_add_node(host, port, ssl, user, pass, bypass_exist) if !rpcarr self.rpcarr = Hash.new end istr = "#{host}|#{port}|#{ssl}|#{user}|#{pass}" if rpcarr.key?(istr) && !bypass_exist && !rpcarr[istr].nil? print_error("Connection already exists #{istr}") return end begin temprpc = ::Msf::RPC::Client.new( host: host, port: port, ssl: ssl ) rescue StandardError print_error 'Unable to connect' # raise ConnectionError return end res = temprpc.login(user, pass) if !res print_error("Unable to authenticate to #{host}:#{port}.") return end res = temprpc.call('core.version') print_status("Connected to #{host}:#{port} [#{res['version']}].") rpcarr[istr] = temprpc rescue StandardError print_error('Unable to connect') end def local_module_exec(mod, mtype, opts, _nmaxjobs) jobify = false modinst = framework.modules.create(mod) if !modinst print_error('Unknown module') return end sess = nil case mtype when 'auxiliary' Msf::Simple::Auxiliary.run_simple(modinst, { 'Action' => opts['ACTION'], 'LocalOutput' => driver.output, 'RunAsJob' => jobify, 'Options' => opts }) when 'exploit' if !(opts['PAYLOAD']) opts['PAYLOAD'] = WmapCommandDispatcher::Exploit.choose_payload(modinst, opts['TARGET']) end sess = Msf::Simple::Exploit.exploit_simple(modinst, { 'Payload' => opts['PAYLOAD'], 'Target' => opts['TARGET'], 'LocalOutput' => driver.output, 'RunAsJob' => jobify, 'Options' => opts }) else print_error('Wrong mtype.') end if sess if ((jobify == false) && sess.interactive?) print_line driver.run_single("sessions -q -i #{sess.sid}") else print_status("Session #{sess.sid} created in the background.") end end end def rpc_round_exec(mod, mtype, opts, nmaxjobs) res = nil idx = 0 if active_rpc_nodes == 0 if !runlocal print_error('All active nodes not working or removed') return end res = true else rpc_reconnect_nodes end if masstop return end until res if active_rpc_nodes == 0 print_error('All active nodes not working or removed') return end # find the node with less jobs load. minjobs = nmaxjobs minconn = nil nid = 0 rpcarr.each do |k, rpccon| if !rpccon print_error("Skipping inactive node #{nid} #{k}") nid += 1 end begin currentjobs = rpccon.call('job.list').length if currentjobs < minjobs minconn = rpccon minjobs = currentjobs end if currentjobs == nmaxjobs && (nmaxdisplay == false) print_error("Node #{nid} reached max number of jobs #{nmaxjobs}") print_error('Waiting for available node/slot...') self.nmaxdisplay = true end # print_status("Node #{nid} #currentjobs #{currentjobs} #min #{minjobs}") rescue StandardError print_error("Unable to connect. Node #{tarr[0]}:#{tarr[1]}") rpcarr[k] = nil if active_rpc_nodes == 0 print_error('All active nodes, not working or removed') return else print_error('Sending job to next node') next end end nid += 1 end if minjobs < nmaxjobs res = minconn.call('module.execute', mtype, mod, opts) self.nmaxdisplay = false # print_status(">>>#{res} #{mod}") if res if res.key?('job_id') return else print_error("Unable to execute module in node #{k} #{res}") end end end # print_status("Max number of jobs #{nmaxjobs} reached in node #{k}") if minjobs >= nmaxjobs idx += 1 end if runlocal && !masstop local_module_exec(mod, mtype, opts, nmaxjobs) end end def rpc_db_nodes(host, port, user, pass, name) rpc_reconnect_nodes if active_rpc_nodes == 0 print_error('No active nodes at this time') return end rpcarr.each do |k, v| if v v.call('db.driver', { driver: 'postgresql' }) v.call('db.connect', { database: name, host: host, port: port, username: user, password: pass }) res = v.call('db.status') if res['db'] == name print_status("db_connect #{res} #{host}:#{port} OK") else print_error("Error db_connect #{res} #{host}:#{port}") end else print_error("No connection to node #{k}") end end end def rpc_reconnect_nodes # Sucky 5 mins token timeout. idx = nil rpcarr.each do |k, rpccon| next unless rpccon idx = k begin rpccon.call('job.list').length rescue StandardError tarr = k.split('|') res = rpccon.login(tarr[3], tarr[4]) raise ConnectionError unless res print_error("Reauth to node #{tarr[0]}:#{tarr[1]}") break end end rescue StandardError print_error("ERROR CONNECTING TO NODE. Disabling #{idx} use wmap_nodes -a to reconnect") rpcarr[idx] = nil if active_rpc_nodes == 0 print_error('No active nodes') self.masstop = true end end def rpc_kill_node(i, j) if !i print_error('Nodes not defined') return end if !j print_error('Node jobs defined') return end rpc_reconnect_nodes if active_rpc_nodes == 0 print_error('No active nodes at this time') return end idx = 0 rpcarr.each do |_k, rpccon| if (idx == i.to_i) || (i.upcase == 'ALL') # begin if !rpccon print_error("No connection to node #{idx}") else n = rpccon.call('job.list') n.each do |id, name| if (j == id.to_s) || (j.upcase == 'ALL') rpccon.call('job.stop', id) print_status("Node #{idx} Killed job id #{id} #{name}") end end end # rescue # print_error("No connection") # end end idx += 1 end end def rpc_view_jobs indent = ' ' rpc_reconnect_nodes if active_rpc_nodes == 0 print_error('No active nodes at this time') return end idx = 0 rpcarr.each do |k, rpccon| if !rpccon print_status("[Node ##{idx}: #{k} DISABLED/NO CONNECTION]") else arrk = k.split('|') print_status("[Node ##{idx}: #{arrk[0]} Port:#{arrk[1]} SSL:#{arrk[2]} User:#{arrk[3]}]") begin n = rpccon.call('job.list') tbl = Rex::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Jobs', 'Columns' => [ 'Id', 'Job name', 'Target', 'PATH', ] ) n.each do |id, name| jinfo = rpccon.call('job.info', id) dstore = jinfo['datastore'] tbl << [ id.to_s, name, dstore['VHOST'] + ':' + dstore['RPORT'], dstore['PATH']] end print_status tbl.to_s + "\n" rescue StandardError print_status("[Node ##{idx} #{k} DISABLED/NO CONNECTION]") end end idx += 1 end end # Modified from http://stackoverflow.com/questions/946738/detect-key-press-non-blocking-w-o-getc-gets-in-ruby def quit? while (c = driver.input.read_nonblock(1)) print_status('Quited') return true if c == 'Q' end false rescue Errno::EINTR false rescue Errno::EAGAIN false rescue EOFError true end def rpc_mon_nodes # Pretty monitor color = begin opts['ConsoleDriver'].output.supports_color? rescue StandardError false end colors = [ '%grn', '%blu', '%yel', '%whi' ] # begin loop do rpc_reconnect_nodes idx = 0 rpcarr.each do |_k, rpccon| v = 'NOCONN' n = 1 c = '%red' if !rpccon v = 'NOCONN' n = 1 c = '%red' else begin v = '' c = '%blu' rescue StandardError v = 'ERROR' c = '%red' end begin n = rpccon.call('job.list').length c = '%blu' rescue StandardError n = 1 v = 'NOCONN' c = '%red' end end # begin if !@stdio @stdio = Rex::Ui::Text::Output::Stdio.new end if color == true @stdio.auto_color else @stdio.disable_color end msg = "[#{idx}] #{"%bld#{c}||%clr" * n} #{n} #{v}\n" @stdio.print_raw(@stdio.substitute_colors(msg)) # rescue # blah # end sleep(2) idx += 1 end end # rescue # print_status("End.") # end end def rpc_list_nodes indent = ' ' tbl = Rex::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Nodes', 'Columns' => [ 'Id', 'Host', 'Port', 'SSL', 'User', 'Pass', 'Status', '#jobs', ] ) idx = 0 rpc_reconnect_nodes rpcarr.each do |k, rpccon| arrk = k.split('|') if !rpccon v = 'NOCONN' n = '' else begin v = rpccon.call('core.version')['version'] rescue StandardError v = 'ERROR' end begin n = rpccon.call('job.list').length rescue StandardError n = '' end end tbl << [ idx.to_s, arrk[0], arrk[1], arrk[2], arrk[3], arrk[4], v, n] idx += 1 end print_status tbl.to_s + "\n" end def active_rpc_nodes return 0 if rpcarr.empty? idx = 0 rpcarr.each do |_k, conn| if conn idx += 1 end end idx end def view_modules indent = ' ' wmaptype = %i[ wmap_ssl wmap_server wmap_dir wmap_file wmap_unique_query wmap_query wmap_generic ] if !wmapmodules load_wmap_modules(true) end wmaptype.each do |modt| tbl = Rex::Text::Table.new( 'Indent' => indent.length, 'Header' => modt.to_s, 'Columns' => [ 'Name', 'OrderID', ] ) idx = 0 wmapmodules.each do |w| oid = w[3] if w[3] == 0xFFFFFF oid = ':last' end if w[2] == modt tbl << [w[0], oid] idx += 1 end end print_status tbl.to_s + "\n" end end # Sort hash by orderid # Yes sorting hashes dont make sense but actually it does when you are enumerating one. And # sort_by of a hash returns an array so this is the reason for this ugly piece of code def sort_by_orderid(matches) temphash = Hash.new temparr = matches.sort_by do |xref, _v| xref[3] end temparr.each do |b| temphash[b[0]] = b[1] end temphash end # Load all wmap modules def load_wmap_modules(reload) if reload || !wmapmodules print_status('Loading wmap modules...') self.wmapmodules = [] idx = 0 [ [ framework.auxiliary, 'auxiliary' ], [framework.exploits, 'exploit' ] ].each do |mtype| # Scan all exploit modules for matching references mtype[0].each_module do |n, m| e = m.new # Only include wmap_enabled plugins next unless e.respond_to?('wmap_enabled') penabled = e.wmap_enabled if penabled wmapmodules << [mtype[1] + '/' + n, mtype[1], e.wmap_type, e.orderid] idx += 1 end end end print_status("#{idx} wmap enabled modules loaded.") end end def view_vulns framework.db.hosts.each do |host| host.services.each do |serv| serv.web_sites.each do |site| site.web_vulns.each do |wv| print_status("+ [#{host.address}] (#{site.vhost}): #{wv.category} #{wv.path}") print_status("\t#{wv.name} #{wv.description}") print_status("\t#{wv.method} #{wv.proof}") end end end end end end class WebTarget < ::Hash def to_url proto = self[:ssl] ? 'https' : 'http' "#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}" end end def initialize(framework, opts) super if framework.db.active == false raise 'Database not connected (try db_connect)' end color = begin self.opts['ConsoleDriver'].output.supports_color? rescue StandardError false end wmapversion = '1.5.1' wmapbanner = "%red\n.-.-.-..-.-.-..---..---.%clr\n" wmapbanner += "%red| | | || | | || | || |-'%clr\n" wmapbanner += "%red`-----'`-'-'-'`-^-'`-'%clr\n" wmapbanner += "[WMAP #{wmapversion}] === et [ ] metasploit.com 2012\n" if !@stdio @stdio = Rex::Ui::Text::Output::Stdio.new end if color == true @stdio.auto_color else @stdio.disable_color end @stdio.print_raw(@stdio.substitute_colors(wmapbanner)) add_console_dispatcher(WmapCommandDispatcher) # print_status("#{wmapbanner}") end def cleanup remove_console_dispatcher('wmap') end def name 'wmap' end def desc 'Web assessment plugin' end end end