adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
afe28523f318930c76330c1fca42d4e39adeb7ea
metasploit-gs/plugins/wmap.rb
T
Tod Beardsley 4bcbdc54c9 Cutting over rails3 to master. 
This switches the Metasploit Framework to a Rails 3 backend. If you run
into new problems (especially around Active Record or your postgresql
gem) you should try first updating your Ruby installation to 1.9.3 and
use a more recent 'pg' gem.

If that fails, we'd love to see your bug report (just drop all the
detail you can into an issue on GitHub). In the meantime, you can
checkout the rails2 branch, which was branched from master immediately
before this cutover.

Squashed commit of the following:

commit 5802ec851580341c6717dfea529027c12678d35f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 23:30:12 2012 -0500

    Enable MSF_BUNDLE_GEMS mode by default (set to N/F/0 to disable)

commit 8102f98dce9eb0c73c4374e40dce09af7b51d060
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 23:30:03 2012 -0500

    Add a method to expand win32 file paths

commit bda6479d154cf75572dd5de8b66bfde661a55de9
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:53:44 2012 -0500

    Fix 1.8.x compatibility

commit 101ce4eb17bfdf755ef8c0a5198174668b6cd6fd
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:40:59 2012 -0500

    Use verbose instead of stringio

commit 5db467ffb593488285576d183b1662093e454b3e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:30:06 2012 -0500

    Hide the iconv warning, were stuck with it due to EBCDIC support

commit 63b9cb20eb6a61daf4effb4c8d2761c16ff0c4e0
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:29:58 2012 -0500

    Dont use GEM_HOME by default

commit ca49271c22c314a4465fff934334df18c704cbc0
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:23:34 2012 -0500

    Move Gemfile to root (there be dragons, lets find them) and catch failed bundler loads

commit 34af04076a068e9f60c5526045ddbba5fca359fd
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 18:18:29 2012 -0500

    Fallback to bundler when not running inside of a installer env

commit ed1066a4f3f12fae7d4afc03eb1ab70ffe2f9cf3
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 16:26:55 2012 -0500

    Remove a mess of gems that were not actually required

commit 21290a73926809e9049a59359449168f740d13d2
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 15:59:10 2012 -0500

    Hack around a gem() call that is well-intentioned but an obstacle in this case

commit 8e414a8bfab9641c81088d22f73033be5b37a700
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Apr 15 15:06:08 2012 -0500

    Ruby, come on. Ducktype this. Please.

    Use interpolated strings to get the to_s behavior you don't get with
    just plussing.

commit 0fa92c58750f8f84edbecfaab72cd2da5062743f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 15:05:42 2012 -0500

    Add new eventmachine/thin gems

commit 819d5e7d45e0a16741d3852df3ed110b4d7abc44
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 15:01:18 2012 -0500

    Purge (reimport in a second)

commit ea6f3f6c434537ca15b6c6674e31081e27ce7f86
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 14:54:42 2012 -0500

    Cleanup uncessary .so files (ext vs lib)

commit d219330a3cc563e9da9f01fade016c9ed8cda21c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 14:53:02 2012 -0500

    PG gems built against the older installation environment

commit d6e590cfa331ae7b25313ff1471c6148a6b36f3b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 14:06:35 2012 -0500

    Rename to include the version

commit a893de222b97ce1222a55324f1811b0262aae2d0
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 13:56:47 2012 -0500

    Detect older installation environments and load the arch-lib directories into the search path

commit 6444bba0a421921e2ebe2df2323277a586f9736f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 13:49:25 2012 -0500

    Merge in windows gems

commit 95efbcfde220917bc7ee08e6083d7b383240d185
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Apr 15 13:49:33 2012 -0500

    Report_vuln shouldn't use :include in finder

    find_or_create_by doesn't take :include as a param.

commit c5f99eb87f0874ef7d32fa42828841c9a714b787
Author: David Maloney <DMaloney@rapid7.com>
Date:   Sun Apr 15 12:44:09 2012 -0500

    One more msised Mdm namespace issue

commit 2184e2bbc3dd9b0993e8f21d2811a65a0c694d68
Author: David Maloney <DMaloney@rapid7.com>
Date:   Sun Apr 15 12:33:41 2012 -0500

    Fixes some mroe Mdm namespace confusion
    Fixes #6626

commit 10cee17f391f398bb2be3409137ff7348c7a66ee
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 03:40:44 2012 -0500

    Add robots gem (required by webscan)

commit 327e674c83850101364c9cca8f8d16da1de3dfb5
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 03:39:05 2012 -0500

    Fix missing error checks

commit a5a24641866e47e611d7636a3f19ba3b3ed10ac5
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 01:15:37 2012 -0500

    Reorder requires and add a method for injecting a new migration path

commit 250a5fa5ae8cb05807af022aa4168907772c15f8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 00:56:09 2012 -0500

    Remove missing constant (use string) and add gemcache cleaner

commit 37ad6063fce0a41dddedb857fa49aa2c4834a508
Merge: d47ee82 4be0361
Author: Tod Beardsley <todb@metasploit.com>
Date:   Sun Apr 15 00:40:16 2012 -0500

    Merge branch 'master-clone' into rails3-clone

commit d47ee82ad7e66de53dd3d3a65649cc37299a2479
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 00:30:03 2012 -0500

    cleanup leftovers from gems

commit 6d883b5aa8a3a7ddbcde5bfd4521d57c5b30d3c2
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Apr 15 00:25:47 2012 -0500

    MDM update with purged DBSave module

commit 71e4f2d81f6da221b76150562a16c730888f5925
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 23:19:37 2012 -0500

    Add new mdm

commit 651cd5adac8211d65e0c8079371d8264e549533a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 23:19:13 2012 -0500

    Update mdm

commit 0191a8bd0acec30ddb2a9e9c291111a12378537f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 22:30:40 2012 -0500

    This fixes numerous cases of missed Mdm:: prefixes on db objects

commit a2a9bb3f2148622c135663dead80b3367b6f7695
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 18:30:18 2012 -0500

    Add eventmachine

commit 301ddeb12b906ed3c508613ca894347bedc3b499
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 18:18:12 2012 -0500

    A nicer error for folks who need to upgrade pg

commit fa6bde1e67b12e2d3d9978f59bbc98e0c1a1a707
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 17:54:55 2012 -0500

    Remove bundler requirements

commit 2e3ab9ed211303f1116e602b9a450141b71e56a4
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 17:35:38 2012 -0500

    Pull in eventmachine with actual .so's this time

commit 901fb33ff6b754ce2c2cfd51e3b0b669f6ec600b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 17:19:12 2012 -0500

    Update deps, still need to add eventmachine

commit 6b0e17068e8caa0601f3ef81e8dbdb672758fcbe
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 13:07:06 2012 -0500

    Handle older installer environments and only allow binary gems when the
    environment specifically asks for it

commit b98eb7873a6342834840424699caa414a5cb172a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 04:05:13 2012 -0500

    Bump version to -testing

commit 6ac508c4ba3fdc278aaf8cfe2c58d01de3395431
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 02:25:09 2012 -0500

    Remove msf3 subdir

commit a27dac5067635a95b4cbb773df1985f2a2dc2c5a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 02:24:39 2012 -0500

    Remove the old busted external

commit 5fb5a0fc642b6c301934c319db854cc3145427a1
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 02:03:10 2012 -0500

    Add the gemcache loader

commit 09e2d89dfd09b9ac0c123fcc4e19816c86725627
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Apr 14 02:02:23 2012 -0500

    Purge gemfile/bundler configure in exchange for new gemcache setup

commit 3cc0264e1cfb027b515d7f24b95a74b023bd905c
Author: Tod Beardsley <todb@metasploit.com>
Date:   Thu Apr 12 14:11:45 2012 -0500

    Mode change on modicon_ladder.apx

commit c18b3d56efd639e461137acdc76b4b283fe978d4
Author: HD Moore <hd_moore@rapid7.com>
Date:   Thu Apr 12 01:38:56 2012 -0500

    The go faster button

commit ca2a67d51d6d4c7c3ca2e745f8b018279aef668a
Merge: 674ee09 b8129f9
Author: Tod Beardsley <todb@metasploit.com>
Date:   Mon Apr 9 15:50:33 2012 -0500

    Merge branch 'master-clone' into rails3-clone

    Picking up Packetfu upstream changes, all pretty minor

commit 674ee097ab8a6bc9608bf377479ccd0b87e7302b
Merge: e9513e5 a26e844
Author: Tod Beardsley <todb@metasploit.com>
Date:   Mon Apr 9 13:57:26 2012 -0500

    Merge branch 'master-clone' into rails3-clone

    Conflicts:
    	lib/msf/core/handler/reverse_http.rb
    	lib/msf/core/handler/reverse_https.rb
    	modules/auxiliary/scanner/discovery/udp_probe.rb
    	modules/auxiliary/scanner/discovery/udp_sweep.rb

    Resolved conflicts with the reverse_http handlers and the udp probe /
    scanners byt favoring the more recent changes (which happened to be the
    intent anyway). The reverse_http and reverse_https changes were mine so
    I know what the intent was, and @dmaloney-r7 changed udp_probe and
    udp_sweep to use pcAnywhere_stat instead of merely pcAnywhere, so the
    intent is clear there as well.

commit e9513e54f984fdb100c13b44a1724246779ccb76
Author: David Maloney <dmaloney@melodie.gateway.2wire.net>
Date:   Fri Apr 6 18:21:46 2012 -0500

    Some fixes to how services get reported to prevent issues with the web interface

commit adeb44e9aaf1a329a0e587d2b26e678398730422
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Mon Apr 2 15:39:46 2012 -0500

    Some corrections to pcAnywhere discovery modules to distinguish between the two services

commit b13900176484fea8f5217a2ef925ae2ad9b7af47
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 31 12:03:21 2012 -0500

    Enable additional migration-path parameters, use a temporary directory to bring the database online

commit 526b4c56883f461417f71269404faef38639917c
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Wed Mar 28 23:24:56 2012 -0500

    A bunch of Mdsm fixes for .kind_of? calls, to make sure we ponit to the right place

commit 2cf3143370af808637d164ce59400605300f922c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 26 16:22:09 2012 -0500

    Check for ruby 2.0 as well as 1.9 for encoding override

commit 4d0f51b76d89f00f7acbce6b1f00dc6e4c4545ee
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 26 15:36:04 2012 -0500

    Remove debug statement

commit f5d2335e7745aa1a354f4d6c8fc9d0b3876c472a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 26 15:01:55 2012 -0500

    Be explicit about the Mdm namespace

commit bc8be225606d6ea38dd2a85ab4310c1c181a94ee
Author: hdm <hdm@hypo.(none)>
Date:   Mon Mar 26 11:49:51 2012 -0500

    Precalculate some uri strings in case the 1000-round generation fails

commit 4254f419723349ffb93e4aebdaeabbd7d66bf8c0
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Sat Mar 24 14:03:44 2012 -0500

    Removed some non-namespaced calls to Host

commit c8190e1bb8ad365fb0d7a1c4a9173e6c739be85c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Mar 20 00:37:00 2012 -0500

    Purge the rvmrc, this is causing major headaches

commit 76df18588917b7150a3bedf2569710a80bab51f8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Mar 20 00:31:52 2012 -0500

    Switch .rvmrc to the shipping 1.9.3 version

commit 7124971d00
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Mon Mar 12 16:56:40 2012 -0500

    Adds mixin for looking up Mime Types by extension

commit b7ca835316
Merge: a0b0c75 6b9a219
Author: Matt Buck <techpeace@gmail.com>
Date:   Tue Mar 6 19:38:53 2012 -0600

    Merge from develop.

commit a0b0c7528d
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Mar 6 11:08:59 2012 -0600

    Somehow migration file is new?

commit 84d2b3cb1a
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Wed Feb 29 16:38:55 2012 -0600

    Added ability to specify headers to redirects in http server

commit e50d27cda8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Feb 4 04:44:50 2012 -0600

    Tweak the event dispatcher to enable customer events without a category
    and trigger http request events from the main exploit mixin.
    Experimental

commit 0e4fd2040d
Author: Matt Buck <Matthew_Buck@rapid7.com>
Date:   Thu Feb 2 22:09:05 2012 -0600

    Change Msm -> Mdm in migrations. This is what was preventing migrations from finishing on first boot.

commit c94a2961d0
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Wed Feb 1 12:48:48 2012 -0600

    Changed Gemfile to use new gem name

commit 245c2063f0
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Wed Feb 1 12:47:42 2012 -0600

    Did find/replace for final namespace of Mdm

commit 6ed9bf8430
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Jan 24 10:47:44 2012 -0600

    Fix a bunch of namespace issues

commit 2fe08d9e42
Author: Matt Buck <Matthew_Buck@rapid7.com>
Date:   Fri Jan 20 14:37:37 2012 -0600

    Update Msm contstants in migrations for initial DB builds.

commit 4cc6b8fb04
Author: Matt Buck <Matthew_Buck@rapid7.com>
Date:   Fri Jan 20 14:37:25 2012 -0600

    Update Gemfile.lock.

commit 1cc655b678
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Thu Jan 19 11:48:29 2012 -0600

    Errant Workspaces needed namespace

commit 607a782855
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Jan 17 15:44:02 2012 -0600

    Refactored all models to use the new namespace

    * Every model using DBManager::* namespace is now Msm namespace
    * Almost all of this in msf/base/core
    * Some in modules

commit a690cd959b
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Jan 17 13:41:44 2012 -0600

    Move bundler setup

commit dae115cc8f
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Mon Jan 9 15:51:07 2012 -0600

    Moved ActiveSupport dep to gem

commit d32f8edb6e
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Mon Jan 9 14:40:05 2012 -0600

    Removed model require file

commit d0c74cff8c
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Jan 3 16:06:10 2012 -0600

    Update some more finds

commit 4eb79ea6b5
Author: Trevor Rosen <Trevor_Rosen@rapid7.com>
Date:   Tue Jan 3 14:21:15 2012 -0600

    Yet another dumb commit

commit a75febcb59
Author: Trevor Rosen <trevor@catapult-creative.com>
Date:   Thu Dec 29 19:20:51 2011 -0600

    Fixing deletion

commit dc139ff2fd
Author: Trevor Rosen <trevor@catapult-creative.com>
Date:   Wed Dec 7 17:06:45 2011 -0600

    Fixed erroneous commit

commit 531c1e611c
Author: Trevor Rosen <trevor@catapult-creative.com>
Date:   Mon Nov 21 16:11:35 2011 -0600

    Remove AR patch stuff; attempting to debug non-connection between MSF and Pro

commit 4586112241
Author: Trevor Rosen <trevor@catapult-creative.com>
Date:   Fri Nov 18 16:17:27 2011 -0600

    Drop ActiveRecord/ActiveSupport in preparation for upgrade
2012-04-15 23:35:38 -05:00

2256 lines
52 KiB
Ruby
Raw Blame History

#
# Web assessment for the metasploit framework
# Efrain Torres - et[ ] metasploit.com 2012
#
# $Id$
# $Revision$
#
require 'rabal/tree'
require 'msf/core/rpc/v10/client'
#require 'fileutils'
module Msf
class Plugin::Wmap < Msf::Plugin
class WmapCommandDispatcher
attr_accessor :wmapmodules # Enabled Wmap modules
attr_accessor :targets # Targets
attr_accessor :lastsites # Temp location of previously obtained sites
attr_accessor :rpcarr # Array or rpc connections
attr_accessor :njobs # Max number of jobs
attr_accessor :nmaxdisplay # Flag to stop displaying the same mesg
attr_accessor :runlocal # Flag to run local modules only
attr_accessor :masstop # Flag to stop everything
attr_accessor :killwhenstop # Kill process when exiting
include Msf::Ui::Console::CommandDispatcher
def name
"wmap"
end
#
# The initial command set
#
def commands
{
"wmap_targets" => "Manage targets",
"wmap_sites" => "Manage sites",
"wmap_nodes" => "Manage nodes",
"wmap_run" => "Test targets",
"wmap_modules" => "Manage wmap modules",
"wmap_vulns" => "Display web vulns",
}
end
def cmd_wmap_vulns(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-l'
view_vulns
return
when '-h'
print_status("Usage: wmap_vulns [options]")
print_line("\t-h Display this help text")
print_line("\t-l Display web vulns table")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_modules(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-l'
view_modules
return
when '-r'
load_wmap_modules(true)
return
when '-h'
print_status("Usage: wmap_modules [options]")
print_line("\t-h Display this help text")
print_line("\t-l List all wmap enabled modules")
print_line("\t-r Reload wmap modules")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_targets(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-c'
self.targets = Hash.new()
when '-l'
view_targets
return
when '-t'
process_urls(args.shift)
when '-d'
process_ids(args.shift)
when '-h'
print_status("Usage: wmap_targets [options]")
print_line("\t-h Display this help text")
print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ")
print_line("\t-d [ids] Define target sites (id1, id2, id3 ...)")
print_line("\t-c Clean target sites list")
print_line("\t-l List all target sites")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_sites(*args)
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-a'
s = add_web_site(args.shift)
if s
print_status("Site created.")
else
print_error("Unable to create site")
end
when '-l'
view_sites
return
when '-s'
u = args.shift
l = args.shift
s = args.shift
if not u
return
end
if l == nil or l.empty?
l = 200
s = true
else
l = l.to_i
s = false
end
if u.include? 'http'
# Parameters are in url form
view_site_tree(u,l,s)
else
# Parameters are digits
if !self.lastsites or self.lastsites.length == 0
view_sites
print_status ("Web sites ids. referenced from previous table.")
end
target_whitelist = []
ids = u.to_s.split(/,/)
ids.each do |id|
next if id.to_s.strip.empty?
if id.to_i > self.lastsites.length
print_error("Skipping id #{id}...")
else
target_whitelist << self.lastsites[id.to_i]
#print_status("Loading #{self.lastsites[id.to_i]}.")
end
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
self.targets = Hash.new()
end
target_whitelist.each do |ent|
view_site_tree(ent,l,s)
end
end
return
when '-h'
print_status("Usage: wmap_sites [options]")
print_line("\t-h Display this help text")
print_line("\t-a [url] Add site (vhost,url)")
print_line("\t-l List all available sites")
print_line("\t-s [id] Display site structure (vhost,url|ids) (level)")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_nodes(*args)
if not self.rpcarr
self.rpcarr=Hash.new()
end
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-a'
h = args.shift
r = args.shift
s = args.shift
u = args.shift
p = args.shift
res = rpc_add_node(h,r,s,u,p,false)
if res
print_status("Node created.")
else
print_error("Unable to create node")
end
when '-c'
idref = args.shift
if not idref
print_error("No id defined")
return
end
if idref.upcase == 'ALL'
print_status("All nodes removed")
self.rpcarr = Hash.new()
else
idx=0
self.rpcarr.each do |k,v|
if idx == idref.to_i
self.rpcarr.delete(k)
print_status("Node deleted #{k}")
end
idx += 1
end
end
when '-d'
host = args.shift
port = args.shift
user = args.shift
pass = args.shift
dbname = args.shift
res = rpc_db_nodes(host,port,user,pass,dbname)
if res
print_status("OK.")
else
print_error("Error")
end
when '-l'
rpc_list_nodes
return
when '-j'
rpc_view_jobs
return
when '-k'
node = args.shift
jid = args.shift
rpc_kill_node(node,jid)
return
when '-h'
print_status("Usage: wmap_nodes [options]")
print_line("\t-h Display this help text")
print_line("\t-c id Remove id node (Use ALL for ALL nodes")
print_line("\t-a host port ssl user pass Add node")
print_line("\t-d host port user pass db Force all nodes to connect to db")
print_line("\t-j View detailed jobs")
print_line("\t-k ALL|id ALL|job_id Kill jobs on node")
print_line("\t-l List all current nodes")
print_line("")
return
else
print_error("Unknown flag.")
return
end
end
end
def cmd_wmap_run(*args)
# Stop everything
self.masstop = false
self.killwhenstop = true
trap("INT") {
print_error("Stopping execution...")
self.masstop = true
if self.killwhenstop
rpc_kill_node('ALL','ALL')
end
return
}
# Max numbers of concurrent jobs per node
self.njobs = 25
self.nmaxdisplay = false
self.runlocal = false
# Formating
sizeline = 60
wmap_show = 2**0
wmap_expl = 2**1
# Exclude files can be modified by setting datastore['WMAP_EXCLUDE']
wmap_exclude_files = '.*\.(gif|jpg|png*)$'
run_wmap_ssl = true
run_wmap_server = true
run_wmap_dir_file = true
run_wmap_query = true
run_wmap_unique_query = true
run_wmap_generic = true
# If module supports datastore['VERBOSE']
moduleverbose = false
showprogress = false
if not self.rpcarr
self.rpcarr = Hash.new()
end
if not run_wmap_ssl
print_status("Loading of wmap ssl modules disabled.")
end
if not run_wmap_server
print_status("Loading of wmap server modules disabled.")
end
if not run_wmap_dir_file
print_status("Loading of wmap dir and file modules disabled.")
end
if not run_wmap_query
print_status("Loading of wmap query modules disabled.")
end
if not run_wmap_unique_query
print_status("Loading of wmap unique query modules disabled.")
end
if not run_wmap_generic
print_status("Loading of wmap generic modules disabled.")
end
stamp = Time.now.to_f
mode = 0
eprofile = []
using_p = false
using_m = false
usinginipath = false
mname = ''
inipathname = '/'
args.push("-h") if args.length == 0
while (arg = args.shift)
case arg
when '-t'
mode |= wmap_show
when '-e'
mode |= wmap_expl
profile = args.shift
if profile
print_status("Using profile #{profile}.")
begin
File.open(profile).each do |str|
if not str.include? '#'
# Not a comment
modname = str.strip
if not modname.empty?
eprofile << modname
end
end
using_p = true
end
rescue
print_error("Profile not found or invalid.")
return
end
else
print_status("Using ALL wmap enabled modules.")
end
when '-m'
mode |= wmap_expl
mname = args.shift
if mname
print_status("Using module #{mname}.")
end
using_m = true
when '-p'
mode |= wmap_expl
inipathname = args.shift
if inipathname
print_status("Using initial path #{inipathname}.")
end
usinginipath = true
when '-h'
print_status("Usage: wmap_run [options]")
print_line("\t-h Display this help text")
print_line("\t-t Show all enabled modules")
print_line("\t-m [regex] Launch only modules that name match provided regex.")
print_line("\t-p [regex] Only test path defined by regex.")
print_line("\t-e [/path/to/profile] Launch profile modules against all matched targets.")
print_line("\t (No profile file runs all enabled modules.)")
print_line("")
return
else
print_error("Unknown flag")
return
end
end
if (self.rpcarr.length == 0) and (mode & wmap_show == 0)
print_error("NO WMAP NODES DEFINED. Executing local modules")
self.runlocal = true
end
if self.targets == nil
print_error("Targets have not been selected.")
return
end
if self.targets.keys.length == 0
print_error("Targets have not been selected.")
return
end
execmod = true
if (mode & wmap_show != 0)
execmod = false
end
self.targets.each_with_index do |t, idx|
selected_host = t[1][:host]
selected_port = t[1][:port]
selected_ssl = t[1][:ssl]
selected_vhost = t[1][:vhost]
print_status ("Testing target:")
print_status ("\tSite: #{selected_vhost} (#{selected_host})")
print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}")
print_line '='* sizeline
print_status("Testing started. #{(Time.now )}")
if not selected_ssl
run_wmap_ssl = false
#print_status ("Target is not SSL. SSL modules disabled.")
end
# wmap_dir, wmap_file
matches = Hash.new()
# wmap_server
matches1 = Hash.new()
# wmap_query
matches2 = Hash.new()
# wmap_ssl
matches3 = Hash.new()
# wmap_unique_query
matches5 = Hash.new()
# wmap_generic
matches10 = Hash.new()
# OPTIONS
opt_str = nil
jobify = false
# This will be clean later
load_wmap_modules(false)
self.wmapmodules.each do |w|
case w[2]
when :wmap_server
if run_wmap_server
matches1[w]=true
end
when :wmap_query
if run_wmap_query
matches2[w]=true
end
when :wmap_unique_query
if run_wmap_unique_query
matches5[w]=true
end
when :wmap_generic
if run_wmap_generic
matches10[w]=true
end
when :wmap_dir, :wmap_file
if run_wmap_dir_file
matches[w]=true
end
when :wmap_ssl
if run_wmap_ssl
matches3[w]=true
end
else
# Black Hole
end
end
# Execution order (orderid)
matches = sort_by_orderid(matches)
matches1 = sort_by_orderid(matches1)
matches2 = sort_by_orderid(matches2)
matches3 = sort_by_orderid(matches3)
matches5 = sort_by_orderid(matches5)
matches10 = sort_by_orderid(matches10)
#
# Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server.
# :wmap_ssl
#
print_status "\n=[ SSL testing ]="
print_line "=" * sizeline
if not selected_ssl
print_status ("Target is not SSL. SSL modules disabled.")
end
idx = 0
matches3.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules that need to be run before all tests, once usually again the web server.
# :wmap_server
#
print_status "\n=[ Web Server testing ]="
print_line "=" * sizeline
idx = 0
matches1.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules to be run at every path/file
# wmap_dir, wmap_file
#
print_status "\n=[ File/Dir testing ]="
print_line "=" * sizeline
idx = 0
matches.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx+=1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins that only need to be
# launched once.
#
wtype = xref[2]
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
test_tree = load_tree(w)
test_tree.each do |node|
if self.masstop
print_error("STOPPED.")
return
end
p = node.current_path
testpath = Pathname.new(p)
strpath = testpath.cleanpath(false).to_s
#
# Fixing paths
#
if node.is_leaf? and not node.is_root?
#
# Later we can add here more checks to see if its a file
#
else
if node.is_root?
strpath = "/"
else
strpath = strpath.chomp + "/"
end
end
strpath = strpath.gsub("//", "/")
#print_status("Testing path: #{strpath}")
#
# Launch plugin depending module type.
# Module type depends on main input type.
# Code may be the same but it depend on final
# versions of plugins
#
case wtype
when :wmap_file
if node.is_leaf? and not node.is_root?
#
# Check if an exclusion regex has been defined
#
if self.framework.datastore['WMAP_EXCLUDE']
excludefilestr = self.framework.datastore['WMAP_EXCLUDE']
else
excludefilestr = wmap_exclude_files
end
if not strpath.match(excludefilestr)
if (not usinginipath) or (usinginipath and strpath.match(inipathname))
modopts['PATH'] = strpath
print_status("Path: #{strpath}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
when :wmap_dir
if (node.is_leaf? and not strpath.include? ".") or node.is_root? or not node.is_leaf?
if (not usinginipath) or (usinginipath and strpath.match(inipathname))
modopts['PATH'] = strpath
print_status("Path: #{strpath}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Run modules for each request to play with URI with UNIQUE query parameters.
# wmap_unique_query
#
print_status "\n=[ Unique Query testing ]="
print_line "=" * sizeline
idx = 0
matches5.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins for each request that have a distinct
# GET/POST URI QUERY string.
#
utest_query = Hash.new()
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |form|
if self.masstop
print_error("STOPPED.")
return
end
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
datastr = ""
typestr = ""
temparr = []
#print_status "---------"
#print_status form.params
#print_status "+++++++++"
form.params.each do |p|
pn, pv, pt = p
if pn
if not pn.empty?
if not pv or pv.empty?
#TODO add value based on param name
pv = "aaa"
end
#temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s)
temparr << pn.to_s + "=" + pv.to_s
end
else
print_error("Blank parameter name. Form #{form.path}")
end
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
if (utest_query.has_key?(signature(form.path,datastr)) == false)
modopts['METHOD'] = form.method.upcase
modopts['PATH'] = form.path
modopts['QUERY'] = form.query
if form.method.upcase == 'GET'
modopts['QUERY'] = datastr
modopts['DATA'] = ""
end
if form.method.upcase == 'POST'
modopts['DATA'] = datastr
end
modopts['TYPES'] = typestr
#
# TODO: Add headers, etc.
#
if (not usinginipath) or (usinginipath and form.path.match(inipathname))
print_status "Path #{form.path}"
#print_status("Unique PATH #{modopts['PATH']}")
#print_status("Unique GET #{modopts['QUERY']}")
#print_status("Unique POST #{modopts['DATA']}")
#print_status("MODOPTS: #{modopts}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
utest_query[signature(form.path,datastr)]=1
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
else
#print_status("Already tested")
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Run modules for each request to play with URI query parameters.
# This approach will reduce the complexity of the Tree used before
# and will make this shotgun implementation much simple.
# wmap_query
#
print_status "\n=[ Query testing ]="
print_line "=" * sizeline
idx = 0
matches2.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if not ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins for each request that have a distinct
# GET/POST URI QUERY string.
#
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |req|
if self.masstop
print_error("STOPPED.")
return
end
datastr = ""
typestr = ""
temparr = []
req.params.each do |p|
pn, pv, pt = p
if pn
if not pn.empty?
if not pv or pv.empty?
#TODO add value based on param name
pv = "aaa"
end
#temparr << pn.to_s + "=" + Rex::Text.uri_encode(pv.to_s)
temparr << pn.to_s + "=" + pv.to_s
end
else
print_error("Blank parameter name. Form #{req.path}")
end
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
modopts['METHOD'] = req.method.upcase
modopts['PATH'] = req.path
if req.method.upcase == 'GET'
modopts['QUERY'] = datastr
modopts['DATA'] = ""
end
modopts['DATA'] = datastr if req.method.upcase == 'POST'
modopts['TYPES'] = typestr
#
# TODO: Add method, headers, etc.
#
if (not usinginipath) or (usinginipath and req.path.match(inipathname))
print_status "Path #{req.path}"
#print_status("Query PATH #{modopts['PATH']}")
#print_status("Query GET #{modopts['QUERY']}")
#print_status("Query POST #{modopts['DATA']}")
#print_status("Query TYPES #{typestr}")
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
#
# Handle modules that need to be after all tests, once.
# Good place to have modules that analize the test results and/or
# launch exploits.
# :wmap_generic
#
print_status "\n=[ General testing ]="
print_line "=" * sizeline
idx = 0
matches10.each_key do |xref|
if self.masstop
print_error("STOPPED.")
return
end
# Module not part of profile or not match
if not ( using_p and eprofile.include? xref[0].split('/').last ) or (using_m and xref[0].to_s.match(mname)) or (not using_m and not using_p)
idx += 1
begin
# Module options hash
modopts = Hash.new()
#
# The code is just a proof-of-concept and will be expanded in the future
#
print_status "Module #{xref[0]}"
if (mode & wmap_expl != 0)
#
# For modules to have access to the global datastore
# i.e. set -g DOMAIN test.com
#
self.framework.datastore.each do |gkey,gval|
modopts[gkey]=gval
end
#
# Parameters passed in hash xref
#
modopts['RHOST'] = selected_host
modopts['RHOSTS'] = selected_host
modopts['RPORT'] = selected_port.to_s
modopts['SSL'] = selected_ssl
modopts['VHOST'] = selected_vhost.to_s
modopts['VERBOSE'] = moduleverbose
modopts['ShowProgress'] = showprogress
modopts['RunAsJob'] = jobify
#
# Run the plugins that only need to be
# launched once.
#
begin
if execmod
rpcnode = rpc_round_exec(xref[0],xref[1], modopts, self.njobs)
end
rescue ::Exception
print_status(" >> Exception during launch from #{xref[0]}: #{$!}")
end
end
rescue ::Exception
print_status(" >> Exception from #{xref[0]}: #{$!}")
end
end
end
if (mode & wmap_expl != 0)
print_line "+" * sizeline
if not self.runlocal
if execmod
rpc_list_nodes()
print_status("Note: Use wmap_nodes -l to list node status for completion")
end
end
print_line("Launch completed in #{(Time.now.to_f - stamp)} seconds.")
print_line "+" * sizeline
end
print_status("Done.")
end
# EOM
end
def view_targets
if self.targets == nil or self.targets.keys.length == 0
print_status "No targets have been defined"
return
end
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Defined targets',
'Columns' =>
[
'Id',
'Vhost',
'Host',
'Port',
'SSL',
'Path',
])
self.targets.each_with_index { |t, idx|
tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], "\t"+t[1][:path].to_s ]
}
print_status tbl.to_s + "\n"
end
def view_sites
# Clean temporary sites list
self.lastsites = []
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Available sites',
'Columns' =>
[
'Id',
'Host',
'Vhost',
'Port',
'Proto',
'# Pages',
'# Forms',
])
idx = 0
self.framework.db.hosts.each do |bdhost|
bdhost.services.each do |serv|
serv.web_sites.each do |web|
c = web.web_pages.count
f = web.web_forms.count
tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, serv.name, c.to_s, f.to_s ]
idx += 1
turl = web.vhost + "," + serv.name + "://" +bdhost.address.to_s + ":" + serv.port.to_s + "/"
self.lastsites << turl
end
end
end
print_status tbl.to_s + "\n"
end
# Reusing code from hdmoore
#
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
def add_web_site(url)
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
return
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
return
end
ssl = false
if uri.scheme == 'https'
ssl = true
end
site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl)
return site
end
# Code by hdm. Modified two lines by et
#
def process_urls(urlstr)
target_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
next
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
next
end
target_whitelist << [vhost || uri.host, uri]
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
# First time targets are defined
self.targets = Hash.new()
end
target_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
next
end
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
if not serv
print_error("No matching service for #{target.host}:#{target.port}")
next
end
#print_status "aaa"
#print_status framework.db.workspace.name
serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id)
sites.each do |site|
# Initial defaul path
inipath = target.path
if target.path.empty?
inipath = '/'
end
#site.web_forms.find_all_by_path(target.path).each do |form|
ckey = [ site.vhost, host.address, serv.port, inipath].join("|")
if not self.targets[ckey]
self.targets[ckey] = WebTarget.new
self.targets[ckey].merge!({
:vhost => site.vhost,
:host => host.address,
:port => serv.port,
:ssl => (serv.name == "https"),
:path => inipath
})
#self.targets[ckey][inipath] = []
else
print_status("Target already set in targets list.")
end
# Store the form object in the hash for this path
#self.targets[ckey][inipath] << inipath
#end
end
end
end
# Code by hdm. Modified two lines by et
# lastsites contains a temporary array with vhost,url strings so the id can be
# referenced in the array and prevent new sites added in the db to corrupt previous id list.
def process_ids(idsstr)
if !self.lastsites or self.lastsites.length == 0
view_sites
print_status ("Web sites ids. referenced from previous table.")
end
target_whitelist = []
ids = idsstr.to_s.split(/,/)
ids.each do |id|
next if id.to_s.strip.empty?
if id.to_i > self.lastsites.length
print_error("Skipping id #{id}...")
else
target_whitelist << self.lastsites[id.to_i]
print_status("Loading #{self.lastsites[id.to_i]}.")
end
end
# Skip the DB entirely if no matches
return if target_whitelist.length == 0
if not self.targets
self.targets = Hash.new()
end
target_whitelist.each do |ent|
process_urls(ent)
end
end
def view_site_tree(urlstr, md, ld)
if not urlstr
return
end
site_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
end
end
# Prefix http:// when the URL has no specified parameter
if url !~ /^[a-z0-9A-Z]+:\/\//
url = "http://" + url
end
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
next
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
next
end
site_whitelist << [vhost || uri.host, uri]
end
# Skip the DB entirely if no matches
return if site_whitelist.length == 0
vsites = Hash.new()
site_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
next
end
serv = host.services.find_by_port_and_proto(target.port, 'tcp')
if not serv
print_error("No matching service for #{target.host}:#{target.port}")
next
end
sites = serv.web_sites.where('vhost = ? and service_id = ?', vhost, serv.id)
sites.each do |site|
t = load_tree(site)
print_tree(t,target.host,md,ld)
print_line("\n")
end
end
end
#
# Load website structure into a tree
#
def load_tree(s)
pathchr = '/'
wtree = Tree.new(s.vhost)
# Load site pages
s.web_pages.find(:all, :order => 'path').each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
tpath = Pathname.new(pathchr)
tarray.each do |df|
wtree.add_at_path(tpath.to_s,df)
tpath = tpath + Pathname.new(df.to_s)
end
end
# Load site forms
s.web_forms.each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
tpath = Pathname.new(pathchr)
tarray.each do |df|
wtree.add_at_path(tpath.to_s,df)
tpath = tpath + Pathname.new(df.to_s)
end
end
return wtree
end
#
# Print Tree structure. Still ugly
#
def print_tree(tree, ip, maxlevel, limitlevel)
initab = " " * 4
indent = 6
if tree != nil and tree.depth <= maxlevel
print initab + (" " * indent * tree.depth)
if tree.depth > 0
print "|"+("-" * (indent-1))+"/"
end
if tree.depth >= 0
if tree.depth == 0
print "[#{tree.name}] (#{ip})\n"+initab+(" " * indent)+"\n"
else
c = tree.children.count
if c > 0
print tree.name + " (" + c.to_s+")\n"
else
print tree.name + "\n"
end
end
end
tree.children.each_pair do |name,child|
print_tree(child,ip,maxlevel,limitlevel)
end
end
end
def signature(fpath,fquery)
hsig = Hash.new()
hsig = queryparse(fquery)
#
# Signature of the form ',p1,p2,pn' then to be appended to path: path,p1,p2,pn
#
sigstr = fpath + "," + hsig.map{|p| p[0].to_s}.join(",")
end
def queryparse(query)
params = Hash.new()
query.split(/[&;]/n).each do |pairs|
key, value = pairs.split('=',2)
if params.has_key?(key)
#Error
else
params[key] = value
end
end
params
end
def rpc_add_node(host,port,ssl,user,pass,bypass_exist)
if not self.rpcarr
self.rpcarr = Hash.new()
end
begin
istr = "#{host}|#{port}|#{ssl}|#{user}|#{pass}"
if self.rpcarr.has_key?(istr) and not bypass_exist and self.rpcarr[istr] != nil
print_error("Connection already exists #{istr}")
else
begin
temprpc = ::Msf::RPC::Client.new(
:host => host,
:port => port,
:ssl => ssl
)
rescue
print_error "Unable to connect"
#raise ConnectionError
return
end
res = temprpc.login( user , pass)
if not res
print_error("Unable to authenticate to #{host}:#{port}.")
return
else
res = temprpc.call('core.version')
end
print_status("Connected to #{host}:#{port} [#{res['version']}].")
self.rpcarr[istr] = temprpc
end
rescue
print_error("Unable to connect")
end
end
def local_module_exec(mod,mtype, opts, nmaxjobs)
jobify = false
modinst = framework.modules.create(mod)
if(not modinst)
print_error("Unknown module")
return
end
sess = nil
case mtype
when 'auxiliary'
Msf::Simple::Auxiliary.run_simple(modinst, {
'Action' => opts['ACTION'],
'LocalOutput' => driver.output,
'RunAsJob' => jobify,
'Options' => opts
})
when 'exploit'
sess = Msf::Simple::Exploit.exploit_simple(modinst, {
'Payload' => opts['PAYLOAD'],
'Target' => opts['TARGET'],
'LocalOutput' => driver.output,
'RunAsJob' => jobify,
'Options' => opts
})
else
print_error("Wrong mtype.")
end
if sess
if (jobify == false and sess.interactive?)
print_line
driver.run_single("sessions -q -i #{sess.sid}")
else
print_status("Session #{sess.sid} created in the background.")
end
end
end
def rpc_round_exec(mod,mtype, opts, nmaxjobs)
res = nil
idx = 0
if active_rpc_nodes == 0
if not self.runlocal
print_error("All active nodes not working or removed")
return
end
res = true
else
rpc_reconnect_nodes()
end
if self.masstop
return
end
while not res
if active_rpc_nodes == 0
print_error("All active nodes not working or removed")
return
end
#find the node with less jobs load.
minjobs = nmaxjobs
minconn = nil
nid = 0
self.rpcarr.each do |k,rpccon|
if not rpccon
print_error("Skipping inactive node #{nid} #{k}")
else
begin
currentjobs = rpccon.call('job.list').length
if currentjobs < minjobs
minconn = rpccon
minjobs = currentjobs
end
if currentjobs == nmaxjobs
if self.nmaxdisplay == false
print_error("Node #{nid} reached max number of jobs #{nmaxjobs}")
print_error("Waiting for available node/slot...")
self.nmaxdisplay = true
end
end
#print_status("Node #{nid} #currentjobs #{currentjobs} #min #{minjobs}")
rescue
print_error("Unable to connect. Node #{tarr[0]}:#{tarr[1]}")
self.rpcarr[k]=nil
if active_rpc_nodes == 0
print_error("All active nodes ,not working or removed")
return
else
print_error("Sending job to next node")
next
end
end
end
nid += 1
end
if minjobs < nmaxjobs
res=minconn.call('module.execute', mtype, mod, opts)
self.nmaxdisplay = false
#print_status(">>>#{res} #{mod}")
if res
if res.has_key?("job_id")
return
else
print_error("Unable to execute module in node #{k} #{res}")
end
end
else
#print_status("Max number of jobs #{nmaxjobs} reached in node #{k}")
end
idx += 1
end
if self.runlocal and not self.masstop
local_module_exec(mod,mtype, opts, nmaxjobs)
end
end
def rpc_db_nodes(host,port,user,pass,name)
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
self.rpcarr.each do |k,v|
if v
res = v.call('db.driver',{:driver => 'postgresql'})
res = v.call('db.connect',{:database => name, :host => host, :port => port, :username => user, :password => pass})
res = v.call('db.status')
if res['db'] == name
print_status("db_connect #{res} #{host}:#{port} OK")
else
print_error("Error db_connect #{res} #{host}:#{port}")
end
else
print_error("No connection to node #{k}")
end
end
end
def rpc_reconnect_nodes()
begin
# Sucky 5 mins token timeout.
idx = nil
self.rpcarr.each do |k,rpccon|
if rpccon
idx = k
begin
currentjobs = rpccon.call('job.list').length
rescue
tarr = k.split("|")
rflag = false
res = rpccon.login(tarr[3],tarr[4])
if res
rflag = true
print_error("Reauth to node #{tarr[0]}:#{tarr[1]}")
break
else
raise ConnectionError
end
end
end
end
rescue
print_error("ERROR CONNECTING TO NODE. Disabling #{idx} use wmap_nodes -a to reconnect")
self.rpcarr[idx] = nil
if active_rpc_nodes == 0
print_error("No active nodes")
self.masstop = true
else
#blah
end
end
end
def rpc_kill_node(i,j)
if not i
print_error("Nodes not defined")
return
end
if not j
print_error("Node jobs defined")
return
end
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
idx=0
self.rpcarr.each do |k,rpccon|
if idx == i.to_i or i.upcase == 'ALL'
#begin
if not rpccon
print_error("No connection to node #{idx}")
else
n = rpccon.call('job.list')
n.each do |id,name|
if j==id.to_s or j.upcase == 'ALL'
rpccon.call('job.stop',id)
print_status("Node #{idx} Killed job id #{id} #{name}")
end
end
end
#rescue
# print_error("No connection")
#end
end
idx += 1
end
end
def rpc_view_jobs()
indent = ' '
rpc_reconnect_nodes()
if active_rpc_nodes == 0
print_error("No active nodes at this time")
return
end
idx=0
self.rpcarr.each do |k,rpccon|
if not rpccon
print_status("[Node ##{idx}: #{k} DISABLED/NO CONNECTION]")
else
arrk = k.split('|')
print_status("[Node ##{idx}: #{arrk[0]} Port:#{arrk[1]} SSL:#{arrk[2]} User:#{arrk[3]}]")
begin
n = rpccon.call('job.list')
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Jobs',
'Columns' =>
[
'Id',
'Job name',
'Target',
'PATH',
])
n.each do |id,name|
jinfo = rpccon.call('job.info',id)
dstore = jinfo['datastore']
tbl << [ id.to_s, name,dstore['VHOST']+":"+dstore['RPORT'],dstore['PATH']]
end
print_status tbl.to_s + "\n"
rescue
print_status("[Node ##{idx} #{k} DISABLED/NO CONNECTION]")
end
end
idx += 1
end
end
# Modified from http://stackoverflow.com/questions/946738/detect-key-press-non-blocking-w-o-getc-gets-in-ruby
def quit?
begin
while c = driver.input.read_nonblock(1)
print_status("Quited")
return true if c == 'Q'
end
false
rescue Errno::EINTR
false
rescue Errno::EAGAIN
false
rescue EOFError
true
end
end
def rpc_mon_nodes()
# Pretty monitor
color = self.opts["ConsoleDriver"].output.supports_color? rescue false
colors = [
'%grn',
'%blu',
'%yel',
'%whi'
]
#begin
loop do
rpc_reconnect_nodes()
idx = 0
self.rpcarr.each do |k,rpccon|
arrk = k.split('|')
v = "NOCONN"
n = 1
c = '%red'
if not rpccon
v = "NOCONN"
n = 1
c = '%red'
else
begin
v = ""
c = '%blu'
rescue
v = "ERROR"
c = '%red'
end
begin
n = rpccon.call('job.list').length
c = '%blu'
rescue
n = 1
v = "NOCONN"
c = '%red'
end
end
#begin
if not @stdio
@stdio = Rex::Ui::Text::Output::Stdio.new
end
if color == true
@stdio.auto_color
else
@stdio.disable_color
end
msg = "[#{idx}] #{"%bld#{c}||%clr"*n} #{n} #{v}\n"
@stdio.print_raw(@stdio.substitute_colors(msg))
#rescue
#blah
#end
sleep(2)
idx += 1
end
end
#rescue
# print_status("End.")
#end
end
def rpc_list_nodes()
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Nodes',
'Columns' =>
[
'Id',
'Host',
'Port',
'SSL',
'User',
'Pass',
'Status',
'#jobs',
])
idx=0
rpc_reconnect_nodes()
self.rpcarr.each do |k,rpccon|
arrk = k.split('|')
if not rpccon
v = "NOCONN"
n = ""
else
begin
v = rpccon.call('core.version')['version']
rescue
v = "ERROR"
end
begin
n = rpccon.call('job.list').length
rescue
n = ""
end
end
tbl << [ idx.to_s, arrk[0], arrk[1], arrk[2], arrk[3], arrk[4], v, n]
idx += 1
end
print_status tbl.to_s + "\n"
end
def active_rpc_nodes
if self.rpcarr.length == 0
return 0
else
idx = 0
self.rpcarr.each do |k,conn|
if conn
idx += 1
end
end
return idx
end
end
def view_modules
indent = ' '
wmaptype = [:wmap_ssl,
:wmap_server,
:wmap_dir,
:wmap_file,
:wmap_unique_query,
:wmap_query,
:wmap_generic
]
if not self.wmapmodules
load_wmap_modules(true)
end
wmaptype.each do |modt|
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => modt.to_s,
'Columns' =>
[
'Name',
'OrderID',
])
idx = 0
self.wmapmodules.each do |w|
oid = w[3]
if w[3] == 0xFFFFFF
oid = ":last"
end
if w[2] == modt
tbl << [w[0],oid]
idx += 1
end
end
print_status tbl.to_s + "\n"
end
end
# Yes sorting hashes dont make sense but actually it does when you are enumerating one. And
# sort_by of a hash returns an array so this is the reason for this ugly piece of code
def sort_by_orderid(m)
temphash=Hash.new()
temparr=[]
temparr = m.sort_by do |xref,v|
xref[3]
end
temparr.each do |b|
temphash[b[0]] = b[1]
end
temphash
end
# Load all wmap modules
def load_wmap_modules(reload)
if reload or not self.wmapmodules
print_status("Loading wmap modules...")
self.wmapmodules=[]
idx = 0
[ [ framework.auxiliary, 'auxiliary' ], [framework.exploits, 'exploit' ] ].each do |mtype|
# Scan all exploit modules for matching references
mtype[0].each_module do |n,m|
e = m.new
# Only include wmap_enabled plugins
if e.respond_to?("wmap_enabled")
penabled = e.wmap_enabled
if penabled
self.wmapmodules << [mtype[1]+'/'+n,mtype[1],e.wmap_type,e.orderid]
idx += 1
end
end
end
end
print_status("#{idx} wmap enabled modules loaded.")
end
end
def view_vulns
framework.db.hosts.each do |host|
host.services.each do |serv|
serv.web_sites.each do |site|
site.web_vulns.each do |wv|
print_status("+ [#{host.address}] (#{site.vhost}): #{wv.category} #{wv.path}")
print_status("\t#{wv.name} #{wv.description}")
print_status("\t#{wv.method} #{wv.proof}")
end
end
end
end
end
end
class WebTarget < ::Hash
def to_url
proto = self[:ssl] ? "https" : "http"
"#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}"
end
end
def initialize(framework, opts)
super
color = self.opts["ConsoleDriver"].output.supports_color? rescue false
wmapversion = '1.5.1'
wmapbanner = "%red\n.-.-.-..-.-.-..---..---.%clr\n"
wmapbanner += "%red| | | || | | || | || |-'%clr\n"
wmapbanner += "%red`-----'`-'-'-'`-^-'`-'%clr\n"
wmapbanner += "[WMAP #{wmapversion}] === et [ ] metasploit.com 2012\n"
if not @stdio
@stdio = Rex::Ui::Text::Output::Stdio.new
end
if color == true
@stdio.auto_color
else
@stdio.disable_color
end
@stdio.print_raw(@stdio.substitute_colors(wmapbanner))
add_console_dispatcher(WmapCommandDispatcher)
#print_status("#{wmapbanner}")
end
def cleanup
remove_console_dispatcher('wmap')
end
def name
"wmap"
end
def desc
"Web assessment plugin"
end
protected
end
end
Reference in New Issue View Git Blame Copy Permalink