
Add Cookie check, random payload and report_web_vuln to trace aux module

Matteo Cantoni 5 months ago
parent
commit
67419990c6
1 changed files with 66 additions and 19 deletions
      modules/auxiliary/scanner/http/trace.rb

+ 66
- 19
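--- a/modules/auxiliary/scanner/http/trace.rb
+++ b/modules/auxiliary/scanner/http/trace.rb
@@ -4,18 +4,16 @@
 ##
 
 class MetasploitModule < Msf::Auxiliary
-
-  # Exploit mixins should be called first
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::WmapScanServer
-  # Scanner mixin should be near last
   include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
 
   def initialize
     super(
       'Name'        => 'HTTP Cross-Site Tracing Detection',
       'Description' => 'Checks if the host is vulnerable to Cross-Site Tracing (XST)',
-      'Author'       =>
+      'Author'      =>
         [
           'Jay Turla <@shipcod3>' , #Cross-Site Tracing (XST) Checker
           'CG' #HTTP TRACE Detection
@@ -27,33 +25,82 @@ class MetasploitModule < Msf::Auxiliary
           ['URL', 'https://www.owasp.org/index.php/Cross_Site_Tracing']
         ]
     )
+    register_options(
+      [
+        OptString.new('PATH', [ true, "The PATH to use while testing", '/']),
+        OptInt.new('TIMEOUT', [true, 'The socket connect/read timeout in seconds', 20]),
+        OptBool.new('COOKIE_CHECK', [ false, "Check for Cookie header also", false ])
+      ]
+    )
   end
 
   def run_host(target_host)
 
+    timeout = datastore['TIMEOUT']
+
+    rand_payload = Rex::Text.rand_text_alpha(5 + rand(8))
+
+    web_path = normalize_uri(datastore['PATH'])
+    xst_payload = "<script>alert(#{rand_payload})</script>" # XST Payload
+    check_uri = web_path + xst_payload
+
     begin
-      res = send_request_raw({
-        'uri'          => '/<script>alert(1337)</script>', #XST Payload
-        'method'       => 'TRACE',
-      })
+
+      if datastore['COOKIE_CHECK']
+        vprint_status("Sending request #{rhost}:#{rport} (vhost: #{vhost}) with Cookie header check")
+        res = send_request_raw({
+          'uri'    => check_uri,
+          'method' => 'TRACE',
+          'headers' => {
+            'Cookie' => "name=#{xst_payload}"
+          },
+        }, timeout)
+      else
+        vprint_status("Sending request #{rhost}:#{rport} (vhost: #{vhost})")
+        res = send_request_raw({
+          'uri'    => check_uri,
+          'method' => 'TRACE',
+        }, timeout)
+      end
 
       unless res
-        vprint_error("#{rhost}:#{rport} did not reply to our request")
+        vprint_error("#{rhost}:#{rport} (vhost: #{vhost})[#{res.code}] did not reply to our request")
         return
       end
 
-      if res.body.to_s.index('/<script>alert(1337)</script>')
-        print_good("#{rhost}:#{rport} is vulnerable to Cross-Site Tracing")
-        report_vuln(
-          :host   => rhost,
-          :port   => rport,
-          :proto  => 'tcp',
-          :sname  => (ssl ? 'https' : 'http'),
-          :info   => "Vulnerable to Cross-Site Tracing",
-        )
+      if res.body.to_s.index("#{web_path}#{xst_payload}")
+        print_good("#{rhost}:#{rport} (vhost: #{vhost})[#{res.code}] is vulnerable to Cross-Site Tracing")
+
+        vprint_status("#{rhost}:#{rport} (vhost: #{vhost})[#{res.code}] Response: [#{res.body.to_s}]")
+
+        report_vuln({
+          :host  => rhost,
+          :port  => rport,
+          :proto => 'tcp',
+          :sname => (ssl ? 'https' : 'http'),
+          :name  => self.name,
+          :info  => "Module used #{self.fullname}, vhost: #{vhost}",
+          :refs  => self.references
+        })
+
+        report_web_vuln({
+          :host        => rhost,
+          :port        => rport,
+          :vhost       => vhost,
+          :path        => web_path,
+          :pname       => xst_payload,
+          :risk        => 2,
+          :proof       => "#{xst_payload} payload with TRACE method",
+          :description => "Vulnerable to Cross-Site Tracing",
+          :name        => self.fullname,
+          :category    => "web",
+          :method      => "GET" # specifing TRACE... Error: "ActiveRecord" "RecordInvalid" "Method is not included in the list"
+        })
+
       else
-        vprint_error("#{rhost}:#{rport} returned #{res.code} #{res.message}")
+        vprint_error("#{rhost}:#{rport} (vhost: #{vhost}) returned #{res.code} #{res.message}")
       end
+
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
     rescue ::Timeout::Error, ::Errno::EPIPE
     end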
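Review bot: The new `vprint_error` inside `unless res` interpolates `#{res.code}` right after `res` has been found nil, so a host that never answers raises NoMethodError instead of logging, and the `rescue` clauses at the end of the hunk only cover Rex connection errors, Timeout and EPIPE, so the exception escapes run_host. Drop the status from that message: `vprint_error("#{rhost}:#{rport} (vhost: #{vhost}) did not reply to our request")`. Separately, COOKIE_CHECK only adds a Cookie header to the request, while the detection still matches only the reflected URI (`res.body.to_s.index("#{web_path}#{xst_payload}")`), so enabling the option never verifies that the cookie is echoed back, which is the part of XST that matters for session theft. When COOKIE_CHECK is set, also test the echo for the header line, e.g. `res.body.to_s.index("Cookie: name=#{xst_payload}")`, bearing in mind that servers vary in how exactly they reflect the request so a case-insensitive match may be needed.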
