
Land #12475, enhancements to brute_dirs module

dwelch-r7 committed Nov 25, 2019
2 parents c08ed0e + 4d7f299 commit a8847a1d2a5d663d69f0b50ba58bb5a7e2e03974
Showing with 48 additions and 31 deletions.
  1. +48 −31 modules/auxiliary/scanner/http/brute_dirs.rb
@@ -17,28 +17,28 @@ def initialize(info = {})
'Description' => %q{
This module identifies the existence of interesting directories by brute forcing the name
in a given directory path.
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE))

register_options(
[
OptString.new('PATH', [ true, "The path to identify directories", '/']),
OptString.new('FORMAT', [ true, "The expected directory format (a alpha, d digit, A upperalpha)", 'a,aa,aaa'])
OptString.new('FORMAT', [ true, "The expected directory format (a alpha, d digit, A upperalpha)", 'a,aa,aaa']),
OptInt.new('TIMEOUT', [true, 'The socket connect/read timeout in seconds', 20]),
OptInt.new('DELAY', [true, "The delay between connections, per thread, in milliseconds", 0]),
OptInt.new('JITTER', [true, "The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.", 0]),
])

register_advanced_options(
[
OptInt.new('ErrorCode', [ true, "The expected http code for non existant directories", 404]),
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
File.join(Msf::Config.data_directory, "wmap", "wmap_404s.txt")
]
),
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
File.join(Msf::Config.data_directory, "wmap", "wmap_404s.txt")
]),
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]),
OptInt.new('TestThreads', [ true, "Number of test threads", 25])
])

end

def wmap_enabled
@@ -49,11 +49,25 @@ def run_host(ip)

conn = false

timeout = datastore['TIMEOUT']

delay_value = datastore['DELAY'].to_i
if delay_value < 0
raise Msf::OptionValidateError.new(['DELAY'])
end

jitter_value = datastore['JITTER'].to_i
if jitter_value < 0
raise Msf::OptionValidateError.new(['JITTER'])
end

tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end

vhost = datastore['VHOST'] || datastore['RHOST']

dm = datastore['NoDetailMessages']

# You may add more extensions in the extens array
@@ -74,16 +88,15 @@ def run_host(ip)
randdir = Rex::Text.rand_text_alpha(5).chomp
randdir << exte
res = send_request_cgi({
'uri' => tpath+randdir,
'method' => 'GET',
'ctype' => 'text/html'
}, 20)
'uri' => tpath+randdir,
'method' => 'GET',
'ctype' => 'text/html'
}, timeout)

return if not res

tcode = res.code.to_i


# Look for a string we can signature on as well
if(tcode >= 200 and tcode <= 299)
emesg = nil
@@ -144,15 +157,20 @@ def run_host(ip)
teststr = tpath+strdir
teststr << exte

# Add the delay based on JITTER and DELAY if needs be
add_delay_jitter(delay_value,jitter_value)

vprint_status("Try... #{wmap_base_url}#{teststr} (#{vhost})")

res = send_request_cgi({
'uri' => teststr,
'method' => 'GET',
'ctype' => 'text/plain'
}, 5)
'uri' => teststr,
'method' => 'GET',
'ctype' => 'text/plain'
}, timeout)

if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if (not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{wmap_base_url}#{teststr} #{res.code.to_i}")
print_status("NOT Found #{wmap_base_url}#{teststr} #{res.code.to_i}")
#blah
end
else
@@ -161,29 +179,28 @@ def run_host(ip)
else
print_good("Found #{wmap_base_url}#{teststr} #{res.code.to_i}")

report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => "#{teststr}",
:method => 'GET',
:pname => "",
:proof => "Res code: #{res.code.to_s}",
:risk => 0,
report_web_vuln({
:host => rhost,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => "#{teststr}",
:method => 'GET',
:pname => "",
:proof => "Res code: #{res.code.to_s}",
:risk => 0,
:confidence => 100,
:category => 'directory',
:description => 'Directory found.',
:name => 'directory'
)
:name => 'directory'
})

end
end

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end

}
end
end
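Review bot: In the `if (not res or ((res.code.to_i == ecode) or ...))` branch the detail message still dereferences `res` via `res.code.to_i`, so when `send_request_cgi` returns nil — the exact case the leading `not res` tests for — the `NOT Found` print raises `NoMethodError` rather than reporting the miss, and the `rescue` clauses at the end of the method do not cover that class, so the scan thread dies. A guard such as `print_status("NOT Found #{wmap_base_url}#{teststr} #{res ? res.code.to_i : 'no response'}")` keeps the branch safe and also stops a dropped connection from being reported with the same wording as an expected error code. Separately, `timeout = datastore['TIMEOUT']` is used as-is while `DELAY` and `JITTER` are rejected when negative; for consistency add `raise Msf::OptionValidateError.new(['TIMEOUT']) if timeout.to_i <= 0` next to those checks, since a zero or negative socket timeout is presumably not a usable value for `send_request_cgi`. `run_host` starts and ends outside the hunks shown here.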
