Set normalize uri on modules #1047

Merged
merged 5 commits into from

4 participants

@ChrisJohnRiley

This is a follow on from PULL 1045 (HDM)

I've implemented the normalize_uri() function on a number
of modules that I think HD overlooked... there are probably
more that I missed on my search as well.

Please only consider this after applying PULL 1045 as
it contains the required normalize_uri() function used

ChrisJohnRiley added some commits
@ChrisJohnRiley ChrisJohnRiley Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> rapid7#1045
f88ec5c
@ChrisJohnRiley ChrisJohnRiley Formatting 0dd4f4d
...ary/scanner/http/apache_activemq_source_disclosure.rb
((5 lines not shown))
res = send_request_cgi({
- 'uri' => "/#{target_uri.to_s}",

Looks like a regression here. target_uri.path vs "/#{target_uri.to_s}"

@ChrisJohnRiley

Fixed a couple of instances where target_uri.to_s and target_uri.path were mixed

@todb

Fixing this up today; ran into a couple merge problems, one ruby -c warning. All in all not that big of a deal, just needs another eyeball pass. Figure on landing in a couple hours unless something really horrible pops up.

@todb-r7 todb-r7 merged commit 9412060 into rapid7:master
Commits on Nov 8, 2012
  1. @ChrisJohnRiley

    Add normalize_uri to modules that may have
    been missed by PULL 1045.

    Please ensure PULL 1045 is in place prior to
    looking at this (as it implements normalize_uri)

    ref --> rapid7#1045

    ChrisJohnRiley authored
  2. @ChrisJohnRiley

    Formatting

    ChrisJohnRiley authored
Commits on Nov 11, 2012
  1. fixed target_uri.path vs target_uri.to_s issue

    Chris John Riley authored
  2. Set back to target_uri.path

    Chris John Riley authored
  3. Set back to target_uri.to_s per original module

    Chris John Riley authored
Showing with 413 additions and 425 deletions.
  1. +2 −1  modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
  2. +1 −1  modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
  3. +2 −2 modules/auxiliary/admin/http/iis_auth_bypass.rb
  4. +1 −1  modules/auxiliary/admin/http/intersil_pass_reset.rb
  5. +1 −1  modules/auxiliary/admin/http/jboss_seam_exec.rb
  6. +2 −1  modules/auxiliary/admin/http/scrutinizer_add_user.rb
  7. +2 −2 modules/auxiliary/admin/http/typo3_sa_2009_001.rb
  8. +2 −1  modules/auxiliary/admin/tikiwiki/tikidblib.rb
  9. +2 −1  modules/auxiliary/admin/webmin/file_disclosure.rb
  10. +1 −1  modules/auxiliary/dos/http/apache_range_dos.rb
  11. +1 −1  modules/auxiliary/dos/http/hashcollision_dos.rb
  12. +1 −1  modules/auxiliary/dos/http/sonicwall_ssl_format.rb
  13. +1 −1  modules/auxiliary/dos/http/webrick_regex.rb
  14. +3 −2 modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb
  15. +2 −2 modules/auxiliary/fuzzers/http/http_form_field.rb
  16. +2 −1  modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb
  17. +4 −2 modules/auxiliary/scanner/http/apache_userdir_enum.rb
  18. +4 −2 modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb
  19. +6 −5 modules/auxiliary/scanner/http/axis_local_file_include.rb
  20. +1 −1  modules/auxiliary/scanner/http/backup_file.rb
  21. +3 −2 modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
  22. +1 −1  modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb
  23. +6 −6 modules/auxiliary/scanner/http/blind_sql_query.rb
  24. +1 −1  modules/auxiliary/scanner/http/brute_dirs.rb
  25. +1 −1  modules/auxiliary/scanner/http/clansphere_traversal.rb
  26. +1 −1  modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb
  27. +1 −6 modules/auxiliary/scanner/http/concrete5_member_list.rb
  28. +1 −1  modules/auxiliary/scanner/http/copy_of_file.rb
  29. +6 −3 modules/auxiliary/scanner/http/dell_idrac.rb
  30. +1 −1  modules/auxiliary/scanner/http/dir_listing.rb
  31. +1 −1  modules/auxiliary/scanner/http/dir_scanner.rb
  32. +1 −1  modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb
  33. +1 −1  modules/auxiliary/scanner/http/dolibarr_login.rb
  34. +2 −4 modules/auxiliary/scanner/http/drupal_views_user_enum.rb
  35. +5 −4 modules/auxiliary/scanner/http/ektron_cms400net.rb
  36. +4 −4 modules/auxiliary/scanner/http/error_sql_injection.rb
  37. +1 −1  modules/auxiliary/scanner/http/file_same_name_dir.rb
  38. +1 −1  modules/auxiliary/scanner/http/files_dir.rb
  39. +4 −2 modules/auxiliary/scanner/http/glassfish_login.rb
  40. +1 −1  modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb
  41. +1 −1  modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
  42. +1 −1  modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb
  43. +1 −4 modules/auxiliary/scanner/http/http_put.rb
  44. +3 −2 modules/auxiliary/scanner/http/litespeed_source_disclosure.rb
  45. +1 −1  modules/auxiliary/scanner/http/lucky_punch.rb
  46. +2 −1  modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb
  47. +1 −1  modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
  48. +1 −1  modules/auxiliary/scanner/http/mod_negotiation_brute.rb
  49. +1 −1  modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
  50. +4 −3 modules/auxiliary/scanner/http/nginx_source_disclosure.rb
  51. +1 −1  modules/auxiliary/scanner/http/prev_dir_same_name_file.rb
  52. +1 −1  modules/auxiliary/scanner/http/rails_mass_assignment.rb
  53. +1 −1  modules/auxiliary/scanner/http/robots_txt.rb
  54. +1 −1  modules/auxiliary/scanner/http/s40_traversal.rb
  55. +1 −1  modules/auxiliary/scanner/http/scraper.rb
  56. +3 −2 modules/auxiliary/scanner/http/soap_xml.rb
  57. +2 −1  modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb
  58. +1 −1  modules/auxiliary/scanner/http/svn_scanner.rb
  59. +3 −2 modules/auxiliary/scanner/http/tomcat_enum.rb
  60. +10 −9 modules/auxiliary/scanner/http/tomcat_mgr_login.rb
  61. +1 −1  modules/auxiliary/scanner/http/trace_axd.rb
  62. +1 −1  modules/auxiliary/scanner/http/vcms_login.rb
  63. +2 −2 modules/auxiliary/scanner/http/verb_auth_bypass.rb
  64. +2 −2 modules/auxiliary/scanner/http/vhost_scanner.rb
  65. +1 −1  modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
  66. +1 −1  modules/auxiliary/scanner/http/web_vulndb.rb
  67. +1 −1  modules/auxiliary/scanner/http/webdav_internal_ip.rb
  68. +1 −1  modules/auxiliary/scanner/http/webdav_scanner.rb
  69. +1 −1  modules/auxiliary/scanner/http/webdav_website_content.rb
  70. +2 −1  modules/auxiliary/scanner/http/webpagetest_traversal.rb
  71. +4 −3 modules/auxiliary/scanner/http/wordpress_login_enum.rb
  72. +1 −1  modules/auxiliary/scanner/http/xpath.rb
  73. +1 −1  modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
  74. +1 −1  modules/auxiliary/scanner/lotus/lotus_domino_version.rb
  75. +1 −1  modules/auxiliary/scanner/vmware/esx_fingerprint.rb
  76. +1 −1  modules/auxiliary/scanner/vmware/vmware_http_login.rb
  77. +1 −1  modules/auxiliary/server/http_ntlmrelay.rb
  78. +2 −2 modules/exploits/bsdi/softcart/mercantec_softcart.rb
  79. +3 −2 modules/exploits/linux/http/dolibarr_cmd_exec.rb
  80. +1 −1  modules/exploits/linux/http/symantec_web_gateway_exec.rb
  81. +1 −1  modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
  82. +3 −2 modules/exploits/linux/http/vcms_upload.rb
  83. +2 −2 modules/exploits/linux/http/webcalendar_settings_exec.rb
  84. +2 −2 modules/exploits/linux/http/webid_converter.rb
  85. +10 −10 modules/exploits/multi/http/activecollab_chat.rb
  86. +6 −4 modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
  87. +2 −2 modules/exploits/multi/http/apprain_upload_exec.rb
  88. +6 −4 modules/exploits/multi/http/auxilium_upload_exec.rb
  89. +2 −2 modules/exploits/multi/http/cuteflow_upload_exec.rb
  90. +4 −4 modules/exploits/multi/http/familycms_less_exec.rb
  91. +1 −9 modules/exploits/multi/http/gitorious_graph.rb
  92. +1 −1  modules/exploits/multi/http/glassfish_deployer.rb
  93. +1 −9 modules/exploits/multi/http/horde_href_backdoor.rb
  94. +1 −1  modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
  95. +3 −3 modules/exploits/multi/http/jboss_bshdeployer.rb
  96. +5 −5 modules/exploits/multi/http/jboss_deploymentfilerepository.rb
  97. +1 −1  modules/exploits/multi/http/jboss_invoke_deploy.rb
  98. +4 −4 modules/exploits/multi/http/jboss_maindeployer.rb
  99. +2 −7 modules/exploits/multi/http/lcms_php_exec.rb
  100. +2 −2 modules/exploits/multi/http/log1cms_ajax_create_folder.rb
  101. +6 −4 modules/exploits/multi/http/mobilecartly_upload_exec.rb
  102. +2 −2 modules/exploits/multi/http/op5_license.rb
  103. +2 −2 modules/exploits/multi/http/op5_welcome.rb
  104. +2 −2 modules/exploits/multi/http/openfire_auth_bypass.rb
  105. +3 −2 modules/exploits/multi/http/php_cgi_arg_injection.rb
  106. +1 −1  modules/exploits/multi/http/php_volunteer_upload_exec.rb
  107. +3 −6 modules/exploits/multi/http/phpldapadmin_query_engine.rb
  108. +4 −10 modules/exploits/multi/http/phpscheduleit_start_date.rb
  109. +6 −4 modules/exploits/multi/http/phptax_exec.rb
  110. +2 −2 modules/exploits/multi/http/plone_popen2.rb
  111. +2 −2 modules/exploits/multi/http/pmwiki_pagelist.rb
  112. +6 −4 modules/exploits/multi/http/qdpm_upload_exec.rb
  113. +6 −4 modules/exploits/multi/http/sflog_upload_exec.rb
  114. +8 −20 modules/exploits/multi/http/sit_file_upload.rb
  115. +1 −1  modules/exploits/multi/http/snortreport_exec.rb
  116. +1 −1  modules/exploits/multi/http/spree_search_exec.rb
  117. +1 −1  modules/exploits/multi/http/spree_searchlogic_exec.rb
  118. +2 −1  modules/exploits/multi/http/struts_code_exec.rb
  119. +1 −1  modules/exploits/multi/http/sun_jsws_dav_options.rb
  120. +2 −2 modules/exploits/multi/http/testlink_upload_exec.rb
  121. +3 −3 modules/exploits/multi/http/tomcat_mgr_deploy.rb
  122. +6 −6 modules/exploits/multi/http/traq_plugin_exec.rb
  123. +2 −4 modules/exploits/multi/http/vbseo_proc_deutf.rb
  124. +6 −4 modules/exploits/multi/http/webpagetest_upload_exec.rb
  125. +3 −2 modules/exploits/multi/http/wikka_spam_exec.rb
  126. +2 −2 modules/exploits/multi/php/php_unserialize_zval_cookie.rb
  127. +2 −2 modules/exploits/unix/webapp/awstats_configdir_exec.rb
  128. +2 −2 modules/exploits/unix/webapp/awstats_migrate_exec.rb
  129. +2 −2 modules/exploits/unix/webapp/awstatstotals_multisort.rb
  130. +2 −2 modules/exploits/unix/webapp/barracuda_img_exec.rb
  131. +2 −2 modules/exploits/unix/webapp/basilic_diff_exec.rb
  132. +2 −2 modules/exploits/unix/webapp/cacti_graphimage_exec.rb
  133. +3 −3 modules/exploits/unix/webapp/cakephp_cache_corruption.rb
  134. +2 −2 modules/exploits/unix/webapp/coppermine_piceditor.rb
  135. +2 −2 modules/exploits/unix/webapp/dogfood_spell_exec.rb
  136. +2 −2 modules/exploits/unix/webapp/egallery_upload_exec.rb
  137. +2 −2 modules/exploits/unix/webapp/guestbook_ssi_exec.rb
  138. +2 −2 modules/exploits/unix/webapp/hastymail_exec.rb
  139. +3 −6 modules/exploits/unix/webapp/joomla_tinybrowser.rb
  140. +1 −1  modules/exploits/unix/webapp/mybb_backdoor.rb
  141. +3 −2 modules/exploits/unix/webapp/nagios3_statuswml_ping.rb
  142. +1 −1  modules/exploits/unix/webapp/openview_connectednodes_exec.rb
  143. +2 −4 modules/exploits/unix/webapp/openx_banner_edit.rb
  144. +2 −2 modules/exploits/unix/webapp/oscommerce_filemanager.rb
  145. +1 −1  modules/exploits/unix/webapp/pajax_remote_exec.rb
  146. +1 −1  modules/exploits/unix/webapp/php_include.rb
  147. +2 −2 modules/exploits/unix/webapp/php_wordpress_foxypress.rb
  148. +1 −1  modules/exploits/unix/webapp/php_wordpress_lastpost.rb
  149. +1 −1  modules/exploits/unix/webapp/php_xmlrpc_eval.rb
  150. +3 −3 modules/exploits/unix/webapp/phpbb_highlight.rb
  151. +3 −3 modules/exploits/unix/webapp/phpmyadmin_config.rb
  152. +6 −4 modules/exploits/unix/webapp/projectpier_upload_exec.rb
  153. +1 −1  modules/exploits/unix/webapp/redmine_scm_exec.rb
  154. +7 −7 modules/exploits/unix/webapp/sphpblog_file_upload.rb
  155. +1 −1  modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
  156. +2 −3 modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
  157. +4 −4 modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
  158. +1 −1  modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
  159. +2 −2 modules/exploits/unix/webapp/trixbox_langchoice.rb
  160. +3 −3 modules/exploits/unix/webapp/twiki_history.rb
  161. +3 −3 modules/exploits/unix/webapp/twiki_search.rb
  162. +2 −2 modules/exploits/unix/webapp/xoda_file_upload.rb
  163. +2 −2 modules/exploits/windows/http/bea_weblogic_post_bof.rb
  164. +1 −1  modules/exploits/windows/http/coldfusion_fckeditor.rb
  165. +2 −1  modules/exploits/windows/http/manageengine_apps_mngr.rb
  166. +1 −1  modules/exploits/windows/http/php_apache_request_headers_bof.rb
  167. +3 −3 modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
  168. +1 −1  modules/exploits/windows/http/sybase_easerver.rb
  169. +6 −6 modules/exploits/windows/http/sysax_create_folder.rb
  170. +1 −5 modules/exploits/windows/http/xampp_webdav_upload_php.rb
  171. +2 −2 modules/exploits/windows/iis/ms02_065_msadc.rb
  172. +3 −3 modules/exploits/windows/iis/msadc.rb
  173. +2 −2 modules/exploits/windows/isapi/ms00_094_pbserver.rb
  174. +2 −2 modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb
  175. +3 −3 modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb
  176. +2 −2 modules/exploits/windows/isapi/rsa_webagent_redirect.rb
  177. +2 −2 modules/exploits/windows/isapi/w3who_query.rb
  178. +4 −2 modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
3  modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
@@ -79,8 +79,9 @@ def run_host(ip)
print_status("Issuing password change request for: " + datastore['USERNAME'])
begin
+ uri = normalize_uri(target_uri.path)
res = send_request_cgi({
- 'uri' => target_uri.path,
+ 'uri' => uri,
'method' => 'POST',
'data' => data,
'headers' =>
2  modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
@@ -48,7 +48,7 @@ def run_host(ip)
res = send_request_raw(
{
'method' => 'POST',
- 'uri' => datastore['URL'] + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],
+ 'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],
}, 25)
if (res and res.code == 500)
4 modules/auxiliary/admin/http/iis_auth_bypass.rb
@@ -43,7 +43,7 @@ def initialize(info = {})
def has_auth
- uri = target_uri.path
+ uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1, 1] != '/'
res = send_request_cgi({
@@ -56,7 +56,7 @@ def has_auth
end
def try_auth
- uri = target_uri.path
+ uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1, 1] != '/'
uri << Rex::Text.rand_text_alpha(rand(10)+5) + ".#{Rex::Text.rand_text_alpha(3)}"
2  modules/auxiliary/admin/http/intersil_pass_reset.rb
@@ -73,7 +73,7 @@ def run
@peer = "#{rhost}:#{rport}"
return if check != Exploit::CheckCode::Vulnerable
- uri = target_uri.path
+ uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
2  modules/auxiliary/admin/http/jboss_seam_exec.rb
@@ -42,7 +42,7 @@ def initialize(info = {})
end
def run
- jbr = datastore['JBOSS_ROOT']
+ jbr = normalize_uri(datastore['JBOSS_ROOT'])
cmd_enc = ""
cmd_enc << Rex::Text.uri_encode(datastore["CMD"])
3  modules/auxiliary/admin/http/scrutinizer_add_user.rb
@@ -45,9 +45,10 @@ def initialize(info = {})
end
def run
+ uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'method' => 'POST',
- 'uri' => target_uri.path,
+ 'uri' => uri,
'vars_post' => {
'tool' => 'userprefs',
'newUser' => datastore['USERNAME'],
4 modules/auxiliary/admin/http/typo3_sa_2009_001.rb
@@ -68,6 +68,7 @@ def run
# Null byte fixed in PHP 5.3.4
#
+ uri = normalize_uri(datastore['URI'])
case datastore['RFILE']
when nil
# Nothing
@@ -100,8 +101,7 @@ def run
juhash = Digest::MD5.hexdigest(juarray)
juhash = juhash[0..9] # shortMD5 value for use as juhash
- file_uri = "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
- file_uri = file_uri.sub("//", "/") # Prevent double // from appearing in uri
+ file_uri = "#{uri}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
vprint_status("Checking Encryption Key [#{i}/1000]: #{final}")
begin
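Review bot: The rewritten file_uri line drops the `.sub("//", "/")` guard but still joins with a literal "/index.php", so a URI option ending in '/' produces "//index.php" unless normalize_uri strips trailing slashes. Confirm that behaviour against PULL 1045, or trim a trailing '/' from `uri` before interpolating it.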
3  modules/auxiliary/admin/tikiwiki/tikidblib.rb
@@ -52,7 +52,8 @@ def initialize(info = {})
def run
print_status("Establishing a connection to the target...")
- rpath = datastore['URI'] + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
+ uri = normalize_uri(datastore['URI'])
+ rpath = uri + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
res = send_request_raw({
'uri' => rpath,
3  modules/auxiliary/admin/webmin/file_disclosure.rb
@@ -70,7 +70,8 @@ def initialize(info = {})
def run
print_status("Attempting to retrieve #{datastore['RPATH']}...")
- uri = Rex::Text.uri_encode(datastore['DIR']) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])
+ dir = normalize_uri(datastore['DIR'])
+ uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])
res = send_request_raw({
'uri' => uri,
2  modules/auxiliary/dos/http/apache_range_dos.rb
@@ -50,7 +50,7 @@ def initialize(info = {})
end
def run
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
ranges = ''
for i in (0..1299) do
ranges += ",5-" + i.to_s
2  modules/auxiliary/dos/http/hashcollision_dos.rb
@@ -202,7 +202,7 @@ def run
print_status("Sending request ##{x}...")
opts = {
'method' => 'POST',
- 'uri' => datastore['URL'],
+ 'uri' => normalize_uri(datastore['URL']),
'data' => payload
}
begin
2  modules/auxiliary/dos/http/sonicwall_ssl_format.rb
@@ -55,7 +55,7 @@ def run
fmt = datastore['FORMAT'] + "XX" # XX is 2 bytes used to mark end of memory garbage for regexp
begin
res = send_request_raw({
- 'uri' => datastore['URI'] + fmt,
+ 'uri' => normalize_uri(datastore['URI']) + fmt,
})
if res and res.code == 200
2  modules/auxiliary/dos/http/webrick_regex.rb
@@ -44,7 +44,7 @@ def initialize(info = {})
def run
begin
o = {
- 'uri' => datastore['URI'] || '/',
+ 'uri' => normalize_uri(datastore['URI']) || '/',
'headers' => {
'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100
}
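Review bot: The `|| '/'` fallback on the 'uri' line no longer guards the unset case: datastore['URI'] is now passed to normalize_uri before the fallback is evaluated, so a nil value reaches normalize_uri and the default only applies if normalize_uri itself returns nil. Move the default inside the call, e.g. `'uri' => normalize_uri(datastore['URI'] || '/'),`.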
5 modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb
@@ -52,7 +52,8 @@ def initialize(info = {})
def run
- print_status("Attacking http://#{datastore['VHOST'] || rhost}:#{rport}#{datastore['URI']}")
+ uri = normalize_uri(datastore['URI'])
+ print_status("Attacking http://#{datastore['VHOST'] || rhost}:#{rport}#{uri}")
begin
while(1)
@@ -60,7 +61,7 @@ def run
connect
payload = "C=A&" * 40000
length = payload.size
- sploit = "HEAD #{datastore['URI']} HTTP/1.1\r\n"
+ sploit = "HEAD #{uri} HTTP/1.1\r\n"
sploit << "Host: #{datastore['VHOST'] || rhost}\r\n"
sploit << "Connection:Close\r\n"
sploit << "Content-Type: application/x-www-form-urlencoded\r\n"
4 modules/auxiliary/fuzzers/http/http_form_field.rb
@@ -484,7 +484,7 @@ def run
print_status("Grabbing webpage #{datastore['URL']} from #{datastore['RHOST']}")
response = send_request_raw(
{
- 'uri' => datastore['URL'],
+ 'uri' => normalize_uri(datastore['URL']),
'version' => '1.1',
'method' => 'GET',
'headers' => @get_data_headers
@@ -502,7 +502,7 @@ def run
response = send_request_raw(
{
- 'uri' => datastore['URL'],
+ 'uri' => normalize_uri(datastore['URL']),
'version' => '1.1',
'method' => 'GET',
'headers' => @get_data_headers
3  modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb
@@ -47,8 +47,9 @@ def initialize(info = {})
def run_host(ip)
print_status("#{rhost}:#{rport} - Sending request...")
+ uri = normalize_uri(target_uri.to_s)
res = send_request_cgi({
- 'uri' => "/#{target_uri.to_s}",
+ 'uri' => uri,
'method' => 'GET',
})
6 modules/auxiliary/scanner/http/apache_userdir_enum.rb
@@ -60,7 +60,8 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
@@ -88,7 +89,8 @@ def run_host(ip)
def do_login(user)
vprint_status("#{target_url}~#{user} - Trying UserDir: '#{user}'")
- payload = "#{datastore['URI']}~#{user}/"
+ uri = normalize_uri(datastore['URI'])
+ payload = "#{uri}~#{user}/"
begin
res = send_request_cgi(
{
6 modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb
@@ -58,8 +58,9 @@ def rport
end
def run_host(ip)
+ uri = normalize_uri(target_uri.to_s)
res = send_request_cgi({
- 'uri' => target_uri.to_s,
+ 'uri' => uri,
'method' => 'GET'})
if not res
@@ -71,6 +72,7 @@ def run_host(ip)
end
def accessfile(rhost)
+ uri = normalize_uri(target_uri.to_s)
print_status("#{rhost}:#{rport} Connecting to Crowd SOAP Interface")
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@@ -122,7 +124,7 @@ def accessfile(rhost)
data << '</soap:attributes>' + "\r\n"
res = send_request_cgi({
- 'uri' => target_uri.to_s,
+ 'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,
11 modules/auxiliary/scanner/http/axis_local_file_include.rb
@@ -47,11 +47,12 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
begin
res = send_request_raw({
@@ -62,11 +63,11 @@ def run_host(ip)
if (res and res.code == 200)
extract_uri = res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
new_uri = "/axis2/services/#{$1}"
-
+ new_uri = normalize_uri(new_uri)
get_credentials(new_uri)
else
- print_status("#{target_url} - Apache Axis - The remote page not accessible")
+ print_status("#{uri} - Apache Axis - The remote page not accessible")
return
end
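Review bot: The print_status in the else branch now prints only the normalized path where it used to print target_url, so on a multi-host scan the "remote page not accessible" message no longer says which host and port it refers to. Keep target_url in the message (the first hunk already normalizes it), or prefix the line with rhost and rport.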
@@ -86,7 +87,7 @@ def get_credentials(uri)
'uri' => "#{uri}" + lfi_payload,
}, 25)
- print_status("#{target_url} - Apache Axis - Dumping administrative credentials")
+ print_status("#{uri} - Apache Axis - Dumping administrative credentials")
if (res and res.code == 200)
if res.body.to_s.match(/axisconfig/)
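Review bot: In get_credentials the `uri` in the new print_status is the method parameter (the /axis2/services/... path passed in from run_host), not the module's URI option, so the "Dumping administrative credentials" line names neither the host nor the configured path. Printing target_url here, as before, keeps the output attributable to a host.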
2  modules/auxiliary/scanner/http/backup_file.rb
@@ -53,7 +53,7 @@ def run_host(ip)
]
bakextensions.each do |ext|
- file = datastore['PATH']+ext
+ file = normalize_uri(datastore['PATH'])+ext
check_for_file(file)
end
if datastore['PATH'] =~ %r#(.*)(/.+$)#
5 modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
@@ -51,11 +51,12 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI']
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
file = datastore['FILE']
payload = "?locale=/../../../../../../..#{file}%00"
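Review bot: The line added in target_url, `uri = normalize_uri(datastore['URI']`, is missing its closing parenthesis, so the file will not parse and the module cannot load. It should read `uri = normalize_uri(datastore['URI'])`, matching the line added in run_host below it.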
2  modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb
@@ -49,7 +49,7 @@ def initialize(info = {})
def run_host(ip)
- base = target_uri.path
+ base = normalize_uri(target_uri.path)
base << '/' if base[-1,1] != '/'
peer = "#{ip}:#{rport}"
12 modules/auxiliary/scanner/http/blind_sql_query.rb
@@ -141,7 +141,7 @@ def run_host(ip)
#SEND NORMAL REQUEST
begin
normalres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => gvars,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
@@ -189,7 +189,7 @@ def run_host(ip)
begin
trueres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => testgvars,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
@@ -206,7 +206,7 @@ def run_host(ip)
begin
falseres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => testgvars,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
@@ -236,7 +236,7 @@ def run_host(ip)
:port => rport,
:vhost => vhost,
:ssl => ssl,
- :path => datastore['PATH'],
+ :path => normalize_uri(datastore['PATH']),
:method => http_method,
:pname => key,
:proof => "blind sql inj.",
@@ -272,7 +272,7 @@ def run_host(ip)
begin
trueres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => gvars,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
@@ -297,7 +297,7 @@ def run_host(ip)
begin
falseres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => gvars,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
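Review bot: This 'uri' line is the sixth place in run_host where the file now calls normalize_uri(datastore['PATH']) inline (five request hashes plus the :path field of the report). Assign it once at the top of run_host, e.g. `path = normalize_uri(datastore['PATH'])`, and reuse the variable so the requests and the reported path cannot drift apart when one call site is edited later.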
2  modules/auxiliary/scanner/http/brute_dirs.rb
@@ -59,7 +59,7 @@ def run_host(ip)
conn = false
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/clansphere_traversal.rb
@@ -45,7 +45,7 @@ def initialize(info = {})
def run_host(ip)
- base = target_uri.path
+ base = normalize_uri(target_uri.path)
base << '/' if base[-1,1] != '/'
peer = "#{ip}:#{rport}"
2  modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb
@@ -57,7 +57,7 @@ def initialize
def run_host(ip)
- url = datastore['URL']
+ url = normalize_uri(datastore['URL'])
locale = "?locale="
trav = datastore['PATH']
7 modules/auxiliary/scanner/http/concrete5_member_list.rb
@@ -44,12 +44,7 @@ def peer
end
def run_host(rhost)
- # check the only one forward slash appears in the url
- if datastore['URI'][0,1] == "/"
- url = datastore['URI']
- else
- url = "/" + datastore['URI']
- end
+ url = normalize_uri(datastore['URI'])
begin
res = send_request_raw({'uri' => "#{url}/index.php/members"})
2  modules/auxiliary/scanner/http/copy_of_file.rb
@@ -71,7 +71,7 @@ def run_host(ip)
]
- tpathf = datastore['PATH']
+ tpathf = normalize_uri(datastore['PATH'])
testf = tpathf.split('/').last
9 modules/auxiliary/scanner/http/dell_idrac.rb
@@ -53,14 +53,16 @@ def target_url
if rport == 443 or ssl
proto = "https"
end
- "#{proto}://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "#{proto}://#{vhost}:#{rport}#{uri}"
end
def do_login(user=nil, pass=nil)
+ uri = normalize_uri(target_uri.path)
auth = send_request_cgi({
'method' => 'POST',
- 'uri' => target_uri.path,
+ 'uri' => uri,
'SSL' => true,
'vars_post' => {
'user' => user,
@@ -88,10 +90,11 @@ def do_login(user=nil, pass=nil)
def run_host(ip)
print_status("Verifying that login page exists at #{ip}")
+ uri = normalize_uri(target_uri.path)
begin
res = send_request_raw({
'method' => 'GET',
- 'uri' => target_uri.path
+ 'uri' => uri
})
if (res and res.code == 200 and res.body.to_s.match(/<authResult>1/) != nil)
2  modules/auxiliary/scanner/http/dir_listing.rb
@@ -40,7 +40,7 @@ def initialize(info = {})
def run_host(ip)
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/dir_scanner.rb
@@ -61,7 +61,7 @@ def run_host(ip)
ecode = nil
emesg = nil
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb
@@ -69,7 +69,7 @@ def run_host(ip)
ecode = nil
emesg = nil
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -112,7 +112,7 @@ def do_login(user, pass)
end
def run
- @uri = target_uri
+ @uri = normalize_uri(target_uri)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
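Review bot: `@uri = normalize_uri(target_uri)` passes the URI object itself, where most other calls in this change pass a string (target_uri.path, target_uri.to_s or a datastore value), and the next line still calls `@uri.path`. If normalize_uri returns a String, `@uri.path` raises NoMethodError as soon as run is called. Keep `@uri = target_uri` and normalize only the path component, e.g. `@uri.path = normalize_uri(@uri.path)`.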
6 modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -58,12 +58,10 @@ def check(base_uri)
def run_host(ip)
# Make sure the URIPATH begins with '/'
- if datastore['PATH'][0] != '/'
- datastore['PATH'] = '/' + datastore['PATH']
- end
+ datastore['PATH'] = normalize_uri(datastore['PATH'])
# Make sure the URIPATH ends with /
- if datastore['PATH'][-1] != '/'
+ if datastore['PATH'][-1,1] != '/'
datastore['PATH'] = datastore['PATH'] + '/'
end
9 modules/auxiliary/scanner/http/ektron_cms400net.rb
@@ -50,10 +50,11 @@ def target_url
proto = "http"
end
+ uri = normalize_uri(datastore['URI'])
if vhost != ""
- "#{proto}://#{vhost}:#{rport}#{datastore['URI'].to_s}"
+ "#{proto}://#{vhost}:#{rport}#{uri.to_s}"
else
- "#{proto}://#{rhost}:#{rport}#{datastore['URI'].to_s}"
+ "#{proto}://#{rhost}:#{rport}#{uri.to_s}"
end
end
@@ -62,7 +63,7 @@ def run_host(ip)
res = send_request_cgi(
{
'method' => 'GET',
- 'uri' => datastore['URI']
+ 'uri' => normalize_uri(datastore['URI'])
}, 20)
#Check for HTTP 200 response.
@@ -126,7 +127,7 @@ def do_login(user=nil, pass=nil, viewstate=viewstate, eventvalidation=eventvalid
begin
res = send_request_cgi({
'method' => 'POST',
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'data' => post_data,
}, 20)
8 modules/auxiliary/scanner/http/error_sql_injection.rb
@@ -103,7 +103,7 @@ def run_host(ip)
if http_method == 'POST'
reqinfo = {
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'query' => datastore['QUERY'],
'data' => datastore['DATA'],
'method' => http_method,
@@ -112,7 +112,7 @@ def run_host(ip)
}
else
reqinfo = {
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'query' => datastore['QUERY'],
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
@@ -206,7 +206,7 @@ def run_host(ip)
if http_method == 'POST'
reqinfo = {
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'query' => datastore['QUERY'],
'data' => fstr,
'method' => http_method,
@@ -215,7 +215,7 @@ def run_host(ip)
}
else
reqinfo = {
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'query' => fstr,
'method' => http_method,
'ctype' => 'application/x-www-form-urlencoded',
2  modules/auxiliary/scanner/http/file_same_name_dir.rb
@@ -71,7 +71,7 @@ def run_host(ip)
''
]
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath.eql? "/"||""
print_error("Blank or default PATH set.");
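Review bot: The check that follows the changed line, `if tpath.eql? "/"||""`, compares only against "/" because `"/"||""` evaluates to "/", so an empty PATH was never matched by it. With tpath now coming from normalize_uri, the "Blank or default PATH" error for an empty option depends on normalize_uri turning "" into "/". Write the condition out explicitly, e.g. `if tpath == '/' or tpath.empty?`.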
2  modules/auxiliary/scanner/http/files_dir.rb
@@ -85,7 +85,7 @@ def run_host(ip)
conn = false
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
6 modules/auxiliary/scanner/http/glassfish_login.rb
@@ -103,8 +103,9 @@ def send_request(path, method, session='', data=nil, ctype=nil)
headers['Content-Type'] = ctype if ctype != nil
headers['Content-Length'] = data.length if data != nil
+ uri = normalize_uri(target_uri)
res = send_request_raw({
- 'uri' => "#{target_uri.path}#{path}".gsub(/\/\//, '/'),
+ 'uri' => "#{uri}#{path}",
'method' => method,
'data' => data,
'headers' => headers,
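Review bot: Two behaviour changes on the rewritten 'uri' line need a second look. `normalize_uri(target_uri)` is handed the URI object where the old code used target_uri.path, and the `.gsub(/\/\//, '/')` that collapsed the slash at the join is gone, so `"#{uri}#{path}"` can contain "//" whenever the base ends in '/' and `path` starts with one. Pass target_uri.path and either keep the gsub on the joined string or normalize after joining.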
@@ -222,7 +223,8 @@ def run_host(ip)
#Get GlassFish version
edition, version, banner = get_version(res)
- target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{datastore['PATH'].to_s}"
+ path = normalize_uri(datastore['PATH'])
+ target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
print_status("#{target_url} - GlassFish - Attempting authentication")
if (version == '2.x' or version == '9.x' or version == '3.0')
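Review bot: target_url still hard-codes a '/' before the interpolated path, so if normalize_uri returns PATH with a leading slash (which the modules in this change that dropped their own "add a leading '/'" code rely on) the printed URL becomes http://host:port//path. Drop the literal slash: `"http://#{rhost.to_s}:#{rport.to_s}#{path.to_s}"`.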
2  modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb
@@ -54,7 +54,7 @@ def rport
def run_host(ip)
@peer = "#{rhost}:#{rport}"
- @uri = target_uri.path
+ @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
2  modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
@@ -55,7 +55,7 @@ def rport
def run_host(ip)
@peer = "#{rhost}:#{rport}"
- @uri = target_uri.path
+ @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
2  modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb
@@ -54,7 +54,7 @@ def rport
def run_host(ip)
@peer = "#{rhost}:#{rport}"
- @uri = target_uri.path
+ @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
5 modules/auxiliary/scanner/http/http_put.rb
@@ -124,12 +124,9 @@ def do_delete(path)
# Main function for the module, duh!
#
def run_host(ip)
- path = datastore['PATH']
+ path = normalize_uri(datastore['PATH'])
data = datastore['FILEDATA']
- #Add "/" if necessary
- path = "/#{path}" if path[0,1] != '/'
-
if path[-1,1] != '/'
path += '/'
end
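Review bot: With the `path = "/#{path}" if path[0,1] != '/'` guard removed, run_host depends entirely on normalize_uri to return a string that starts with `/`, including when PATH is empty or unset. That contract should be stated in the documentation of normalize_uri (PULL 1045) or covered by a test, since the trailing-slash code that follows indexes into `path` directly.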
5 modules/auxiliary/scanner/http/litespeed_source_disclosure.rb
@@ -47,11 +47,12 @@ def initialize
end
def target_url
+ uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{datastore['URI']}"
end
def run_host(ip)
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
path_save = datastore['PATH_SAVE']
vuln_versions = [
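Review bot: In target_url the new local `uri` is assigned but never used; the string on the next line still interpolates `datastore['URI']`, so the printed URL is not normalized. It should read `"http://#{vhost}:#{rport}#{uri}"`, as the nginx_source_disclosure.rb hunk in this PR does.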
@@ -63,7 +64,7 @@ def run_host(ip)
begin
res = send_request_raw({
'method' => 'GET',
- 'uri' => "/#{uri}#{nullbytetxt}",
+ 'uri' => "#{uri}#{nullbytetxt}",
}, 25)
version = res.headers['Server'] if res
2  modules/auxiliary/scanner/http/lucky_punch.rb
@@ -86,7 +86,7 @@ def run_host(ip)
begin
normalres = send_request_cgi({
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'vars_get' => gvars,
'method' => 'GET',
'ctype' => 'text/plain'
3  modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb
@@ -49,6 +49,7 @@ module will attempt to download the Majordomo config.pl file.
end
def target_url
+ uri = normalize_uri(datastore['URI'])
"http://#{vhost}:#{rport}#{datastore['URI']}"
end
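Review bot: target_url assigns `uri = normalize_uri(datastore['URI'])` and then ignores it: the returned string is still built from `datastore['URI']`. Interpolate `uri` instead, otherwise the added line is dead code and the reported URL can differ from the one requested in run_host.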
@@ -57,7 +58,7 @@ def run_host(ip)
'../',
'./.../'
]
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
file = datastore['FILE']
deep = datastore['DEPTH']
file = file.gsub(/^\//, "")
2  modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
@@ -47,7 +47,7 @@ def initialize(info = {})
def run_host(ip)
- base = target_uri.path
+ base = normalize_uri(target_uri.path)
base << '/' if base[-1,1] != '/'
peer = "#{ip}:#{rport}"
2  modules/auxiliary/scanner/http/mod_negotiation_brute.rb
@@ -45,7 +45,7 @@ def run_host(ip)
ecode = nil
emesg = nil
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
tfile = datastore['FILEPATH']
if tpath[-1,1] != '/'
2  modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
@@ -50,7 +50,7 @@ def initialize(info = {})
end
def run_host(ip)
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
7 modules/auxiliary/scanner/http/nginx_source_disclosure.rb
@@ -49,11 +49,12 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
- uri = datastore['URI']
+ uri = normalize_uri(datastore['URI'])
path_save = datastore['PATH_SAVE']
vuln_versions = [
@@ -73,7 +74,7 @@ def run_host(ip)
res = send_request_raw(
{
'method' => 'GET',
- 'uri' => "/#{uri}#{get_source}",
+ 'uri' => "#{uri}#{get_source}",
}, 25)
if res
2  modules/auxiliary/scanner/http/prev_dir_same_name_file.rb
@@ -68,7 +68,7 @@ def run_host(ip)
'~'
]
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath.eql? "/"||""
print_error("Blank or default PATH set.");
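Review bot: The guard after the changed line, `if tpath.eql? "/"||""`, does not test for an empty PATH: `"/"||""` is just `"/"`. Since this hunk touches how tpath is derived, fix the condition here as well (compare against each value explicitly, or only against "/" if normalize_uri cannot return an empty string).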
2  modules/auxiliary/scanner/http/rails_mass_assignment.rb
@@ -79,7 +79,7 @@ def check_data(ip, parsed_data, base_params)
query.merge!(test_param)
resp = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => datastore['METHOD'] == 'POST' ? queryparse(datastore['QUERY'].to_s) : query,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
2  modules/auxiliary/scanner/http/robots_txt.rb
@@ -41,7 +41,7 @@ def initialize
def run_host(target_host)
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/s40_traversal.rb
@@ -44,7 +44,7 @@ def initialize(info = {})
end
def run
- uri = target_uri.path
+ uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1, 1] != '/'
t = "/.." * datastore['DEPTH']
2  modules/auxiliary/scanner/http/scraper.rb
@@ -42,7 +42,7 @@ def initialize
def run_host(target_host)
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
5 modules/auxiliary/scanner/http/soap_xml.rb
@@ -151,10 +151,11 @@ def run_host(ip)
data_parts << nil
data = data_parts.join("\r\n")
- vprint_status("Sending request #{datastore['PATH']}/#{v}#{n} to #{wmap_target_host}:#{datastore['RPORT']}")
+ uri = normalize_uri(datastore['PATH'])
+ vprint_status("Sending request #{uri}/#{v}#{n} to #{wmap_target_host}:#{datastore['RPORT']}")
res = send_request_raw({
- 'uri' => datastore['PATH'] + '/' + v + n,
+ 'uri' => uri + '/' + v + n,
'method' => 'POST',
'vhost' => vhost,
'data' => data,
3  modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb
@@ -54,7 +54,8 @@ def initialize(info={})
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
2  modules/auxiliary/scanner/http/svn_scanner.rb
@@ -54,7 +54,7 @@ def run_host(target_host)
ecode = nil
emesg = nil
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
5 modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -55,7 +55,8 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
def run_host(ip)
@@ -85,7 +86,7 @@ def do_login(user)
res = send_request_cgi(
{
'method' => 'POST',
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'data' => post_data,
}, 20)
19 modules/auxiliary/scanner/http/tomcat_mgr_login.rb
@@ -77,18 +77,19 @@ def initialize
def run_host(ip)
begin
+ uri = normalize_uri(datastore['URI'])
res = send_request_cgi({
- 'uri' => "#{datastore['URI']}",
+ 'uri' => uri,
'method' => 'GET'
}, 25)
http_fingerprint({ :response => res })
rescue ::Rex::ConnectionError => e
- vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
+ vprint_error("http://#{rhost}:#{rport}#{uri} - #{e}")
return
end
if not res
- vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - No response")
+ vprint_error("http://#{rhost}:#{rport}#{uri} - No response")
return
end
if res.code != 401
@@ -106,10 +107,10 @@ def do_login(user='tomcat', pass='tomcat')
success = false
srvhdr = '?'
user_pass = Rex::Text.encode_base64(user + ":" + pass)
-
+ uri = normalize_uri(datastore['URI'])
begin
res = send_request_cgi({
- 'uri' => "#{datastore['URI']}",
+ 'uri' => uri,
'method' => 'GET',
'headers' =>
{
@@ -117,7 +118,7 @@ def do_login(user='tomcat', pass='tomcat')
}
}, 25)
unless (res.kind_of? Rex::Proto::Http::Response)
- vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} not responding")
+ vprint_error("http://#{rhost}:#{rport}#{uri} not responding")
return :abort
end
return :abort if (res.code == 404)
@@ -131,12 +132,12 @@ def do_login(user='tomcat', pass='tomcat')
end
rescue ::Rex::ConnectionError => e
- vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
+ vprint_error("http://#{rhost}:#{rport}#{uri} - #{e}")
return :abort
end
if success
- print_good("http://#{rhost}:#{rport}#{datastore['URI']} [#{srvhdr}] [Tomcat Application Manager] successful login '#{user}' : '#{pass}'")
+ print_good("http://#{rhost}:#{rport}#{uri} [#{srvhdr}] [Tomcat Application Manager] successful login '#{user}' : '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
@@ -151,7 +152,7 @@ def do_login(user='tomcat', pass='tomcat')
return :next_user
else
- vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} [#{srvhdr}] [Tomcat Application Manager] failed to login as '#{user}'")
+ vprint_error("http://#{rhost}:#{rport}#{uri} [#{srvhdr}] [Tomcat Application Manager] failed to login as '#{user}'")
return
end
end
2  modules/auxiliary/scanner/http/trace_axd.rb
@@ -42,7 +42,7 @@ def initialize
end
def run_host(target_host)
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/vcms_login.rb
@@ -108,7 +108,7 @@ def do_login(user, pass)
end
def run
- @uri = target_uri
+ @uri = normalize_uri(target_uri)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
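Review bot: `@uri = normalize_uri(target_uri)` is followed by `@uri.path << "/"`, which needs @uri to be a URI object. Every other hunk in this PR treats the result of normalize_uri as a String (`tpath[-1,1]`, `tpath += '/'`, `uri << '/'`), in which case `@uri.path` raises NoMethodError as soon as run is called. Either keep `@uri = target_uri` and normalize `@uri.path`, or switch the following lines to string handling.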
4 modules/auxiliary/scanner/http/verb_auth_bypass.rb
@@ -53,7 +53,7 @@ def run_host(ip)
begin
res = send_request_raw({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'method' => 'GET'
}, 10)
@@ -76,7 +76,7 @@ def run_host(ip)
verbs.each do |tv|
resauth = send_request_raw({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'method' => tv
}, 10)
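Review bot: `normalize_uri(datastore['PATH'])` is re-evaluated on every iteration of `verbs.each`, and once more in the earlier GET request of the same method. Compute it once at the top of run_host and reuse the local, as the tomcat_mgr_login.rb hunks in this PR do.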
4 modules/auxiliary/scanner/http/vhost_scanner.rb
@@ -79,7 +79,7 @@ def run_host(ip)
begin
noexistsres = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => tquery,
'headers' => thead,
'vhost' => randhost,
@@ -108,7 +108,7 @@ def run_host(ip)
begin
res = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'vars_get' => tquery,
'headers' => thead,
'vhost' => thost,
2  modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
@@ -47,7 +47,7 @@ def initialize(info={})
def run_host(ip)
fname = File.basename(datastore['FILE'])
traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
- uri = datastore['URIPATH'] + traversal + datastore['FILE']
+ uri = normalize_uri(datastore['URIPATH'])+ '/' + traversal + datastore['FILE']
print_status("#{rhost}:#{rport} - Requesting: #{uri}")
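Review bot: The new line always inserts `'/'` between the normalized URIPATH and `traversal`, where the old code concatenated them directly, so the request changes for any URIPATH that already ended in a slash unless normalize_uri strips it. The other hunks use the `if ...[-1,1] != '/'` idiom for this; do the same here, and add the missing space before `+` in `)+ '/'`.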
2  modules/auxiliary/scanner/http/web_vulndb.rb
@@ -58,7 +58,7 @@ def run_host(ip)
conn = false
usecode = datastore['ForceCode']
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
if tpath[-1,1] != '/'
tpath += '/'
end
2  modules/auxiliary/scanner/http/webdav_internal_ip.rb
@@ -41,7 +41,7 @@ def run_host(target_host)
begin
res = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'method' => 'PROPFIND',
'data' => '',
'ctype' => 'text/xml',
2  modules/auxiliary/scanner/http/webdav_scanner.rb
@@ -41,7 +41,7 @@ def run_host(target_host)
begin
res = send_request_raw({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'method' => 'OPTIONS'
}, 10)
2  modules/auxiliary/scanner/http/webdav_website_content.rb
@@ -41,7 +41,7 @@ def run_host(target_host)
begin
res = send_request_cgi({
- 'uri' => datastore['PATH'],
+ 'uri' => normalize_uri(datastore['PATH']),
'method' => 'PROPFIND',
'data' => '',
'ctype' => 'text/xml',
3  modules/auxiliary/scanner/http/webpagetest_traversal.rb
@@ -49,7 +49,8 @@ def initialize(info = {})
def run_host(ip)
file = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "/#{datastore['FILE']}"
traverse = "../" * datastore['DEPTH']
- base = File.dirname("#{target_uri.path}/.")
+ uri = normalize_uri(target_uri.path)
+ base = File.dirname("#{uri}/.")
print_status("Requesting: #{file} - #{rhost}")
res = send_request_cgi({
7 modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -46,7 +46,8 @@ def initialize
end
def target_url
- "http://#{vhost}:#{rport}#{datastore['URI']}"
+ uri = normalize_uri(datastore['URI'])
+ "http://#{vhost}:#{rport}#{uri}"
end
@@ -90,7 +91,7 @@ def do_enum(user=nil)
res = send_request_cgi({
'method' => 'POST',
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'data' => post_data,
}, 20)
@@ -146,7 +147,7 @@ def do_login(user=nil,pass=nil)
res = send_request_cgi({
'method' => 'POST',
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'data' => post_data,
}, 20)
2  modules/auxiliary/scanner/http/xpath.rb
@@ -65,7 +65,7 @@ def run_host(ip)
falsecond = "'%20and%20'#{rnum}'='#{rnum+1}"
hmeth = datastore['METHOD']
- tpath = datastore['PATH']
+ tpath = normalize_uri(datastore['PATH'])
prequery = datastore['PRE_QUERY']
postquery = datastore['POST_QUERY']
emesg = datastore['ERROR_MSG']
2  modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
@@ -39,7 +39,7 @@ def run_host(ip)
user = datastore['NOTES_USER'].to_s
pass = datastore['NOTES_PASS'].to_s
- $uri = datastore['URI'].to_s
+ $uri = normalize_uri(datastore['URI'])
if (user.length == 0 and pass.length == 0)
print_status("http://#{vhost}:#{rport} - Lotus Domino - Trying dump password hashes without credentials")
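Review bot: The changed line still stores the path in the global `$uri`. run_host is invoked once per target, and a global is shared by every module and thread in the process, so a local or instance variable is the safer choice while this line is being edited. The explicit `.to_s` was also dropped, so a nil URI now depends on normalize_uri to handle it.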
2  modules/auxiliary/scanner/lotus/lotus_domino_version.rb
@@ -33,7 +33,7 @@ def initialize
def run_host(ip)
- path = datastore['PATH']
+ path = normalize_uri(datastore['PATH'])
check1 = [
'iNotes/Forms5.nsf',
'iNotes/Forms6.nsf',
2  modules/auxiliary/scanner/vmware/esx_fingerprint.rb
@@ -51,7 +51,7 @@ def run_host(ip)
</env:Envelope>|
begin
res = send_request_cgi({
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'agent' => 'VMware VI Client',
'data' => soap_data,
2  modules/auxiliary/scanner/vmware/vmware_http_login.rb
@@ -81,7 +81,7 @@ def check
begin
res = send_request_cgi({
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'agent' => 'VMware VI Client',
'data' => soap_data
2  modules/auxiliary/server/http_ntlmrelay.rb
@@ -299,7 +299,7 @@ def http_relay_toserver(hash, ser_sock = nil)
end
opts = {
- 'uri' => datastore['RURIPATH'],
+ 'uri' => normalize_uri(datastore['RURIPATH']),
'method' => method,
'version' => '1.1',
}
4 modules/exploits/bsdi/softcart/mercantec_softcart.rb
@@ -74,7 +74,7 @@ def initialize(info = {})
def brute_exploit(address)
if not (@mercantec)
res = send_request_raw({
- 'uri' => datastore['URI']
+ 'uri' => normalize_uri(datastore['URI'])
}, 5)
@mercantec = (res and res.body and res.body =~ /Copyright.*Mercantec/)
fail_with(Exploit::Failure::NotFound, "The target is not a Mercantec CGI") if not @mercantec
@@ -90,7 +90,7 @@ def brute_exploit(address)
print_status("Trying #{"%.8x" % address['Ret']}...")
res = send_request_raw({
- 'uri' => datastore['URI'],
+ 'uri' => normalize_uri(datastore['URI']),
'query' => buffer
}, 5)
5 modules/exploits/linux/http/dolibarr_cmd_exec.rb
@@ -59,9 +59,10 @@ def initialize(info={})
end
def check
+ uri = normalize_uri(target_uri.path)
res = send_request_raw({
'method' => 'GET',
- 'uri' => target_uri.path
+ 'uri' => uri
})
if res and res.body =~ /Dolibarr 3\.1\.1/
@@ -112,7 +113,7 @@ def login(sid, token)
end
def exploit
- @uri = target_uri
+ @uri = normalize_uri(target_uri)
@uri.path << "/" if @uri.path[-1, 1] != "/"
peer = "#{rhost}:#{rport}"
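Review bot: In exploit, `normalize_uri(target_uri)` receives the URI object and its result is then used as one (`@uri.path << "/"`), whereas check in the same file passes `target_uri.path` and uses the result as a string. If normalize_uri returns a String, exploit fails on `@uri.path`. Leave `@uri = target_uri` and normalize the path component instead.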
2  modules/exploits/linux/http/symantec_web_gateway_exec.rb
@@ -69,7 +69,7 @@ def check
end
def exploit
- uri = target_uri.path
+ uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
2  modules/exploits/linux/http/symantec_web_gateway_file_upload.rb