Improve regex parsing in lotus_domino_hashes #16505
Conversation
* The closing quotes after the `VALUE` attribute were not escaped. This commit adds them.
* The regex assumed that the short name does not contain whitespace. I am looking at a Domino instance where the short name DOES contain whitespace. This commit changes the regex such that the value is assumed to not contain a quote before the closing quote. Of course, there could be an escaped quote inside quotes in the HTML source, but if we want to do it properly, we'd need an HTML parser, which exceeds my modest ruby skills.
* The fields `$dspHTTPPassword` and `dspHTTPPassword` (without the dollar sign) can both contain the hash. The code assumed that only up to one of those fields contains a hash. This leads to the hash being printed twice in the output in my case.
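Added example (editor's code, not the module's and not part of this PR): a plain-Ruby extractor for the fields the module reads from the Domino person document, covering the three cases the description raises (whitespace in a value, an empty `$dspHTTPPassword` shadowing `dspHTTPPassword`, the same hash present in both fields) and going slightly beyond them: `input`/`INPUT` and attribute names are matched case-insensitively, attributes may appear in any order, and a quote escaped as `&quot;` inside a value is decoded, which is the only way a double quote can legally sit inside a double-quoted HTML attribute. The sample HTML, the `(AAAA...)` hash strings and the `Comment` field are constructed for the example; only the field names `ShortName`, `InternetAddress`, `$dspHTTPPassword` and `dspHTTPPassword` come from the page.

```ruby
# Added example, not the lotus_domino_hashes module's code. Extracts the
# <input NAME=... VALUE=...> fields of a Domino person document with plain Ruby.
require 'cgi'

# One <input ...> tag, any case; captures the raw attribute list.
# Limitation: a literal '>' inside a quoted attribute value would end the tag early.
INPUT_TAG_RE = /<input\b([^>]*)>/i
# One attribute inside a tag: name=value with "...", '...' or a bare value.
ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Returns { NAME value => decoded VALUE } for every <input> tag carrying a NAME.
# Attribute names are lower-cased before lookup so NAME= and name= both work;
# the values themselves keep their case (ShortName, $dspHTTPPassword, ...).
def input_fields(html)
  html.scan(INPUT_TAG_RE).each_with_object({}) do |(attrs), fields|
    parsed = {}
    attrs.scan(ATTR_RE) do |name, dq, sq, bare|
      # &quot; and friends are decoded here, so an escaped quote in a value survives
      parsed[name.downcase] = CGI.unescapeHTML(dq || sq || bare)
    end
    next unless parsed['name']
    fields[parsed['name']] = parsed.fetch('value', '')
  end
end

# Both spellings of the hash field, in the order the module prefers them.
HASH_FIELDS = ['$dspHTTPPassword', 'dspHTTPPassword'].freeze

# Builds the record the module would report. The hash is the first non-blank
# candidate, so an empty $dspHTTPPassword does not hide dspHTTPPassword, and
# identical values in both fields collapse to one entry instead of two.
def domino_record(html)
  fields = input_fields(html)
  candidates = HASH_FIELDS.map { |k| fields[k].to_s.strip }.reject(&:empty?).uniq
  {
    short_name:  fields['ShortName'].to_s.strip,
    user_mail:   fields['InternetAddress'].to_s.strip,
    pass_hash:   candidates.first,   # nil when neither field carries a hash
    pass_hashes: candidates          # every distinct non-blank value
  }
end

# Constructed sample data (not real Domino output). The hash strings are placeholders.
FAKE_HASH_A = '(AAAAAAAAAAAAAAAAAAAAAA)'
FAKE_HASH_B = '(BBBBBBBBBBBBBBBBBBBBBB)'

# Short name with whitespace, empty $dspHTTPPassword, mixed-case tags, &quot; in a value.
SAMPLE_EMPTY_DOLLAR = <<~HTML
  <form method="post">
  <INPUT NAME="ShortName" TYPE=hidden VALUE="John Q Public">
  <INPUT NAME="InternetAddress" TYPE=hidden VALUE="jqpublic@example.com">
  <INPUT NAME="$dspHTTPPassword" TYPE=hidden VALUE="">
  <input name="dspHTTPPassword" type=hidden value="#{FAKE_HASH_A}">
  <INPUT NAME="Comment" TYPE=hidden VALUE="say &quot;hi&quot;">
  </form>
HTML

# Same hash in both fields: must be reported once, not twice.
SAMPLE_BOTH_SET = <<~HTML
  <INPUT VALUE="jane" NAME="ShortName" TYPE=hidden>
  <INPUT NAME="InternetAddress" VALUE='jane@example.com' TYPE=hidden>
  <INPUT NAME="$dspHTTPPassword" TYPE=hidden VALUE="#{FAKE_HASH_B}">
  <INPUT NAME="dspHTTPPassword" TYPE=hidden VALUE="#{FAKE_HASH_B}">
HTML

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_EMPTY_DOLLAR, SAMPLE_BOTH_SET].each do |html|
    r = domino_record(html)
    puts "#{r[:short_name]} <#{r[:user_mail]}> #{r[:pass_hash]} (#{r[:pass_hashes].size} distinct)"
  end
end
```

Attributes are parsed per tag rather than with one positional regex, so attribute order and extra attributes cannot break a match; the remaining gap versus a real HTML parser (the `get_html_document`/XPath approach the review later moved to) is a literal `>` inside a quoted attribute value.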
Thanks for the contribution @AdrianVollmer, looks great, just one suggestion. Wrote a quick unit test as I wasn't able to find a target:
Test script and output
```ruby
# Constructed inputs: a short name with whitespace, and the $-prefixed hash field
# present, empty, and whitespace-only (the ? in the names mirrors the regex below)
test_strings = ['<INPUT NAME="ShortName" TYPE=TESTTYPE VALUE="test name"
<INPUT NAME="InternetAddress" TYPE=TESTTYPE VALUE="test_IP"
<INPUT NAME="$?dspHTTPPassword" TYPE=TESTTYPE VALUE="test_hash_dollar_sign"
<INPUT NAME="?dspHTTPPassword" TYPE=TESTTYPE VALUE="test_hash"',
'<INPUT NAME="ShortName" TYPE=TESTTYPE VALUE="test name"
<INPUT NAME="InternetAddress" TYPE=TESTTYPE VALUE="test_IP"
<INPUT NAME="$?dspHTTPPassword" TYPE=TESTTYPE VALUE=""
<INPUT NAME="?dspHTTPPassword" TYPE=TESTTYPE VALUE="test_hash"',
'<INPUT NAME="ShortName" TYPE=TESTTYPE VALUE="test name"
<INPUT NAME="InternetAddress" TYPE=TESTTYPE VALUE="test_IP"
<INPUT NAME="$?dspHTTPPassword" TYPE=TESTTYPE VALUE=" "
<INPUT NAME="?dspHTTPPassword" TYPE=TESTTYPE VALUE="test_hash"']

test_strings.each do |test_string|
  # [^"]+ runs up to the closing quote, so a value may contain whitespace;
  # it also skips VALUE="" entirely, which is why the second input yields one candidate
  short_name = test_string.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^"]+)\"/i).join
  user_mail = test_string.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^"]+)\"/i).join
  # [\$]* matches both field spellings; each hit is a one-element capture array
  pass_hash_candidates = test_string.scan(/<INPUT NAME=\"[\$]*\?dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^"]+)\"/i)
  # Prefer the first candidate and fall back to the second when the first is blank.
  # &. keeps this from raising NoMethodError when fewer than two candidates matched.
  first = pass_hash_candidates[0]&.first
  second = pass_hash_candidates[1]&.first
  pass_hash = if first.nil? || first.strip.empty?
                second unless second.nil? || second.strip.empty?
              else
                first
              end
  puts("Shortname: #{short_name}")
  puts("user_mail: #{user_mail}")
  puts("pass_hash_candidates: #{pass_hash_candidates}")
  puts("pass_hash: #{pass_hash}", "")
end
```

```text
Shortname: test name
user_mail: test_IP
pass_hash_candidates: [["test_hash_dollar_sign"], ["test_hash"]]
pass_hash: test_hash_dollar_sign

Shortname: test name
user_mail: test_IP
pass_hash_candidates: [["test_hash"]]
pass_hash: test_hash

Shortname: test name
user_mail: test_IP
pass_hash_candidates: [[" "], ["test_hash"]]
pass_hash: test_hash
```
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Maybe my ruby skills are better described by "poor" than "modest" ;) thanks for the suggestion.
Thanks for updating this @AdrianVollmer. Since it would be very challenging for us to set up a test environment, would you mind setting the We could sanitize the data and use these traces as an input for unit tests (specs).
That's 97k lines of output - each. I'll see what I can do, but that's a lot of data to sanitize...
Regarding the
Thanks for the offer, but I have to sanitize this even before sending it to you, or else it would violate the NDA. I'm on it.
```ruby
doc = res.get_html_document
short_name = doc.xpath('//input[@name="ShortName"]/@value').text
user_mail = doc.xpath('//input[@name="InternetAddress"]/@value').text
pass_hash = doc.xpath('//input[@name="$dspHTTPPassword" or @name="dspHTTPPassword"]/@value').first&.text
```
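Review bot: the `pass_hash` line takes whichever of `$dspHTTPPassword` / `dspHTTPPassword` comes first in document order via `.first&.text`, even when that field's `VALUE` is empty or whitespace, whereas the PR description says either field may carry the hash and the regex test script above deliberately fell back to the second candidate when the first was blank. Suggest selecting the first non-blank value instead, e.g. `doc.xpath('//input[@name="$dspHTTPPassword" or @name="dspHTTPPassword"]/@value').map(&:text).find { |v| !v.strip.empty? }`, so an empty `$dspHTTPPassword` does not hide a populated `dspHTTPPassword`; `short_name` and `user_mail` could get the same `.strip` treatment, since `.text` on a node set concatenates every match.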
Will await the http logs, but we should just double check the case sensitivity around the node name of `input` or `INPUT`.
Logs are sent to the mail address above.
I confirmed, we received the logs. Thank you!
Before:
After:
Tested locally and verified these changes fix the parsing of the value, shortname, dspHTTPPassword (with and without the
Release Notes
This fixes an issue in the
Note that I did not replace the deprecated `report_auth_info` function.
Verification
* `msfconsole`
* `use auxiliary/scanner/lotus/lotus_domino_hashes`
Unfortunately I can't provide a PCAP (it's TLS encrypted anyway) or screen recordings because it would contain data protected by an NDA. I do not have a test instance. All I can offer is this:
Before:
After: