Add ':' for split of PATH in backup_file.rb #19130
base: master
@@ -23,7 +23,7 @@ def initialize(info = {}) | |||
|
|||
register_options( | |||
[ | |||
OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp']) | |||
OptString.new('PATH', [ true, "The path/file to identify backups, use ':' as a delimiter for multi-path/file input", '/index.asp']) |
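Review bot: using ':' as the list delimiter for PATH is lossy, because ':' is a legal character inside a URI path segment (RFC 3986 pchar), so a single value such as /api/v1/users:export would be cut in two; only the option description changes in this hunk, so the split itself (handling of empty entries, entries without a leading '/') cannot be reviewed here. Consider keeping PATH as a single path and adding a separate OptPath-backed list option for the multi-path case instead of overloading the string.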
I don't have the full context on this module; does this module need to work with full paths for Windows envs? If so I don't think this will work for this scenario: `C:\\inetpub\\wwwroot\\foo.asp`

Potentially `PATH` is just a misnomer though, and this is really `FILE_LIST` or something.
The module makes HTTP requests to a server trying to find 'backup' files (by adding an extension of `.backup`, for example). I do not believe `:` is a valid HTTP (URI) part.
Ah; gotcha. I believe the normal pattern is to take such wordlists from a file. So this would become `OptPath`, and it would point towards a default wordlist that ships with Metasploit, but the user can override it to point to their own wordlist.

Like this - I'd probably use this pattern for the file reading:

```ruby
OptPath.new(
  'URIS_FILE',
  [
    false,
    'File containing additional URIs to check',
    File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_uris.txt')
  ]
),
```

Another example, but the file reading implementation isn't as good as the above:

metasploit-framework/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb, lines 29 to 32 in e6fb178:

```ruby
OptPath.new('TARGET_URIS_FILE', [
  false, 'Path to list of URIs to request',
  File.join(Msf::Config.data_directory, 'wordlists', 'http_owa_common.txt')
]),
```
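The two approaches under discussion side by side, as an added example that is not part of this pull request or of the Metasploit code base: a small reader for a `TARGET_URIS_FILE`-style wordlist (strip whitespace, skip blanks and `#` comments, normalise a leading `/`, de-duplicate) next to the "split `PATH` on `:`" behaviour the PR proposes. The wordlist content, the `load_target_uris`, `split_path_option` and `valid_request_path?` helpers, and the Windows path are all constructed for the example; the validity check is a simplified RFC 3986 `path-absolute` pattern, not a Metasploit API.

```ruby
require 'tempfile'

# Constructed sample wordlist (not a real Metasploit data file): one URI per line,
# blank lines and '#' comments allowed, in the style of the http_uris.txt files above.
SAMPLE_WORDLIST = <<~LIST
  # common backup candidates (constructed for this example)
  /index.asp
  index.php

  /admin/config.php
  /api/v1/users:export
LIST

# Simplified RFC 3986 path-absolute: '/' followed by pchar or '/' characters.
# Note that ':' is a legal pchar, which is why it is a poor list delimiter.
PATH_ABSOLUTE = %r{\A/(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2}|/)*\z}

# Read a URI list file the way an OptPath-backed TARGET_URIS_FILE would be consumed.
def load_target_uris(path)
  File.readlines(path, chomp: true).filter_map do |line|
    entry = line.strip
    next if entry.empty? || entry.start_with?('#')
    entry = "/#{entry}" unless entry.start_with?('/')
    entry
  end.uniq
end

# The behaviour the PR proposes: one PATH string, split on ':'.
def split_path_option(value)
  value.split(':').reject(&:empty?)
end

# True when every entry is still a request path the module could send.
def valid_request_path?(uri)
  PATH_ABSOLUTE.match?(uri)
end

# Run both strategies over the same inputs and report what each produces.
def demo
  Tempfile.create(['target_uris', '.txt']) do |f|
    f.write(SAMPLE_WORDLIST)
    f.flush
    from_file = load_target_uris(f.path)
    from_split = split_path_option('/index.asp:/api/v1/users:export')
    {
      from_file: from_file,
      from_split: from_split,
      file_all_valid: from_file.all? { |u| valid_request_path?(u) },
      split_all_valid: from_split.all? { |u| valid_request_path?(u) },
      # The Windows case raised earlier in the thread: the drive letter is lost.
      windows_split: split_path_option('C:\\inetpub\\wwwroot\\foo.asp')
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows the file-backed list preserving `/api/v1/users:export` intact, while the `:`-split version yields `/api/v1/users` and a bare `export` that is no longer a usable request path, and turns `C:\inetpub\wwwroot\foo.asp` into `C` plus the remainder.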
I see. We can migrate to the one `TARGET_URIS_FILE` as it is more suitable - though none of those paths are relevant for backup files.

For the best outcome we should use the dirb (a tool used to bruteforce files and directories) common.txt file: https://salsa.debian.org/pkg-security-team/dirb/-/blob/debian/master/wordlists/common.txt

At the moment `backup_file.rb` supports single path lookup; by adding the ability to use the `:` delimiter you can now use the module with multiple paths in one 'run'.

Steps to recreate (the web server target I use returns 200 OK on everything):