Class: Rex::Proto::Http::ClientRequest

Inherits:

Object

• Object
• Rex::Proto::Http::ClientRequest

Defined in:

lib/rex/proto/http/client_request.rb

Constant Summary

DefaultConfig =

{
  #
  # Regular HTTP stuff
  #
  'agent'                  => nil,
  'cgi'                    => true,
  'cookie'                 => nil,
  'data'                   => '',
  'headers'                => nil,
  'raw_headers'            => '',
  'method'                 => 'GET',
  'partial'                => false,
  'path_info'              => '',
  'port'                   => 80,
  'proto'                  => 'HTTP',
  'query'                  => '',
  'ssl'                    => false,
  'uri'                    => '/',
  'vars_get'               => {},
  'vars_post'              => {},
  'vars_form_data'         => [],
  'version'                => '1.1',
  'vhost'                  => nil,
  'ssl_server_name_indication' => nil,

  #
  # Evasion options
  #
  'encode_params'          => true,
  'encode'                 => false,
  'uri_encode_mode'        => 'hex-normal', # hex-normal, hex-all, hex-noslashes, hex-random, u-normal, u-all, u-noslashes, u-random
  'uri_encode_count'       => 1,       # integer
  'uri_full_url'           => false,   # bool
  'pad_method_uri_count'   => 1,       # integer
  'pad_uri_version_count'  => 1,       # integer
  'pad_method_uri_type'    => 'space', # space, tab, apache
  'pad_uri_version_type'   => 'space', # space, tab, apache
  'method_random_valid'    => false,   # bool
  'method_random_invalid'  => false,   # bool
  'method_random_case'     => false,   # bool
  'version_random_valid'   => false,   # bool
  'version_random_invalid' => false,   # bool
  'uri_dir_self_reference' => false,   # bool
  'uri_dir_fake_relative'  => false,   # bool
  'uri_use_backslashes'    => false,   # bool
  'pad_fake_headers'       => false,   # bool
  'pad_fake_headers_count' => 16,      # integer
  'pad_get_params'         => false,   # bool
  'pad_get_params_count'   => 8,       # integer
  'pad_post_params'        => false,   # bool
  'pad_post_params_count'  => 8,       # integer
  'uri_fake_end'           => false,   # bool
  'uri_fake_params_start'  => false,   # bool
  'shuffle_get_params'     => false,   # bool
  'shuffle_post_params'    => false,   # bool
  'header_folding'         => false,   # bool
  'chunked_size'           => 0,        # integer

  #
  # NTLM Options
  #
  'usentlm2_session' => true,
  'use_ntlmv2'       => true,
  'send_lm'         => true,
  'send_ntlm'       => true,
  'SendSPN'  => true,
  'UseLMKey' => false,
  'domain' => 'WORKSTATION',
  #
  # Digest Options
  #
  'DigestAuthIIS' => true
}

Instance Attribute Summary

• #opts ⇒ Object readonly

  Returns the value of attribute opts.

Instance Method Summary

• #get_file_data(file) ⇒ Object protected
• #get_filename(data) ⇒ Object protected
• #initialize(opts = {}) ⇒ ClientRequest constructor

  A new instance of ClientRequest.

• #set_agent_header ⇒ Object protected

  Return the HTTP agent header.

• #set_auth_header ⇒ Object protected
• #set_body(bdata) ⇒ Object protected

  Return the HTTP separator and body string.

• #set_chunked_header ⇒ Object protected
• #set_connection_header ⇒ Object protected

  Return the HTTP connection header.

• #set_content_len_header(clen) ⇒ Object protected

  Return the content length header.

• #set_content_type_header(ctype) ⇒ Object protected

  Return the content type header.

• #set_cookie_header ⇒ Object protected

  Return the HTTP cookie header.

• #set_encode_uri(str) ⇒ Object protected
• #set_extra_headers ⇒ Object protected

  Return a string of formatted extra headers.

• #set_formatted_header(var, val) ⇒ Object protected

  Return a formatted header string.

• #set_host_header ⇒ Object protected

  Return the HTTP Host header.

• #set_method ⇒ Object protected
• #set_method_uri_spacer ⇒ Object protected
• #set_path_info ⇒ Object protected

  Return the HTTP path info TODO: * Encode path information.

• #set_uri ⇒ Object protected
• #set_uri_append ⇒ Object protected

  Return the padding to place before the uri.

• #set_uri_prepend ⇒ Object protected

  Return the padding to place before the uri.

• #set_uri_version_spacer ⇒ Object protected

  Return the spacing between the uri and the version.

• #set_version ⇒ Object protected

  Return the HTTP version string.

• #to_s(headers_only: false) ⇒ Object

Constructor Details

#initialize(opts = {}) ⇒ ClientRequest

Returns a new instance of ClientRequest.

# File 'lib/rex/proto/http/client_request.rb', line 92

def initialize(opts={})
  @opts = DefaultConfig.merge(opts)
  @opts['agent'] ||= Rex::UserAgent.session_agent
  @opts['headers'] ||= {}
end

Instance Attribute Details

#opts ⇒ Object (readonly)

Returns the value of attribute opts.

# File 'lib/rex/proto/http/client_request.rb', line 90

def opts
  @opts
end

Instance Method Details

#get_file_data(file) ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 529

def get_file_data(file)
  file.respond_to?('read') ? (file.rewind; contents = file.read; file.rewind; contents) : file.to_s
end

#get_filename(data) ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 533

def get_filename(data)
  data.is_a?(::Pathname) || data.is_a?(::File) ? ::File.basename(data) : nil
end

#set_agent_header ⇒ Object (protected)

Return the HTTP agent header

# File 'lib/rex/proto/http/client_request.rb', line 421

def set_agent_header
  opts['agent'] ? set_formatted_header("User-Agent", opts['agent']) : ""
end

#set_auth_header ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 425

def set_auth_header
  opts['authorization'] ? set_formatted_header("Authorization", opts['authorization']) : ""
end

#set_body(bdata) ⇒ Object (protected)

Return the HTTP separator and body string

# File 'lib/rex/proto/http/client_request.rb', line 518

def set_body(bdata)
  return "\r\n" + bdata if opts['chunked_size'] == 0
  str = bdata.dup
  chunked = ''
  while str.size > 0
    chunk = str.slice!(0,rand(opts['chunked_size']) + 1)
    chunked << sprintf("%x", chunk.size) + "\r\n" + chunk + "\r\n"
  end
  "\r\n" + chunked + "0\r\n\r\n"
end

#set_chunked_header ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 510

def set_chunked_header
  return "" if opts['chunked_size'] == 0
  set_formatted_header('Transfer-Encoding', 'chunked')
end

#set_connection_header ⇒ Object (protected)

Return the HTTP connection header

# File 'lib/rex/proto/http/client_request.rb', line 439

def set_connection_header
  opts['connection'] ? set_formatted_header("Connection", opts['connection']) : ""
end

#set_content_len_header(clen) ⇒ Object (protected)

Return the content length header

# File 'lib/rex/proto/http/client_request.rb', line 453

def set_content_len_header(clen)
  if opts['method'] == 'GET' && (clen == 0 || opts['chunked_size'] > 0)
    # This condition only applies to GET because of the specs.
    # RFC-7230:
    # A Content-Length header field is normally sent in a POST
    # request even when the value is 0 (indicating an empty payload body)
    return ''
  elsif opts['headers'] && opts['headers']['Content-Length']
    # If the module has a modified content-length header, respect that by
    # not setting another one.
    return ''
  end
  set_formatted_header("Content-Length", clen)
end

#set_content_type_header(ctype) ⇒ Object (protected)

Return the content type header

# File 'lib/rex/proto/http/client_request.rb', line 446

def set_content_type_header(ctype)
  ctype ? set_formatted_header("Content-Type", ctype) : ""
end

#set_cookie_header ⇒ Object (protected)

Return the HTTP cookie header

# File 'lib/rex/proto/http/client_request.rb', line 432

def set_cookie_header
  opts['cookie'] ? set_formatted_header("Cookie", opts['cookie']) : ""
end

#set_encode_uri(str) ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 289

def set_encode_uri(str)
  a = str.to_s.dup
  opts['uri_encode_count'].times {
    a = Rex::Text.uri_encode(a, opts['uri_encode_mode'])
  }
  return a
end

#set_extra_headers ⇒ Object (protected)

Return a string of formatted extra headers

# File 'lib/rex/proto/http/client_request.rb', line 491

def set_extra_headers
  buf = ''

  if (opts['pad_fake_headers'])
    1.upto(opts['pad_fake_headers_count'].to_i) do |i|
      buf << set_formatted_header(
        Rex::Text.rand_text_alphanumeric(rand(32)+1),
        Rex::Text.rand_text_alphanumeric(rand(32)+1)
      )
    end
  end

  opts['headers'].each_pair do |var,val|
    buf << set_formatted_header(var, val)
  end

  buf
end

#set_formatted_header(var, val) ⇒ Object (protected)

Return a formatted header string

# File 'lib/rex/proto/http/client_request.rb', line 410

def set_formatted_header(var, val)
  if (self.opts['header_folding'])
    "#{var}:\r\n\t#{val}\r\n"
  else
    "#{var}: #{val}\r\n"
  end
end

#set_host_header ⇒ Object (protected)

Return the HTTP Host header

# File 'lib/rex/proto/http/client_request.rb', line 471

def set_host_header
  return "" if opts['uri_full_url']
  host = opts['vhost']

  # IPv6 addresses must be placed in brackets
  if Rex::Socket.is_ipv6?(host)
    host = "[#{host}]"
  end

  # The port should be appended if non-standard
  if not [80,443].include?(opts['port'])
    host = host + ":#{opts['port']}"
  end

  set_formatted_header("Host", host)
end

#set_method ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 297

def set_method
  ret = opts['method'].dup

  if (opts['method_random_valid'])
    ret = ['GET', 'POST', 'HEAD'][rand(3)]
  end

  if (opts['method_random_invalid'])
    ret = Rex::Text.rand_text_alpha(rand(20)+1)
  end

  if (opts['method_random_case'])
    ret = Rex::Text.to_rand_case(ret)
  end

  ret
end

#set_method_uri_spacer ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 315

def set_method_uri_spacer
  len = opts['pad_method_uri_count'].to_i
  set = " "
  buf = ""

  case opts['pad_method_uri_type']
  when 'tab'
    set = "\t"
  when 'apache'
    set = "\t \x0b\x0c\x0d"
  end

  while(buf.length < len)
    buf << set[ rand(set.length) ]
  end

  return buf
end

#set_path_info ⇒ Object (protected)

Return the HTTP path info TODO:

* Encode path information

# File 'lib/rex/proto/http/client_request.rb', line 355

def set_path_info
  opts['path_info'] ? opts['path_info'] : ''
end

#set_uri ⇒ Object (protected)

# File 'lib/rex/proto/http/client_request.rb', line 259

def set_uri
  uri_str = opts['uri'].dup
  if (opts['uri_dir_self_reference'])
    uri_str.gsub!('/', '/./')
  end

  if (opts['uri_dir_fake_relative'])
    buf = ""
    uri_str.split('/',-1).each do |part|
      cnt = rand(8)+2
      1.upto(cnt) { |idx|
        buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1)
      }
      buf << ("/.." * cnt)
      buf << "/" + part
    end
    uri_str = buf
  end

  if (opts['uri_full_url'])
    url = opts['ssl'] ? "https://" : "http://"
    url << opts['vhost']
    url << ((opts['port'] == 80) ? "" : ":#{opts['port']}")
    url << uri_str
    url
  else
    uri_str
  end
end

#set_uri_append ⇒ Object (protected)

Return the padding to place before the uri

# File 'lib/rex/proto/http/client_request.rb', line 362

def set_uri_append
  # TODO:
  #  * Support different padding types
  ""
end

#set_uri_prepend ⇒ Object (protected)

Return the padding to place before the uri

# File 'lib/rex/proto/http/client_request.rb', line 337

def set_uri_prepend
  prefix = ""

  if (opts['uri_fake_params_start'])
    prefix << '/%3fa=b/../'
  end

  if (opts['uri_fake_end'])
    prefix << '/%20HTTP/1.0/../../'
  end

  prefix
end

#set_uri_version_spacer ⇒ Object (protected)

Return the spacing between the uri and the version

# File 'lib/rex/proto/http/client_request.rb', line 371

def set_uri_version_spacer
  len = opts['pad_uri_version_count'].to_i
  set = " "
  buf = ""

  case opts['pad_uri_version_type']
  when 'tab'
    set = "\t"
  when 'apache'
    set = "\t \x0b\x0c\x0d"
  end

  while(buf.length < len)
    buf << set[ rand(set.length) ]
  end

  return buf
end

#set_version ⇒ Object (protected)

Return the HTTP version string

# File 'lib/rex/proto/http/client_request.rb', line 393

def set_version
  ret = opts['proto'] + "/" + opts['version']

  if (opts['version_random_valid'])
    ret = opts['proto'] + "/" +  ['1.0', '1.1'][rand(2)]
  end

  if (opts['version_random_invalid'])
    ret = Rex::Text.rand_text_alphanumeric(rand(20)+1)
  end

  ret << "\r\n"
end

#to_s(headers_only: false) ⇒ Object

# File 'lib/rex/proto/http/client_request.rb', line 98

def to_s(headers_only: false)
  # Start GET query string
  qstr = opts['query'] ? opts['query'].dup : ""

  # Start POST data string
  pstr = opts['data'] ? opts['data'].dup : ""

  ctype = opts['ctype']

  if opts['cgi']
    uri_str = set_uri

    if (opts['pad_get_params'])
      1.upto(opts['pad_get_params_count'].to_i) do |i|
        qstr << '&' if qstr.length > 0
        qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1))
        qstr << '='
        qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1))
      end
    end
    if opts.key?("vars_get") && opts['vars_get']
      opts['vars_get'] = Hash[opts['vars_get'].to_a.shuffle] if (opts['shuffle_get_params'])

      opts['vars_get'].each_pair do |var,val|
        var = var.to_s

        qstr << '&' if qstr.length > 0
        qstr << (opts['encode_params'] ? set_encode_uri(var) : var)
        # support get parameter without value
        # Example: uri?parameter
        if val
          val = val.to_s
          qstr << '='
          qstr << (opts['encode_params'] ? set_encode_uri(val) : val)
        end
      end
    end
    if (opts['pad_post_params'])
      1.upto(opts['pad_post_params_count'].to_i) do |i|
        rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1)
        rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1)
        pstr << '&' if pstr.length > 0
        pstr << (opts['encode_params'] ? set_encode_uri(rand_var) : rand_var)
        pstr << '='
        pstr << (opts['encode_params'] ? set_encode_uri(rand_val) : rand_val)
      end
    end

    opts['vars_post'] = Hash[opts['vars_post'].to_a.shuffle] if (opts['shuffle_post_params'])

    opts['vars_post'].each_pair do |var,val|
      var = var.to_s
      unless val.is_a?(Array)
        val = [val]
      end
      val.each do |v|
        v = v.to_s
        pstr << '&' if pstr.length > 0
        pstr << (opts['encode_params'] ? set_encode_uri(var) : var)
        pstr << '='
        pstr << (opts['encode_params'] ? set_encode_uri(v) : v)
      end
    end

    if opts['vars_form_data'] && opts['vars_form_data'].length > 0
      unless opts['vars_form_data'].is_a?(::Array)
        raise ::ArgumentError, "request_cgi: The provided `form_data` option is not valid. Expected: Array, Got: #{opts['form_data'].class}"
      end

      form_data = Rex::MIME::Message.new
      # Initialize or reuse the previous form data boundary to ensure idempotency
      opts['vars_form_data_boundary'] ||= form_data.bound
      form_data.bound = opts['vars_form_data_boundary']

      opts['vars_form_data'].each do |field_hash|
        # The name of the HTTP form field
        field_name = field_hash.fetch('name', nil)
        unless field_name.is_a?(::String) || field_name == nil
          raise ::ArgumentError, "to_s: The provided field `name` option is not valid. Expected: String, Got: #{field_name.class}"
        end

        mime_type = field_hash.fetch('content_type', nil)
        encoding = field_hash.fetch('encoding', nil)

        file_contents = get_file_data(field_hash['data'])
        filename = field_hash.fetch('filename') { get_filename(field_hash['data']) }

        content_disposition = 'form-data'
        content_disposition << "; name=\"#{field_name}\"" if field_name
        # NOTE: The file name is intentionally unescaped, as exploits such as playsms_filename_exec embed payloads into the file name which shouldn't be escaped
        content_disposition << "; filename=\"#{filename}\"" if filename

        form_data.add_part(file_contents, mime_type, encoding, content_disposition)
      end

      pstr += form_data.to_s
    end

    ctype ||= "multipart/form-data; boundary=#{opts['vars_form_data_boundary']}" if opts['vars_form_data_boundary']
    ctype ||= 'application/x-www-form-urlencoded' if opts['method'] == 'POST'
  else
    if opts['encode']
      qstr = set_encode_uri(qstr)
    end
    uri_str = set_uri
  end

  req = ''
  req << set_method
  req << set_method_uri_spacer()
  req << set_uri_prepend()

  if opts['encode']
    req << set_encode_uri(uri_str)
  else
    req << uri_str
  end


  if (qstr.length > 0)
    req << '?'
    req << qstr
  end

  req << set_path_info
  req << set_uri_append()
  req << set_uri_version_spacer()
  req << set_version

  # Set a default Host header if one wasn't passed in
  unless opts['headers'] && opts['headers'].keys.map(&:downcase).include?('host')
    req << set_host_header
  end

  # If an explicit User-Agent header is set, then use that instead of
  # the default
  unless opts['headers'] && opts['headers'].keys.map(&:downcase).include?('user-agent')
    req << set_agent_header
  end

  # Similar to user-agent, only add an automatic auth header if a
  # manual one hasn't been provided
  unless opts['headers'] && opts['headers'].keys.map(&:downcase).include?('authorization')
    req << set_auth_header
  end

  req << set_cookie_header
  req << set_connection_header
  req << set_extra_headers

  req << set_content_type_header(ctype)
  req << set_content_len_header(pstr.length)
  req << set_chunked_header
  req << opts['raw_headers']
  req << set_body(pstr) unless headers_only

  req
end