|
| 1 | +## |
| 2 | +# This module requires Metasploit: https://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +class MetasploitModule < Msf::Auxiliary |
| 7 | + include Msf::Auxiliary::Scanner |
| 8 | + include Msf::Exploit::Remote::HttpClient |
| 9 | + |
| 10 | + def initialize(info = {}) |
| 11 | + super( |
| 12 | + update_info( |
| 13 | + info, |
| 14 | + 'Name' => 'ReDoc API Docs UI Exposed', |
| 15 | + 'Description' => %q{ |
| 16 | + Detects publicly exposed ReDoc API documentation pages. |
| 17 | + The module performs safe, read-only GET requests and reports likely |
| 18 | + ReDoc instances based on HTML markers. |
| 19 | + }, |
| 20 | + 'Author' => [ |
| 21 | + 'Hamza Sahin (@hamzasahin61)' |
| 22 | + ], |
| 23 | + 'License' => MSF_LICENSE, |
| 24 | + 'Notes' => { |
| 25 | + 'Stability' => [CRASH_SAFE], # GET requests only; should not crash or disrupt the target service |
| 26 | + 'Reliability' => [], # Does not establish sessions; leaving this empty is acceptable |
| 27 | + 'SideEffects' => [IOC_IN_LOGS] # Requests may be logged by the target web server |
| 28 | + }, |
| 29 | + 'DefaultOptions' => { |
| 30 | + 'RPORT' => 80 |
| 31 | + } |
| 32 | + ) |
| 33 | + ) |
| 34 | + |
| 35 | + register_options( |
| 36 | + [ |
| 37 | + # Mark as required and surface the built-in defaults here |
| 38 | + OptString.new('REDOC_PATHS', [ |
| 39 | + true, |
| 40 | + 'Comma-separated list of paths to probe', |
| 41 | + '/redoc,/redoc/,/docs,/api/docs,/openapi' |
| 42 | + ]) |
| 43 | + ] |
| 44 | + ) |
| 45 | + end |
| 46 | + |
| 47 | + # returns true if the response looks like a ReDoc page |
| 48 | + def redoc_like?(res) |
| 49 | + # Accept only 2xx or 403 (exclude redirects; many 3xx lack HTML to analyze) |
| 50 | + return false unless res && (res.code.between?(200, 299) || res.code == 403) |
| 51 | + |
| 52 | + # Prefer DOM checks |
| 53 | + doc = res.get_html_document |
| 54 | + if doc && (doc.at_css('redoc, redoc-, #redoc') || |
| 55 | + doc.css('script[src*="redoc"]').any? || |
| 56 | + doc.css('script[src*="redoc.standalone"]').any?) |
| 57 | + return true |
| 58 | + end |
| 59 | + |
| 60 | + # Fallback to body/title heuristics |
| 61 | + title = res.get_html_title.to_s |
| 62 | + body = res.body.to_s |
| 63 | + return true if title =~ /redoc/i || body =~ /<redoc-?/i || body =~ /redoc(\.standalone)?\.js/i |
| 64 | + |
| 65 | + false |
| 66 | + end |
| 67 | + |
| 68 | + def check_path(path) |
| 69 | + redoc_like?(send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(path) })) |
| 70 | + end |
| 71 | + |
| 72 | + def run_host(ip) |
| 73 | + vprint_status("#{ip} - scanning for ReDoc") |
| 74 | + |
| 75 | + # REDOC_PATHS is required and has defaults; always use it directly |
| 76 | + paths = datastore['REDOC_PATHS'].split(',').map(&:strip) |
| 77 | + |
| 78 | + hit = paths.find { |p| check_path(p) } |
| 79 | + if hit |
| 80 | + print_good("#{ip} - ReDoc likely exposed at #{hit}") |
| 81 | + report_service(host: ip, port: rport, proto: 'tcp', name: 'http') |
| 82 | + else |
| 83 | + vprint_status("#{ip} - no ReDoc found") |
| 84 | + end |
| 85 | + end |
| 86 | +end |
0 commit comments