Add cookie management to HttpClient

Author: wvu

lib/msf/core/exploit/http/client.rb

@@ -2,6 +2,7 @@
 
 require 'uri'
 require 'digest'
+
 module Msf
 
 ###
@@ -11,6 +12,7 @@ module Msf
 #
 ###
 module Exploit::Remote::HttpClient
+
   include Msf::Auxiliary::Report
 
   #
@@ -48,6 +50,7 @@ def initialize(info = {})
         OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']),
         OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
         OptBool.new('HttpPartialResponses', [false, 'Return partial HTTP responses despite timeouts', false]),
+        OptBool.new('HttpKeepCookies', [false, 'Keep cookies from HTTP responses for reuse in HTTP requests', false]),
         OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]),
         OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]),
         OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu'])
@@ -88,6 +91,9 @@ def initialize(info = {})
     )
     register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ])
     register_autofilter_services(%W{ http https })
+
+    # Initialize an empty cookie jar to keep cookies
+    self.cookie_jar = Set.new
   end
 
   def deregister_http_client_options
@@ -314,69 +320,81 @@ def cleanup
   #
   # Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw.
   #
-  def send_request_raw(opts={}, timeout = 20, disconnect = false)
+  def send_request_raw(opts = {}, timeout = 20, disconnect = false)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
-      actual_timeout =  opts[:timeout] || timeout
+      actual_timeout = opts[:timeout] || timeout
     end
 
-    begin
-      c = connect(opts)
-      r = opts[:cgi] ? c.request_cgi(opts) : c.request_raw(opts)
+    c = connect(opts)
+    r = opts[:cgi] ? c.request_cgi(opts) : c.request_raw(opts)
 
-      if datastore['HttpTrace']
-        request_color, response_color =
-          (datastore['HttpTraceColors'] || '').split('/').map { |color| "%bld%#{color}" }
+    if datastore['HttpTrace']
+      request_color, response_color =
+        (datastore['HttpTraceColors'] || '').split('/').map { |color| "%bld%#{color}" }
 
-        request = r.to_s(headers_only: datastore['HttpTraceHeaders'])
+      request = r.to_s(headers_only: datastore['HttpTraceHeaders'])
 
-        print_line('#' * 20)
-        print_line('# Request:')
-        print_line('#' * 20)
-        print_line("%clr#{request_color}#{request}%clr")
-      end
+      print_line('#' * 20)
+      print_line('# Request:')
+      print_line('#' * 20)
+      print_line("%clr#{request_color}#{request}%clr")
+    end
 
-      res = c.send_recv(r, actual_timeout)
+    res = c.send_recv(r, actual_timeout)
 
-      if datastore['HttpTrace']
-        print_line('#' * 20)
-        print_line('# Response:')
-        print_line('#' * 20)
+    if datastore['HttpTrace']
+      print_line('#' * 20)
+      print_line('# Response:')
+      print_line('#' * 20)
 
-        if res
-          response = res.to_terminal_output(headers_only: datastore['HttpTraceHeadersOnly'])
+      if res
+        response = res.to_terminal_output(headers_only: datastore['HttpTraceHeadersOnly'])
 
-          print_line("%clr#{response_color}#{response}%clr")
-        else
-          print_line('No response received')
-        end
+        print_line("%clr#{response_color}#{response}%clr")
+      else
+        print_line('No response received')
       end
+    end
 
-      disconnect(c) if disconnect
+    disconnect(c) if disconnect
 
-      res
-    rescue ::Errno::EPIPE, ::Timeout::Error => e
-      print_line(e.message) if datastore['HttpTrace']
-      nil
-    rescue Rex::ConnectionError => e
-      vprint_error(e.to_s)
-      nil
-    rescue ::Exception => e
-      print_line(e.message) if datastore['HttpTrace']
-      raise e
-    end
+    res
+  rescue ::Errno::EPIPE, ::Timeout::Error => e
+    print_line(e.message) if datastore['HttpTrace']
+    nil
+  rescue Rex::ConnectionError => e
+    vprint_error(e.to_s)
+    nil
+  rescue ::Exception => e
+    print_line(e.message) if datastore['HttpTrace']
+    raise e
   end
 
-
   # Connects to the server, creates a request, sends the request,
   # reads the response
   #
   # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
+  # Set `opts['keep_cookies']` to keep cookies from responses for reuse in requests.
   #
   # @return (see Rex::Proto::Http::Client#send_recv))
-  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
-    send_request_raw(opts.merge(cgi: true), timeout, disconnect)
+  def send_request_cgi(opts = {}, timeout = 20, disconnect = true)
+    if cookie_jar.any?
+      opts = { 'cookie' => cookie_jar.to_a.join(' ') }.merge(opts)
+    end
+
+    res = send_request_raw(opts.merge(cgi: true), timeout, disconnect)
+
+    return unless res
+    return res unless res.headers['Set-Cookie'].present?
+
+    if opts['keep_cookies'] || datastore['HttpKeepCookies']
+      # XXX: CGI::Cookie (get_cookies_parsed) is hella broken
+      cookie_jar.merge(res.get_cookies.split(' '))
+    end
+
+    res
   end
 
   # Connects to the server, creates a request, sends the request, reads the
@@ -871,10 +889,10 @@ def service_details
     }
   end
 
-protected
+  protected
 
   attr_accessor :client
+  attr_accessor :cookie_jar
 
 end
-
 end