I've recently written a couple of modules that use HTTP multipart/form-data. In Metasploit, the way to do this is using Rex::MIME::Message like so:
multipart_form = Rex::MIME::Message.new
multipart_form.add_part('delete', nil, nil, 'form-data; name="buttontype"')
multipart_form.add_part(test_data, nil, nil, 'form-data; name="lol"')
res = send_request_cgi({
  'method' => 'POST',
  'uri'    => normalize_uri(target_uri.path, '/test_endpoint'),
  'ctype'  => "multipart/form-data; boundary=#{multipart_form.bound}",
  'data'   => multipart_form.to_s
})
I noticed that the multipart boundary that Metasploit generates isn't like any browser, and therefore is a useful target for fingerprinting or network signatures. The above code produces something like this:
POST /test_endpoint HTTP/1.1
Host: 10.0.0.3:1270
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15
Content-Type: multipart/form-data; boundary=_Part_698_562358401_3483839926
Content-Length: 222

--_Part_698_562358401_3483839926
Content-Disposition: form-data; name="buttontype"

delete
--_Part_698_562358401_3483839926
Content-Disposition: form-data; name="lol"

test data
--_Part_698_562358401_3483839926--
Where the boundary is: _Part_698_562358401_3483839926.
Other browser/product boundaries look like so:
curl: Content-Type: multipart/form-data; boundary=------------------------9b641e139398f517
firefox: Content-Type: multipart/form-data; boundary=---------------------------1821688217351097288842813522
chrome: multipart/form-data; boundary=----WebKitFormBoundaryvLBYjTaSh40Ub9g4
The expected behavior is that Metasploit should try to blend in as a normal browser. Obviously, there are some complications because boundary generation seems to be somewhat unique across products, but adopting any of these seems better than the current solution.
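For the detection side of this, here is an added example (not code from the issue or from Metasploit) that pulls the boundary out of a Content-Type header and classifies it against the patterns inferred from the sample boundaries quoted above; the sample header values are constructed from those quotes, and the regexes are assumptions based on them, not authoritative per-product specs.

```ruby
# Boundary patterns inferred from the boundaries quoted in this issue.
# Order matters: the first match wins.
BOUNDARY_PATTERNS = {
  # Rex::MIME::Message: "_Part_<digits>_<digits>_<digits>"
  'metasploit-rex-mime' => /\A_Part_\d+_\d+_\d+\z/,
  # curl: a run of dashes followed by 16 lowercase hex digits
  'curl'                => /\A-{16,32}[0-9a-f]{16}\z/,
  # Firefox: a run of dashes followed by a long run of decimal digits
  'firefox'             => /\A-{16,32}\d{20,}\z/,
  # Chrome/WebKit: "----WebKitFormBoundary" plus 16 alphanumerics
  'chrome'              => /\A----WebKitFormBoundary[A-Za-z0-9]{16}\z/
}.freeze

# Return the boundary parameter of a multipart/form-data Content-Type
# value (quoted or bare), or nil if the header is not multipart or
# carries no boundary.
def extract_boundary(content_type)
  return nil unless content_type =~ %r{\Amultipart/form-data\s*;}i
  m = content_type.match(/;\s*boundary=(?:"([^"]+)"|([^;\s]+))/i)
  m && (m[1] || m[2])
end

# Name the likely generator of a boundary, or 'unknown'.
def classify_boundary(boundary)
  return 'unknown' if boundary.nil?
  BOUNDARY_PATTERNS.each { |name, re| return name if boundary.match?(re) }
  'unknown'
end

# Constructed sample Content-Type values (not real captures), built from
# the boundaries quoted in the issue plus one non-multipart control.
SAMPLE_CONTENT_TYPES = [
  'multipart/form-data; boundary=_Part_698_562358401_3483839926',
  'multipart/form-data; boundary=------------------------9b641e139398f517',
  'multipart/form-data; boundary=---------------------------1821688217351097288842813522',
  'multipart/form-data; boundary=----WebKitFormBoundaryvLBYjTaSh40Ub9g4',
  'application/x-www-form-urlencoded'
].freeze

# Return only the header values whose boundary matches the Rex::MIME shape.
def flag_metasploit_uploads(content_types)
  content_types.select do |ct|
    classify_boundary(extract_boundary(ct)) == 'metasploit-rex-mime'
  end
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_CONTENT_TYPES.each do |ct|
    puts "#{classify_boundary(extract_boundary(ct)).ljust(20)} #{ct}"
  end
end
```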