Ruby loop overrides values

Question

I have this file with 2 passords that i need extract them and input in a XML file:

root@nirvana:~# cat old/pwdump.txt 
# Metasploit PWDump Export 2.0
# Generated: 2020-01-12 18:43:53 UTC
# Project: default
#
#########################################################






#  Plaintext Passwords (3 passwords, 2 services)

# 192.168.0.112:22/tcp (ssh)
paulo secret1

# 192.168.0.112:22/tcp (ssh)
paulosgf secret2

For this i created this code, that first verify if "ssh_login" field exists. If so, it update the username and creates a password field with your respective value. If not, it creates both fields with this values. But i think this approach isn't the right way:

target='192.168.0.112'

File.open("/root/old/pwdump.txt", "r") do |fd|
while(credentials = fd.gets) != nil
        if (credentials =~ /[Ss][Ss][Hh]/)
                while(credentials = fd.gets) != nil
                ssharray = "#{credentials}".to_s.split(/ /)
                sshu=ssharray.slice(0).to_s
                sshp=ssharray.slice(1).to_s.chomp
        break if credentials.include?("\n") 
        end                         
        if `xmlstarlet sel -t  -v "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/module" "/root/#{target}.xml"`
                `xmlstarlet ed -L -i "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/module" -t elem -n password -v "#{sshp}" "/root/#{target}.xml"`
                `xmlstarlet ed -L -u "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/username" -v "#{sshu}" "/root/#{target}.xml"`
        else
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts" -t elem -n "vuln_attempt" -v "" -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[last()]" -t elem -n "module" -v "auxiliary/scanner/ssh/ssh_login" "/root/#{target}.xml"`
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']" -t elem -n username -v "#{sshu}" "/root/#{target}.xml"`
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']" -t elem -n password -v "#{sshp}" "/root/#{target}.xml"`
        end  
        end
    end
end

After run the code the XML, the values are overridden, with the last credential, and the password field is inserted 2 times:

            <vuln_attempt>
              <id>101</id>
              <vuln-id>72</vuln-id>
              <attempted-at>2020-01-18 16:25:22 UTC</attempted-at>
              <exploited>true</exploited>
              <fail-reason/>
              <username>paulosgf</username>
              <password>secret2</password>
              <password>secret2</password>
              <module>auxiliary/scanner/ssh/ssh_login</module>
              <session-id>100</session-id>
              <loot-id/>
              <fail-detail/>
            </vuln_attempt>
            <vuln_attempt>
              <id>102</id>
              <vuln-id>72</vuln-id>
              <attempted-at>2020-01-18 16:26:18 UTC</attempted-at>
              <exploited>true</exploited>
              <fail-reason/>
              <username>paulosgf</username>
              <password>secret2</password>
              <password>secret2</password>
              <module>auxiliary/scanner/ssh/ssh_login</module>
              <session-id>101</session-id>
              <loot-id/>
              <fail-detail/>
            </vuln_attempt>

if i close the statement while(credentials = fd.gets) != nil in the righ way, after the commands, the code don't change the XML:

File.open("/root/old/pwdump.txt", "r") do |fd|
while(credentials = fd.gets) != nil
        if (credentials =~ /[Ss][Ss][Hh]/)
                while(credentials = fd.gets) != nil
                ssharray = "#{credentials}".to_s.split(/ /)
                sshu=ssharray.slice(0).to_s
                sshp=ssharray.slice(1).to_s.chomp
        break if credentials.include?("\n")                         
        if `xmlstarlet sel -t  -v "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/module" "/root/#{target}.xml"`
                `xmlstarlet ed -L -i "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/module" -t elem -n password -v "#{sshp}" "/root/#{target}.xml"`
                `xmlstarlet ed -L -u "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/username" -v "#{sshu}" "/root/#{target}.xml"`
        else
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts" -t elem -n "vuln_attempt" -v "" -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[last()]" -t elem -n "module" -v "auxiliary/scanner/ssh/ssh_login" "/root/#{target}.xml"`
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']" -t elem -n username -v "#{sshu}" "/root/#{target}.xml"`
            `xmlstarlet ed -L -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']" -t elem -n password -v "#{sshp}" "/root/#{target}.xml"`
        end  
        end
        end 
    end
end

What's wrong?

score 0 · Answer 1 · answered Feb 28 '20 at 17:06

I solved this question by myself:

# This function inserts any passwords found on brute force scans into report. For this, install xmlstarlet tool
def bruteforce(target)
run_single("db_export -f pwdump -a /root/pwdump.txt")
target="#{target}".chomp

sshuser = []
sshpass = []
credssh=nil
credmys=nil
hassh = Hash.new
hamys = Hash.new

count=0
nextline=0

File.open("/root/pwdump.txt").each_line do |line|
nextline += 1
        if (line =~ /[Ss][Ss][Hh]/)
            hassh["credssh#{count}"] = nextline
            count = count + 1
    end
end

file = IO.readlines("./pwdump.txt")

if (! hassh.empty?)
hassh.each do |key, value|
    file[value].split.each_with_index do |wrd, idx| 
        if ((idx) % 2 == 0)
            sshuser.push("#{wrd}")
        else
            sshpass.push("#{wrd}")
        end 
    end
end

`xmlstarlet sel -t  -v "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']/module" "/root/#{target}.xml"`
if ($?.exitstatus == 0)
i=0
j=1
loop do
`xmlstarlet ed -L -i "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']["#{j}"]/module" -t elem -n password -v "#{sshpass[i]}" "/root/#{target}.xml"`
`xmlstarlet ed -L -u "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']["#{j}"]/username"  -v "#{sshuser[i]}" "/root/#{target}.xml"`
    i += 1
    j += 1
        if (i == sshuser.length)
            break
        end
end

else
i=0
j=1
loop do
`xmlstarlet ed -L -s "/MetasploitV5/hosts/host/vulns/vuln/vuln_attempts" -t elem -n "vuln_attempt" -v "" -s "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[last()]" -t elem -n "module" -v "auxiliary/scanner/ssh/ssh_login" "/root/#{target}.xml"`
`xmlstarlet ed -L -i "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']["#{j}"]/module" -t elem -n username -v "#{sshuser[i]}" "/root/#{target}.xml"`
`xmlstarlet ed -L -i "//MetasploitV5/hosts/host/vulns/vuln/vuln_attempts/vuln_attempt[module='auxiliary/scanner/ssh/ssh_login']["#{j}"]/module" -t elem -n password -v "#{sshpass[i]}" "/root/#{target}.xml"`
        i += 1
    j += 1
                if (i == sshuser.length)
                       break
                end
end
end
end

if ($?.success?)
    File.delete("/root/pwdump.txt")
end
end

For each pwdump.txt's line this checks if SSH pattern exists. If so, it push the line in hassh hash, where the key is credssh variable with an incremental number, and the value is the username and password from that line. Then the pwdump.txt file is open again. If hassh hash has some lines, it divide them by two columns: one go to sshuser array holding usernames, and the other sshpass array holding passwords.

Next it checks if the XML contains the vuln_attempt's subtree element named module with ssh_login value. If it exists, the loop creates below vuln_attempt element indexed by j variable, a password field with the password from the first element of sshpass array and updates the username field with the username element of sshuser array. Both indexed by i variable. And so on for each element from these arrays.

Otherwise, it first creates a vuln_attempt's subtree element named module with ssh_login value on the last position, then creates the two fields for username and passord from these arrays.

Ruby loop overrides values

1 Answers1