Recipes engine.

[evilsocket]

It'd be nice to have a "recipe" engine for complex plugin use cases.

For instance, in order to target a Wordpress blog, right now we can either target its xmlrpc.php (faster) or wp-login.php pages via the legba http plugin. As per wiki:

HTTP Post Request (Wordpress wp-login.php page):

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/wp-login.php \
    --http-method POST \
    --http-success-codes 302 \ # wordpress redirects on successful login
    --http-payload 'log={USERNAME}&pwd={PASSWORD}'

HTTP Post Request (Wordpress xmlrpc.php)

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/xmlrpc.php \
    --http-method POST \
    --http-payload '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>{USERNAME}</string></value></param><param><value><string>{PASSWORD}</string></value></param></params></methodCall>' \
    --http-success-string 'isAdmin' # what string successful response will contain

This recipe engine would simplify these cases with YAML files and a simple custom-variable syntax. The previous examples would become two recipes:

wordpress/xmlrpc.yml

plugin: http
args:
    - target: {$schema or https}://{$host}:{$port or 443}{$path or /}xmlrpc.php
    - http-method: POST
    - http-success-string: isAdmin
    - http-payload: 
        <?xml version="1.0" encoding="iso-8859-1"?>
        <methodCall>
            <methodName>wp.getUsersBlogs</methodName>
            <params>
                <param>
                    <value><string>{USERNAME}</string></value>
                </param>
                <param>
                    <value><string>{PASSWORD}</string></value>
                </param>
            </params>
        </methodCall>

wordpress/wp-login.yml

plugin: http
args:
    - target: {$schema or https}://{$host}:{$port or 443}{$path or /}wp-login.php
    - http-method: POST
    - http-success-codes: 302
    - http-payload: log={USERNAME}&pwd={PASSWORD}

These recipe files could then be used to shorten the required command line:

legba \
    --recipe wordpress/xmlrpc.yml \
    --host www.something.com \
    --username admin \
    --password wordlists/passwords.txt

or

legba \
    --recipe wordpress/wp-login.yml \
    --host www.something.com \
    --username admin \
    --password wordlists/passwords.txt

This way plugins and specific combinations/uses of their arguments could be "aliased".

[evilsocket]

Another example that comes to mind, as mentioned in #28, is the various ways to bruteforce MS Exchange:

ms-exchange/owa.yml

plugin: http
args:
    - target: {$schema or https}://{$host}:{$port or 443}/owa/auth.owa
    - http-method: POST
    - http-success-codes: 302
    - http-success-string: set-cookie
    - http-payload: destination={$schema or https}://{$host}:{$port or 443}/&flags=4&username={USERNAME}&password={PASSWORD}

ms-exchange/ews.yml

plugin: http.ntlm2
args:
    - target: {$schema or https}://{$host}:{$port or 443}/ews
    - http-success-codes: 200, 500