2013-01-05 01:44:40 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2013-01-09 00:20:02 +00:00
|
|
|
'Name' => 'Wordpress Pingback Locator',
|
2013-01-05 01:44:40 +00:00
|
|
|
'Description' => %q{
|
2013-01-05 02:16:56 +00:00
|
|
|
This module will scan for wordpress sites with the Pingback
|
|
|
|
API enabled. By interfacing with the API an attacker can cause
|
|
|
|
the wordpress site to port scan an external target and return
|
|
|
|
results. Refer to the wordpress_pingback_portscanner module.
|
2013-01-05 01:44:40 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
|
2013-01-05 02:16:56 +00:00
|
|
|
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>' ,
|
2013-01-07 18:17:49 +00:00
|
|
|
'FireFart' # Original PoC
|
2013-01-05 01:44:40 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://www.securityfocus.com/archive/1/525045/30/30/threaded'],
|
|
|
|
[ 'URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],
|
2013-01-07 18:17:49 +00:00
|
|
|
[ 'URL', 'https://github.com/FireFart/WordpressPingbackPortScanner']
|
|
|
|
]
|
2013-01-05 01:44:40 +00:00
|
|
|
))
|
|
|
|
|
2013-01-07 18:17:49 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [ true, 'The path to wordpress installation (e.g. /wordpress/)', '/'])
|
|
|
|
], self.class)
|
|
|
|
|
2013-01-05 01:44:40 +00:00
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptInt.new('NUM_REDIRECTS', [ true, "Number of HTTP redirects to follow", 10])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def setup()
|
|
|
|
# Check if database is active
|
|
|
|
if db()
|
|
|
|
@db_active = true
|
|
|
|
else
|
|
|
|
@db_active = false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_xml_rpc_url(ip)
|
2013-01-05 01:59:33 +00:00
|
|
|
# code to find the xmlrpc url when passed in IP
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Enumerating XML-RPC URI...")
|
2013-01-05 01:44:40 +00:00
|
|
|
|
|
|
|
begin
|
2013-01-07 18:17:49 +00:00
|
|
|
|
|
|
|
uri = target_uri.path
|
|
|
|
uri << '/' if uri[-1,1] != '/'
|
|
|
|
|
2013-01-05 01:44:40 +00:00
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'method' => 'HEAD',
|
2013-01-07 18:17:49 +00:00
|
|
|
'uri' => "#{uri}"
|
2013-01-05 01:44:40 +00:00
|
|
|
})
|
|
|
|
# Check if X-Pingback exists and return value
|
2013-01-07 18:17:49 +00:00
|
|
|
if res
|
|
|
|
if res['X-Pingback']
|
2013-01-05 01:44:40 +00:00
|
|
|
return res['X-Pingback']
|
|
|
|
else
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - X-Pingback header not found")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("#{ip} - Unable to connect")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("#{ip} - Unable to connect")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Creates the XML data to be sent
|
2013-01-10 23:10:15 +00:00
|
|
|
def generate_pingback_xml(target, valid_blog_post)
|
2013-01-05 01:44:40 +00:00
|
|
|
xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
|
|
|
|
xml << "<methodCall>"
|
|
|
|
xml << "<methodName>pingback.ping</methodName>"
|
|
|
|
xml << "<params>"
|
|
|
|
xml << "<param><value><string>#{target}</string></value></param>"
|
|
|
|
xml << "<param><value><string>#{valid_blog_post}</string></value></param>"
|
|
|
|
xml << "</params>"
|
|
|
|
xml << "</methodCall>"
|
|
|
|
return xml
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_blog_posts(xml_rpc, ip)
|
2013-01-05 01:59:33 +00:00
|
|
|
# find all blog posts within IP and determine if pingback is enabled
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Enumerating Blog posts on...")
|
2013-01-10 15:41:25 +00:00
|
|
|
blog_posts = nil
|
2013-01-07 18:17:49 +00:00
|
|
|
|
|
|
|
uri = target_uri.path
|
|
|
|
uri << '/' if uri[-1,1] != '/'
|
2013-01-05 01:44:40 +00:00
|
|
|
|
|
|
|
# make http request to feed url
|
|
|
|
begin
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Resolving #{uri}?feed=rss2 to locate wordpress feed...")
|
2013-01-05 01:44:40 +00:00
|
|
|
res = send_request_cgi({
|
2013-01-07 18:17:49 +00:00
|
|
|
'uri' => "#{uri}?feed=rss2",
|
|
|
|
'method' => 'GET'
|
2013-01-05 01:44:40 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
count = datastore['NUM_REDIRECTS']
|
2013-01-07 18:17:49 +00:00
|
|
|
|
|
|
|
# Follow redirects
|
|
|
|
while (res.code == 301 || res.code == 302) and res.headers['Location'] and count != 0
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Web server returned a #{res.code}...following to #{res.headers['Location']}")
|
2013-01-10 16:32:48 +00:00
|
|
|
|
|
|
|
uri = res.headers['Location'].sub(/(http|https):\/\/.*?\//, "/")
|
2013-01-05 01:44:40 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => "#{uri}",
|
2013-01-07 18:17:49 +00:00
|
|
|
'method' => 'GET'
|
2013-01-05 01:44:40 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
if res.code == 200
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Feed located at #{uri}")
|
2013-01-10 14:43:37 +00:00
|
|
|
else
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Returned a #{res.code}...")
|
2013-01-05 01:44:40 +00:00
|
|
|
end
|
|
|
|
count = count - 1
|
|
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("#{ip} - Unable to connect")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("#{ip} - Unable to connect")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2013-01-07 18:17:49 +00:00
|
|
|
if res.nil? or res.code != 200
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Did not recieve HTTP response from #{ip}")
|
2013-01-07 18:17:49 +00:00
|
|
|
return blog_posts
|
|
|
|
end
|
|
|
|
|
2013-01-10 15:41:25 +00:00
|
|
|
# parse out links and place in array
|
2013-01-10 16:32:48 +00:00
|
|
|
links = res.body.scan(/<link>([^<]+)<\/link>/i)
|
2013-01-05 01:44:40 +00:00
|
|
|
|
2013-01-07 18:17:49 +00:00
|
|
|
if links.nil? or links.empty?
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Feed at #{ip} did not have any links present")
|
2013-01-05 01:44:40 +00:00
|
|
|
return blog_posts
|
|
|
|
end
|
|
|
|
|
|
|
|
links.each do |link|
|
|
|
|
blog_post = link[0]
|
2013-01-07 18:17:49 +00:00
|
|
|
pingback_response = get_pingback_request(xml_rpc, 'http://127.0.0.1', blog_post)
|
|
|
|
if pingback_response
|
|
|
|
pingback_disabled_match = pingback_response.body.match(/<value><int>33<\/int><\/value>/i)
|
|
|
|
if pingback_response.code == 200 and pingback_disabled_match.nil?
|
2013-01-10 23:10:15 +00:00
|
|
|
print_good("#{ip} - Pingback enabled: #{link.join}")
|
2013-01-07 18:17:49 +00:00
|
|
|
blog_posts = link.join
|
|
|
|
return blog_posts
|
|
|
|
else
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - Pingback disabled: #{link.join}")
|
2013-01-07 18:17:49 +00:00
|
|
|
end
|
2013-01-05 01:44:40 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
return blog_posts
|
|
|
|
end
|
|
|
|
|
|
|
|
# method to send xml-rpc requests
|
|
|
|
def get_pingback_request(xml_rpc, target, blog_post)
|
2013-01-07 18:17:49 +00:00
|
|
|
uri = xml_rpc.sub(/.*?#{target}/,"")
|
2013-01-05 01:44:40 +00:00
|
|
|
# create xml pingback request
|
|
|
|
pingback_xml = generate_pingback_xml(target, blog_post)
|
|
|
|
|
|
|
|
# Send post request with crafted XML as data
|
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => "#{uri}",
|
|
|
|
'method' => 'POST',
|
2013-01-07 18:17:49 +00:00
|
|
|
'data' => "#{pingback_xml}"
|
2013-01-05 01:44:40 +00:00
|
|
|
})
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("Unable to connect to #{uri}")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("Unable to connect to #{uri}")
|
2013-01-05 01:44:40 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
return res
|
|
|
|
end
|
|
|
|
|
|
|
|
# Save data to vuln table
|
|
|
|
def store_vuln(ip, blog)
|
|
|
|
report_vuln(
|
2013-01-07 18:17:49 +00:00
|
|
|
:host => ip,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:port => datastore['RPORT'],
|
|
|
|
:name => self.name,
|
|
|
|
:info => "Module #{self.fullname} found pingback at #{blog}",
|
|
|
|
:sname => datastore['SSL'] ? "https" : "http"
|
2013-01-05 01:44:40 +00:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
# main control method
|
|
|
|
def run_host(ip)
|
|
|
|
# call method to get xmlrpc url
|
|
|
|
xmlrpc = get_xml_rpc_url(ip)
|
|
|
|
|
|
|
|
# once xmlrpc url is found, get_blog_posts
|
|
|
|
if xmlrpc.nil?
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_error("#{ip} - It doesn't appear to be vulnerable")
|
2013-01-05 01:44:40 +00:00
|
|
|
else
|
|
|
|
hash = get_blog_posts(xmlrpc, ip)
|
|
|
|
|
|
|
|
if hash
|
|
|
|
store_vuln(ip, hash) if @db_active
|
|
|
|
else
|
2013-01-10 23:10:15 +00:00
|
|
|
vprint_status("#{ip} - X-Pingback enabled but no vulnerable blogs found")
|
2013-01-05 01:44:40 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2013-01-09 00:20:02 +00:00
|
|
|
end
|