infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for multi-site wp instances in wp_admin_shell_upload 

This change allows for redirects to be followed in wordpress_helper_get_plugin_upload_nonce
Redirect is from:
/wp-admin/plugin-install.php
to
/wp-admin/network/plugin-install.php
bug/bundler_fix
james 2017-09-02 22:12:56 -05:00
parent 6051a1a1c1
commit fdf7149438
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/msf/core/exploit/http/wordpress/helpers.rb
View File

@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# #
# @param cookie [String] A valid admin session cookie # @param cookie [String] A valid admin session cookie
# @return [String,nil] The nonce, nil on error # @return [String,nil] The nonce, nil on error
def wordpress_helper_get_plugin_upload_nonce(cookie) def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
uri = normalize_uri(wordpress_url_backend, 'plugin-install.php') uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
options = { options = {
'method' => 'GET', 'method' => 'GET',
'uri' => uri, 'uri' => uri,
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
res = send_request_cgi(options) res = send_request_cgi(options)
if res && res.code == 200 if res && res.code == 200
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1] return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
elsif res && res.redirect? && res.redirection
path = wordpress_helper_parse_location_header(res)
return wordpress_helper_get_plugin_upload_nonce(cookie, path)
end end
end end
end end