parent
49ec0d464a
commit
ffdd057f10
|
@ -20,7 +20,10 @@ module Msf
|
|||
)
|
||||
end
|
||||
|
||||
#
|
||||
# Checks if the site is online and running wordpress
|
||||
# @return [Boolean] Returns true if the site is online and running wordpress
|
||||
#
|
||||
def wp_wordpress_and_online?
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
|
@ -33,7 +36,6 @@ module Msf
|
|||
res.body =~ /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'] \/>/i
|
||||
return true
|
||||
else
|
||||
print_error("#{target_uri} does not seeem to be Wordpress site")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
@ -46,20 +48,38 @@ module Msf
|
|||
return false
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the Wordpress Login URL
|
||||
# @return [String] Wordpress Login URL
|
||||
#
|
||||
def wp_uri_login
|
||||
normalize_uri(target_uri.path, 'wp-login.php')
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the Wordpress Post URL
|
||||
# @param post_id Post ID
|
||||
# @return [String] Wordpress Post URL
|
||||
#
|
||||
def wp_url_post(post_id)
|
||||
normalize_uri(target_uri.path) + "/?p=#{post_id}"
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the Wordpress Author URL
|
||||
# @param author_id Author ID
|
||||
# @return [String] Wordpress Author URL
|
||||
#
|
||||
def wp_url_author(author_id)
|
||||
normalize_uri(target_uri.path) + "/?author=#{author_id}"
|
||||
end
|
||||
|
||||
#
|
||||
# performs a wordpress login
|
||||
# returns the session cookie on successful login, nil otherwise
|
||||
# @param user Username
|
||||
# @param pass Password
|
||||
# @return [String] the session cookie on successful login, nil otherwise
|
||||
#
|
||||
def wp_login(user, pass)
|
||||
redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
|
||||
res = send_request_cgi({
|
||||
|
@ -78,6 +98,11 @@ module Msf
|
|||
return nil
|
||||
end
|
||||
|
||||
#
|
||||
# Checks if the given user exists
|
||||
# @param user Username
|
||||
# @return [Boolean] true if the user exists
|
||||
#
|
||||
def wp_user_exists?(user)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
@ -97,6 +122,11 @@ module Msf
|
|||
return exists
|
||||
end
|
||||
|
||||
#
|
||||
# Checks if the given userid exists
|
||||
# @param user_id user_id
|
||||
# @return [String] the Username if it exists, nil otherwise
|
||||
#
|
||||
def wp_userid_exists?(user_id)
|
||||
url = wp_url_author(user_id)
|
||||
res = send_request_cgi({
|
||||
|
@ -127,28 +157,67 @@ module Msf
|
|||
return nil
|
||||
end
|
||||
|
||||
#
|
||||
# Posts a comment as an authenticated user
|
||||
# @param comment The comment
|
||||
# @param comment_post_id The Post ID to post the comment to
|
||||
# @param login_cookie The valid login_cookie
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def wp_post_comment_auth(comment, comment_post_id, login_cookie)
|
||||
_wp_post_comment(comment, comment_post_id, login_cookie, nil, nil, nil)
|
||||
end
|
||||
|
||||
#
|
||||
# Posts a comment as an unauthenticated user
|
||||
# @param comment The comment
|
||||
# @param comment_post_id The Post ID to post the comment to
|
||||
# @param author The author name
|
||||
# @param email The author email
|
||||
# @param url The author url
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def wp_post_comment_no_auth(comment, comment_post_id, author, email, url)
|
||||
_wp_post_comment(comment, comment_post_id, nil, author, email, url)
|
||||
end
|
||||
|
||||
#
|
||||
# Tries to bruteforce a valid post_id
|
||||
# @param login_cookie If set perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def wp_get_valid_post_id(login_cookie=nil)
|
||||
_wp_get_valid_post_id(false, login_cookie)
|
||||
end
|
||||
|
||||
#
|
||||
# Tries to bruteforce a valid post_id with comments enabled
|
||||
# @param login_cookie If set perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def wp_get_valid_post_id_with_comments_enabled(login_cookie=nil)
|
||||
_wp_get_valid_post_id(true, login_cookie)
|
||||
end
|
||||
|
||||
#
|
||||
# Checks if the provided post has comments enabled
|
||||
# @param post_id The post ID to check
|
||||
# @param login_cookie If set perform the check as an authenticated user
|
||||
# @return [String] the HTTP response body of the post, nil otherwise
|
||||
#
|
||||
def wp_post_comments_enabled?(post_id, login_cookie=nil)
|
||||
_wp_check_post_id(wp_url_post(post_id), true, login_cookie)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
#
|
||||
# Returns the POST data for a Wordpress login request
|
||||
# @param user Usernam
|
||||
# @param pass Password
|
||||
# @param redirect URL to redirect after successful login
|
||||
# @return [String] The post data
|
||||
#
|
||||
def _wp_login_post_data(user, pass, redirect=nil)
|
||||
post_data = "log=#{Rex::Text.uri_encode(user.to_s)}"
|
||||
post_data << "&pwd=#{Rex::Text.uri_encode(pass.to_s)}"
|
||||
|
@ -157,6 +226,16 @@ module Msf
|
|||
post_data
|
||||
end
|
||||
|
||||
#
|
||||
# Helper method to post a comment to Wordpress
|
||||
# @param comment The comment
|
||||
# @param comment_post_id The Post ID to post the comment to
|
||||
# @param login_cookie The valid login_cookie
|
||||
# @param author The author name
|
||||
# @param email The author email
|
||||
# @param url The author url
|
||||
# @return [String] The location of the new comment/post
|
||||
#
|
||||
def _wp_post_comment(comment, comment_post_id, login_cookie, author, email, url)
|
||||
vars_post = {
|
||||
'comment' => comment,
|
||||
|
@ -185,6 +264,12 @@ module Msf
|
|||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Helper method for bruteforcing a valid post id
|
||||
# @param comments_enabled If true try to find a post id with comments enabled, otherwise return the first found
|
||||
# @param login_cookie A valid login cookie to perform the bruteforce as an authenticated user
|
||||
# @return [Integer] The post id, nil when nothing found
|
||||
#
|
||||
def _wp_get_valid_post_id(comments_enabled=false, login_cookie=nil)
|
||||
(1..1000).each { |id|
|
||||
vprint_status("#{rhost}:#{rport} - Checking POST ID #{id}...") if (id % 100) == 0
|
||||
|
@ -195,6 +280,13 @@ module Msf
|
|||
return nil
|
||||
end
|
||||
|
||||
#
|
||||
# Helper method to check if a post is valid an has comments enabled
|
||||
# @param uri the Post URI
|
||||
# @param comments_enabled Check if comments are enabled on this post
|
||||
# @param login_cookie A valid login cookie to perform the check as an authenticated user
|
||||
# @return [String] the HTTP response body of the post, nil otherwise
|
||||
#
|
||||
def _wp_check_post_id(uri, comments_enabled=false, login_cookie=nil)
|
||||
options = {
|
||||
'method' => 'GET',
|
||||
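Review bot: The new YARD tags on `wp_userid_exists?` and `wp_post_comments_enabled?` document a `[String]` return, while the `?` suffix tells callers to expect a boolean, and every "nil otherwise" return leaves nil out of the type. I would write these as `# @return [String, nil] the username if the ID exists, nil otherwise`, and do the same for `wp_login`, `wp_get_valid_post_id` and the `_wp_*` helpers. If the names must stay, add a sentence saying the value is only meant to be tested for truthiness. Two typos in the added comments are worth fixing in the same pass: "Usernam" on `_wp_login_post_data` and "valid an has" on `_wp_check_post_id`. Most of these method bodies continue outside the visible hunks, so the return types above are taken from the comments themselves, not verified against the code.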
|
|
|
@ -45,7 +45,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run_host(ip)
|
||||
return unless wp_wordpress_and_online?
|
||||
|
||||
unless wp_wordpress_and_online?
|
||||
fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
|
||||
end
|
||||
|
||||
usernames = []
|
||||
if datastore['ENUMERATE_USERNAMES']
|
||||
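Review bot: Calling `fail_with` from `run_host` turns a per-host skip into a raised failure; judging by the hunk counts, the line it replaces is `return unless wp_wordpress_and_online?`, which let a multi-host run move on to the next address. The `run_host(ip)` signature suggests this module uses the scanner mixin, though the include is outside the hunk. If so, I would keep the skip and only add the message: `print_error("#{target_uri} does not seem to be a WordPress site")` followed by `return`. Please also confirm that `fail_with` and `Failure::NoTarget` resolve inside an `Msf::Auxiliary` subclass in this tree, since nothing on the page shows them defined outside `Msf::Exploit`.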
|
|
|
@ -96,6 +96,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
unless wp_wordpress_and_online?
|
||||
fail_with(Failure::NoTarget, "#{peer} does not seeem to be Wordpress site")
|
||||
end
|
||||
|
||||
@auth = require_auth?
|
||||
|
||||
if @auth
|
||||
|
@ -147,6 +151,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
unless wp_wordpress_and_online?
|
||||
print_error("#{peer} does not seeem to be Wordpress site")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
res = send_request_cgi ({
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'method' => 'GET'
|
||||
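Review bot: The failure message is now hand-copied into `exploit` and `check` here and into `run_host` in the auxiliary module, typo included ("seeem", "to be Wordpress site"), with `peer` in two copies and `target_uri` in the third. One corrected string shared from the mixin would keep them in step, e.g. `"#{peer} does not seem to be a WordPress site"` returned by a small helper next to `wp_wordpress_and_online?`. Separately, the mixin hunks show that helper returning `false` from more than one place, so it may also return false when the request itself fails. In that case `Failure::NoTarget` with this text would mislabel an unreachable host; that is inferred, because the helper's body is only partly visible.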
|
|