Class: Metasploit::Framework::LoginScanner::WordpressRPC

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::WordpressRPC

Defined in:

lib/metasploit/framework/login_scanner/wordpress_rpc.rb

Overview

Wordpress XML RPC login scanner

Constant Summary

Constants inherited from HTTP

HTTP::DEFAULT_PORT, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::PRIVATE_TYPES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_username, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Object
• #generate_xml_request(user, pass) ⇒ String

  This method generates the XML data for the RPC login request.

• #set_sane_defaults ⇒ Object

Methods inherited from HTTP

#check_setup, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/wordpress_rpc.rb', line 11

def attempt_login(credential)
  http_client = Rex::Proto::Http::Client.new(
      host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies, http_username, http_password
  )
  configure_http_client(http_client)

  result_opts = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp'
  }
  if ssl
    result_opts[:service_name] = 'https'
  else
    result_opts[:service_name] = 'http'
  end

  begin
    http_client.connect

    request = http_client.request_cgi(
        'uri' => uri,
        'method' => method,
        'data' => generate_xml_request(credential.public,credential.private)
    )
    response = http_client.send_recv(request)

    if response && response.code == 200 && response.body =~ /<value><int>401<\/int><\/value>/ || response.body =~ /<name>user_id<\/name>/
      result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response)
    elsif response.body =~ /<value><int>-32601<\/int><\/value>/
      result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
    else
      result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: response)
    end
  rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)

end

#generate_xml_request(user, pass) ⇒ String

This method generates the XML data for the RPC login request

Parameters:

• user (String) —

  the username to authenticate with

• pass (String) —

  the password to authenticate with

Returns:

• (String) —

  the generated XML body for the request

# File 'lib/metasploit/framework/login_scanner/wordpress_rpc.rb', line 58

def generate_xml_request(user, pass)
  xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
  xml << '<methodCall>'
  xml << '<methodName>wp.getUsers</methodName>'
  xml << '<params><param><value>1</value></param>'
  xml << "<param><value>#{user}</value></param>"
  xml << "<param><value>#{pass}</value></param>"
  xml << '</params>'
  xml << '</methodCall>'
  xml
end

#set_sane_defaults ⇒ Object

# File 'lib/metasploit/framework/login_scanner/wordpress_rpc.rb', line 71

def set_sane_defaults
  @method = "POST".freeze
  super
end