Class: WPScan::Controller::PasswordAttack

Inherits:

CMSScanner::Controller::Base

• Object
• CMSScanner::Controller::Base
• WPScan::Controller::PasswordAttack

Defined in:

app/controllers/password_attack.rb

Overview

Password Attack Controller

Instance Method Summary

• #attack_opts ⇒ Object
• #attacker ⇒ CMSScanner::Finders::Finder

  The finder used to perform the attack.

• #attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder
• #attacker_from_cli_options ⇒ CMSScanner::Finders::Finder
• #cli_options ⇒ Object
• #run ⇒ Object
• #users ⇒ Array<Users>

  The users to brute force.

• #xmlrpc ⇒ Model::XMLRPC
• #xmlrpc_get_users_blogs_enabled? ⇒ Boolean

Instance Method Details

#attack_opts ⇒ Object

# File 'app/controllers/password_attack.rb', line 28

def attack_opts
  @attack_opts ||= {
    show_progression: user_interaction?,
    multicall_max_passwords: ParsedCli.multicall_max_passwords
  }
end

#attacker ⇒ CMSScanner::Finders::Finder

Returns The finder used to perform the attack.

Returns:

• (CMSScanner::Finders::Finder) —

  The finder used to perform the attack

# File 'app/controllers/password_attack.rb', line 60

def attacker
  @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
end

#attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 103

def attacker_from_automatic_detection
  if xmlrpc_get_users_blogs_enabled?
    wp_version = target.wp_version

    if wp_version && wp_version < '4.4'
      Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
    else
      Finders::Passwords::XMLRPC.new(xmlrpc)
    end
  elsif target.login_url
    Finders::Passwords::WpLogin.new(target)
  else
    raise Error::NoLoginInterfaceDetected
  end
end

#attacker_from_cli_options ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 70

def attacker_from_cli_options
  return unless ParsedCli.password_attack

  case ParsedCli.password_attack
  when :wp_login
    raise Error::NoLoginInterfaceDetected unless target.login_url

    Finders::Passwords::WpLogin.new(target)
  when :xmlrpc
    raise Error::XMLRPCNotDetected unless xmlrpc

    Finders::Passwords::XMLRPC.new(xmlrpc)
  when :xmlrpc_multicall
    raise Error::XMLRPCNotDetected unless xmlrpc

    Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
  end
end

#cli_options ⇒ Object

# File 'app/controllers/password_attack.rb', line 7

def cli_options
  [
    OptFilePath.new(
      ['--passwords FILE-PATH', '-P',
       'List of passwords to use during the password attack.',
       'If no --username/s option supplied, user enumeration will be run.'],
      exists: true
    ),
    OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
    OptInteger.new(['--multicall-max-passwords MAX_PWD',
                    'Maximum number of passwords to send by request with XMLRPC multicall'],
                   default: 500),
    OptChoice.new(['--password-attack ATTACK',
                   'Force the supplied attack to be used rather than automatically determining one.',
                   'Multicall will only work against WP < 4.4'],
                  choices: %w[wp-login xmlrpc xmlrpc-multicall],
                  normalize: %i[downcase underscore to_sym]),
    OptString.new(['--login-uri URI', 'The URI of the login page if different from /wp-login.php'])
  ]
end

#run ⇒ Object

# File 'app/controllers/password_attack.rb', line 35

def run
  return unless ParsedCli.passwords

  begin
    found = []

    if user_interaction?
      output('@info',
             msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
    end

    attacker.attack(users, ParsedCli.passwords, attack_opts) do |user|
      found << user

      attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
    end
  rescue Error::NoLoginInterfaceDetected => e
    # TODO: Maybe output that in JSON as well.
    output('@notice', msg: e.to_s) if user_interaction?
  ensure
    output('users', users: found)
  end
end

#users ⇒ Array<Users>

Returns The users to brute force.

Returns:

• (Array<Users>) —

  The users to brute force

# File 'app/controllers/password_attack.rb', line 120

def users
  return target.users unless ParsedCli.usernames

  ParsedCli.usernames.reduce([]) do |acc, elem|
    acc << Model::User.new(elem.chomp)
  end
end

#xmlrpc ⇒ Model::XMLRPC

Returns:

• (Model::XMLRPC)

# File 'app/controllers/password_attack.rb', line 65

def xmlrpc
  @xmlrpc ||= target.xmlrpc
end

#xmlrpc_get_users_blogs_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/controllers/password_attack.rb', line 90

def xmlrpc_get_users_blogs_enabled?
  if xmlrpc&.enabled? &&
     xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
     !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
            .run.body.match?(/>\s*405\s*</)

    true
  else
    false
  end
end