Module: Msf::Exploit::Remote::HTTP::Wordpress::Version

Included in:
Msf::Exploit::Remote::HTTP::Wordpress
Defined in:
lib/msf/core/exploit/remote/http/wordpress/version.rb

Constant Summary

WORDPRESS_VERSION_PATTERN =

Used to check if the version is correct: must contain at least one dot

'(\d+\.\d+(?:\.\d+)*)'

Instance Method Summary

Instance Method Details

#check_plugin_version_from_readme(plugin_name, fixed_version = nil, vuln_introduced_version = nil) ⇒ Msf::Exploit::CheckCode

Checks a readme for a vulnerable version

Parameters:

  • plugin_name (String)

    The name of the plugin

  • fixed_version (String) (defaults to: nil)

    Optional, the version the vulnerability was fixed in

  • vuln_introduced_version (String) (defaults to: nil)

    Optional, the version the vulnerability was introduced

Returns:

  • (Msf::Exploit::CheckCode)



# File 'lib/msf/core/exploit/remote/http/wordpress/version.rb', line 50

# Checks a plugin's readme for a vulnerable version by delegating to
# check_version_from_readme with the :plugin type.
#
# NOTE(review): check_version_from_readme is not visible here; presumably the
# compared version is whatever the target's readme advertises, so the result
# is an indication rather than proof -- confirm against the helper.
#
# @param plugin_name [String] The name of the plugin
# @param fixed_version [String, nil] Optional, the version the vulnerability was fixed in
# @param vuln_introduced_version [String, nil] Optional, the version the vulnerability was introduced
# @return [Msf::Exploit::CheckCode]
def check_plugin_version_from_readme(plugin_name, fixed_version = nil, vuln_introduced_version = nil)
  version_bounds = [fixed_version, vuln_introduced_version]
  check_version_from_readme(:plugin, plugin_name, *version_bounds)
end

#check_theme_version_from_readme(theme_name, fixed_version = nil, vuln_introduced_version = nil) ⇒ Msf::Exploit::CheckCode

Checks a readme for a vulnerable version

Parameters:

  • theme_name (String)

    The name of the theme

  • fixed_version (String) (defaults to: nil)

    Optional, the version the vulnerability was fixed in

  • vuln_introduced_version (String) (defaults to: nil)

    Optional, the version the vulnerability was introduced

Returns:

  • (Msf::Exploit::CheckCode)



# File 'lib/msf/core/exploit/remote/http/wordpress/version.rb', line 82

# Checks a theme's readme for a vulnerable version by delegating to
# check_version_from_readme with the :theme type.
#
# NOTE(review): check_version_from_readme is not visible here; presumably the
# compared version is whatever the target's readme advertises, so the result
# is an indication rather than proof -- confirm against the helper.
#
# @param theme_name [String] The name of the theme
# @param fixed_version [String, nil] Optional, the version the vulnerability was fixed in
# @param vuln_introduced_version [String, nil] Optional, the version the vulnerability was introduced
# @return [Msf::Exploit::CheckCode]
def check_theme_version_from_readme(theme_name, fixed_version = nil, vuln_introduced_version = nil)
  version_bounds = [fixed_version, vuln_introduced_version]
  check_version_from_readme(:theme, theme_name, *version_bounds)
end

#check_theme_version_from_style(theme_name, fixed_version = nil, vuln_introduced_version = nil) ⇒ Msf::Exploit::CheckCode

Checks the style.css file for a vulnerable version

Parameters:

  • theme_name (String)

    The name of the theme

  • fixed_version (String) (defaults to: nil)

    Optional, the version the vulnerability was fixed in

  • vuln_introduced_version (String) (defaults to: nil)

    Optional, the version the vulnerability was introduced

Returns:

  • (Msf::Exploit::CheckCode)



# File 'lib/msf/core/exploit/remote/http/wordpress/version.rb', line 61

# Checks a theme's style.css file for a vulnerable version.
#
# The stylesheet is requested from <themes url>/<theme_name>/style.css and its
# body is handed to extract_and_check_version with the :style / :theme markers.
#
# @param theme_name [String] The name of the theme
# @param fixed_version [String, nil] Optional, the version the vulnerability was fixed in
# @param vuln_introduced_version [String, nil] Optional, the version the vulnerability was introduced
# @return [Msf::Exploit::CheckCode] Unknown when the file could not be fetched,
#   otherwise whatever extract_and_check_version returns
def check_theme_version_from_style(theme_name, fixed_version = nil, vuln_introduced_version = nil)
  stylesheet_uri = normalize_uri(wordpress_url_themes, theme_name, 'style.css')
  response = send_request_cgi('uri' => stylesheet_uri, 'method' => 'GET')

  # No reply at all and any non-200 status (redirect, 403, 404, ...) are both
  # reported as Unknown with the same message, so a blocked or timed-out
  # request is inconclusive rather than evidence that the theme is absent.
  fetch_failed = response.nil? || response.code != 200
  return Msf::Exploit::CheckCode::Unknown("No style.css file present") if fetch_failed

  stylesheet = response.body.to_s
  extract_and_check_version(stylesheet, :style, :theme, fixed_version, vuln_introduced_version)
end

#check_version_from_custom_file(uripath, regex, fixed_version = nil, vuln_introduced_version = nil) ⇒ Msf::Exploit::CheckCode

Checks a custom file for a vulnerable version

Parameters:

  • uripath (String)

    The relative path of the file

  • regex (Regexp)

    The regular expression to extract the version. The first captured group must contain the version.

  • fixed_version (String) (defaults to: nil)

    Optional, the version the vulnerability was fixed in

  • vuln_introduced_version (String) (defaults to: nil)

    Optional, the version the vulnerability was introduced

Returns:

  • (Msf::Exploit::CheckCode)



# File 'lib/msf/core/exploit/remote/http/wordpress/version.rb', line 94

# Checks a custom file for a vulnerable version.
#
# uripath is sent as the request URI exactly as given (it is not passed
# through normalize_uri here), so the caller is responsible for building it.
#
# @param uripath [String] The relative path of the file
# @param regex [Regexp] The regular expression to extract the version. The
#   first captured group must contain the version.
# @param fixed_version [String, nil] Optional, the version the vulnerability was fixed in
# @param vuln_introduced_version [String, nil] Optional, the version the vulnerability was introduced
# @return [Msf::Exploit::CheckCode] Unknown when the file could not be fetched,
#   otherwise whatever extract_and_check_version returns
def check_version_from_custom_file(uripath, regex, fixed_version = nil, vuln_introduced_version = nil)
  response = send_request_cgi('uri' => uripath, 'method' => 'GET')

  # A missing response and any status other than 200 are both inconclusive.
  retrieved = response && response.code == 200
  return Msf::Exploit::CheckCode::Unknown("Unable to retrieve the custom file") unless retrieved

  file_contents = response.body.to_s
  extract_and_check_version(file_contents, :custom, 'custom file', fixed_version, vuln_introduced_version, regex)
end

#wordpress_version ⇒ String?

Extracts the Wordpress version information from various sources

Returns:

  • (String, nil)

    Wordpress version if found, nil otherwise



# File 'lib/msf/core/exploit/remote/http/wordpress/version.rb', line 11

# Extracts the WordPress version information from various sources.
#
# The sources are tried in a fixed order and the first one for which
# wordpress_version_helper returns a value wins; later sources are not
# requested. A nil result only means that none of the patterns matched.
#
# NOTE(review): every source is a version string the site publishes about
# itself, so presumably it can be removed or altered by the operator -- treat
# the value as a hint, and do not read a missing banner as "patched".
#
# @return [String, nil] WordPress version if found, nil otherwise
def wordpress_version
  # Each entry pairs a lazily evaluated URL with the pattern applied to it, so
  # a URL helper only runs when its source is actually reached.
  sources = [
    # generator meta tag on the front page
    [-> { normalize_uri(target_uri.path) }, /<meta name="generator" content="WordPress #{WORDPRESS_VERSION_PATTERN}" \/>/i],
    # readme
    [-> { wordpress_url_readme }, /<br \/>\sversion #{WORDPRESS_VERSION_PATTERN}/i],
    # rss feed
    [-> { wordpress_url_rss }, /<generator>http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}<\/generator>/i],
    # rdf feed
    [-> { wordpress_url_rdf }, /<admin:generatorAgent rdf:resource="http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}" \/>/i],
    # atom feed
    [-> { wordpress_url_atom }, /<generator uri="http:\/\/wordpress.org\/" version="#{WORDPRESS_VERSION_PATTERN}">WordPress<\/generator>/i],
    # sitemap
    [-> { wordpress_url_sitemap }, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i],
    # opml
    [-> { wordpress_url_opml }, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i]
  ]

  sources.each do |url_for, pattern|
    detected = wordpress_version_helper(url_for.call, pattern)
    return detected if detected
  end

  nil
end