Module: Msf::Exploit::Remote::HTTP::Wordpress::Posts

Included in:
Msf::Exploit::Remote::HTTP::Wordpress
Defined in:
lib/msf/core/exploit/remote/http/wordpress/posts.rb

Instance Method Details

#get_post_id_from_body(body) ⇒ String?

Gets the post_id from a post body

Parameters:

  • body (String)

    The body of a post

Returns:

  • (String, nil)

    The post_id, nil when nothing found



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 92

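def get_post_id_from_body(body)
  return nil unless body
  # String#[] with a capture index returns nil when the pattern does not match,
  # giving the documented nil instead of raising NoMethodError on nil[1]
  body[/<body class="[^=]*postid-(\d+)[^=]*">/i, 1]
end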

#wordpress_bruteforce_valid_post_id(min_post_id, max_post_id, login_cookie = nil) ⇒ Integer?

Tries to bruteforce a valid post_id

Parameters:

  • min_post_id (Integer)

    The first post_id to bruteforce

  • max_post_id (Integer)

    The last post_id to bruteforce

  • login_cookie (String) (defaults to: nil)

    If set, perform the bruteforce as an authenticated user

Returns:

  • (Integer, nil)

    The post id, nil when nothing found



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 52

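def wordpress_bruteforce_valid_post_id(min_post_id, max_post_id, login_cookie = nil)
  # An empty range cannot contain a valid post_id
  return nil if min_post_id > max_post_id
  range = Range.new(min_post_id, max_post_id)
  # false: do not require comments to be enabled on the post
  wordpress_helper_bruteforce_valid_post_id(range, false, login_cookie)
end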

#wordpress_bruteforce_valid_post_id_with_comments_enabled(min_post_id, max_post_id, login_cookie = nil) ⇒ Integer?

Tries to bruteforce a valid post_id with comments enabled

Parameters:

  • min_post_id (Integer)

    The first post_id to bruteforce

  • max_post_id (Integer)

    The last post_id to bruteforce

  • login_cookie (String) (defaults to: nil)

    If set, perform the bruteforce as an authenticated user

Returns:

  • (Integer, nil)

    The post id, nil when nothing found



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 64

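def wordpress_bruteforce_valid_post_id_with_comments_enabled(min_post_id, max_post_id, login_cookie = nil)
  # An empty range cannot contain a valid post_id
  return nil if min_post_id > max_post_id
  range = Range.new(min_post_id, max_post_id)
  # true: only accept posts that have comments enabled
  wordpress_helper_bruteforce_valid_post_id(range, true, login_cookie)
end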
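
On the server side, the range walk performed by the two bruteforce methods above appears as one client requesting many distinct post IDs in a short time. The following is an added detection example, not part of the Metasploit source; it assumes the default WordPress `?p=<id>` post URL form and a combined-format access log, and the log lines are constructed.

```ruby
require 'time'

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?p=1 HTTP/1.1" 404 512 "-" "-"
  203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?p=2 HTTP/1.1" 404 512 "-" "-"
  203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /?p=3 HTTP/1.1" 200 9120 "-" "-"
  198.51.100.20 - - [10/Mar/2024:12:01:00 +0000] "GET /?p=3 HTTP/1.1" 200 9120 "-" "-"
  203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /?p=4 HTTP/1.1" 301 0 "-" "-"
  203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /?p=5 HTTP/1.1" 404 512 "-" "-"
  198.51.100.20 - - [10/Mar/2024:12:02:10 +0000] "GET /?page=2 HTTP/1.1" 200 4100 "-" "-"
  198.51.100.20 - - [10/Mar/2024:12:05:00 +0000] "GET /?p=4 HTTP/1.1" 200 8800 "-" "-"
LOG

# Captures: client address, timestamp, numeric value of the p= parameter.
LINE_RE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "GET \S*?[?&]p=(\d+)\S* HTTP/[\d.]+" \d{3}}

# Returns the client addresses that requested at least `threshold` distinct
# post IDs within any span of `window` seconds.
def post_id_sweepers(log, threshold: 5, window: 60)
  hits = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    next unless (m = LINE_RE.match(line))

    ts = Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z')
    hits[m[1]] << [ts, m[3].to_i]
  end

  flagged = hits.select do |_ip, reqs|
    reqs.sort_by!(&:first) # log lines from different workers may be out of order
    reqs.each_index.any? do |i|
      in_window = reqs[i..].take_while { |t, _id| t - reqs[i][0] <= window }
      in_window.map(&:last).uniq.size >= threshold
    end
  end
  flagged.keys
end
```

Tune `threshold` and `window` to the site: ordinary readers rarely touch more than a few distinct `?p=` IDs per minute, while feed readers and crawlers may need an allowlist.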

#wordpress_get_all_blog_posts_via_feed(max_redirects = 10) ⇒ Array<String>?

Tries to get some Blog Posts via the RSS feed

Parameters:

  • max_redirects (Integer) (defaults to: 10)

    maximum redirects to follow

Returns:

  • (Array<String>, nil)

    String Array with valid blog posts, nil on error



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 101

def wordpress_get_all_blog_posts_via_feed(max_redirects = 10)
  vprint_status("Enumerating Blog posts...")
  blog_posts = []

  begin
    vprint_status("Locating wordpress feed...")
    res = send_request_cgi({
        'uri'    => wordpress_url_rss,
        'method' => 'GET'
    })

    count = max_redirects

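    # Follow redirects (res is nil when the request got no response)
    while res && res.redirect? && res.redirection && count != 0
      path = wordpress_helper_parse_location_header(res)
      return nil unless path

      vprint_status("Web server returned a #{res.code}...following to #{path}")
      res = send_request_cgi({
          'uri'    => path,
          'method' => 'GET'
      })
      # No response to the redirected request: fall through to the nil check below
      break unless res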

      if res.code == 200
        vprint_status("Feed located at #{path}")
      else
        vprint_status("Returned a #{res.code}...")
      end
      count = count - 1
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    print_error("Unable to connect")
    return nil
  end

  if res.nil? or res.code != 200
    vprint_status("Did not receive HTTP response for RSS feed")
    return blog_posts
  end

  # parse out links and place in array
  links = res.body.scan(/<link>([^<]+)<\/link>/i)

  if links.nil? or links.empty?
    vprint_status("Feed did not have any links present")
    return blog_posts
  end

  links.each do |link|
    path = path_from_uri(link[0])
    blog_posts << path if path
  end
  return blog_posts
end

#wordpress_get_unauth_comment_cookies(author, email, url) ⇒ String

WordPress shows moderated comments to the unauthenticated user who posted them. Users are identified by their cookie.

Parameters:

  • author (String)

    The author name used to post the anonymous comment

  • email (String)

    The author email used to post the anonymous comment

  • url (String)

    The author url used to post the anonymous comment

Returns:

  • (String)

    The cookie string that can be used to see moderated comments



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 33

def wordpress_get_unauth_comment_cookies(author, email, url)
  scheme = ssl ? 'https' : 'http'
  # A non-default port must appear as ":port" so the hashed URL matches siteurl
  port = (rport == 80 || rport == 443) ? '' : ":#{rport}"
  # siteurl does not contain last slash
  path = target_uri.to_s.sub(/\/$/, '')
  siteurl = "#{scheme}://#{rhost}#{port}#{path}"
  site_hash = Rex::Text.md5(siteurl)
  cookie = "comment_author_#{site_hash}=#{author}; "
  cookie << "comment_author_email_#{site_hash}=#{email}; "
  cookie << "comment_author_url_#{site_hash}=#{url};"
  cookie
end
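
The cookie names above end in the MD5 of the site URL, so the same derivation lets an analyst pull the commenter identity out of a logged `Cookie` header. The following is an added example, not part of the Metasploit source; the helper names, host and cookie values are hypothetical, and it assumes the configured site URL equals the URL the site is reached at.

```ruby
require 'digest'
require 'uri'

# Builds the site URL: no trailing slash, port only when it is not the
# default for the scheme (assumption: siteurl matches the public URL).
def wp_siteurl(scheme, host, port, path)
  default = { 'http' => 80, 'https' => 443 }[scheme]
  authority = port == default ? host : "#{host}:#{port}"
  "#{scheme}://#{authority}#{path.sub(%r{/\z}, '')}"
end

# Extracts the comment author fields from a Cookie header for this site.
# Returns nil when none of the three site-specific cookies is present.
def commenter_from_cookie(header, siteurl)
  hash = Digest::MD5.hexdigest(siteurl)
  jar = header.split(/;\s*/)
              .map { |kv| kv.split('=', 2) }
              .select { |pair| pair.size == 2 } # skip attributes without '='
              .to_h
  names = {
    author: "comment_author_#{hash}",
    email:  "comment_author_email_#{hash}",
    url:    "comment_author_url_#{hash}"
  }
  found = names.transform_values do |name|
    jar[name] && URI.decode_www_form_component(jar[name])
  end
  found.values.any? ? found : nil
end

# Constructed sample: a site on port 8080 and a header as it might be logged.
SAMPLE_SITEURL = wp_siteurl('http', 'blog.example.test', 8080, '/wp/')
SAMPLE_HASH = Digest::MD5.hexdigest(SAMPLE_SITEURL)
SAMPLE_COOKIE = "comment_author_#{SAMPLE_HASH}=Alice%20A; " \
                "comment_author_email_#{SAMPLE_HASH}=alice%40example.test; other=1"
```

A site URL that differs by a single character, such as a missing `:` before the port, hashes to different cookie names and no fields are found.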

#wordpress_post_comment_auth(comment, comment_post_id, login_cookie) ⇒ String?

Posts a comment as an authenticated user

Parameters:

  • comment (String)

    The comment

  • comment_post_id (Integer)

    The Post ID to post the comment to

  • login_cookie (String)

    The valid login_cookie

Returns:

  • (String, nil)

    The location of the new comment/post, nil on error



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 10

def wordpress_post_comment_auth(comment, comment_post_id, login_cookie)
  # Authenticated: pass the login cookie and no author, email or url
  wordpress_helper_post_comment(comment, comment_post_id, login_cookie, nil, nil, nil)
end

#wordpress_post_comment_no_auth(comment, comment_post_id, author, email, url) ⇒ String?

Posts a comment as an unauthenticated user

Parameters:

  • comment (String)

    The comment

  • comment_post_id (Integer)

    The Post ID to post the comment to

  • author (String)

    The author name

  • email (String)

    The author email

  • url (String)

    The author url

Returns:

  • (String, nil)

    The location of the new comment/post, nil on error



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 22

def wordpress_post_comment_no_auth(comment, comment_post_id, author, email, url)
  wordpress_helper_post_comment(comment, comment_post_id, nil, author, email, url)
end

#wordpress_post_comments_enabled?(url, login_cookie = nil) ⇒ String?

Checks if the provided post has comments enabled

Parameters:

  • url (String)

    The post url

  • login_cookie (String) (defaults to: nil)

    If set, perform the check as an authenticated user

Returns:

  • (String, nil)

    the HTTP response body of the post, nil otherwise



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 84

def wordpress_post_comments_enabled?(url, login_cookie = nil)
  # true: require comments to be enabled on the post
  wordpress_helper_check_post_id(url, true, login_cookie)
end

#wordpress_post_id_comments_enabled?(post_id, login_cookie = nil) ⇒ String?

Checks if the provided post has comments enabled

Parameters:

  • post_id (Integer)

    The post ID to check

  • login_cookie (String) (defaults to: nil)

    If set, perform the check as an authenticated user

Returns:

  • (String, nil)

    the HTTP response body of the post, nil otherwise



# File 'lib/msf/core/exploit/remote/http/wordpress/posts.rb', line 75

def wordpress_post_id_comments_enabled?(post_id, login_cookie = nil)
  # true: require comments to be enabled on the post
  wordpress_helper_check_post_id(wordpress_url_post(post_id), true, login_cookie)
end