Module: Msf::Exploit::Remote::HTTP::Wordpress::Users

Included in:
Msf::Exploit::Remote::HTTP::Wordpress
Defined in:
lib/msf/core/exploit/remote/http/wordpress/users.rb


Instance Method Details

#reset_user_password(user) ⇒ Boolean

Requests a password reset for a WordPress user by submitting the login page's "lost password" form (`action=lostpassword`, `wp-submit=Get New Password`). This makes WordPress send a reset link to the account's registered e-mail address — it does not set a new password, and it is visible to the account owner.

Parameters:

  • user (String)

    Username

Returns:

  • (Boolean)

    true if the server answered HTTP 200. Only the status code is checked: a 200 does not by itself confirm that a reset was issued, since the lost-password form can come back with a 200 and an error message (for example for an unknown username).



# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 70

# Request a password reset for +user+ by POSTing the wp-login "lost password"
# form (action=lostpassword). WordPress reacts by e-mailing a reset link to the
# account's address; nothing is changed on the account by this call itself,
# and the owner will notice the mail.
#
# NOTE(review): the value of 'uri' was dropped in this rendering of the
# listing; it should be the WordPress login endpoint helper — confirm against
# lib/msf/core/exploit/remote/http/wordpress/users.rb before relying on it.
#
# @param user [String] username (or e-mail) to submit as user_login
# @return [Boolean] true if the server answered HTTP 200. Only the status
#   code is inspected: a 200 does not prove a reset was issued, because the
#   form can be re-rendered with a 200 and an error message. Callers wanting
#   confirmation should inspect the response body as well.
def reset_user_password(user)
  res = send_request_cgi({
    'method' => 'POST',
    'uri' => ,
    'vars_get' => { 'action' => 'lostpassword' },
    'vars_post' => { 'user_login' => user, 'redirect_to' => '', 'wp-submit' => 'Get New Password' }
  })
  # nil res means the request itself failed (no response at all)
  return false unless res&.code == 200

  true
end

#wordpress_user_exists?(user) ⇒ Boolean

Checks whether the given username exists by attempting a login with a random password and looking for WordPress's "known user, wrong password" markers in the response. This is a real failed login against the target: it appears in the site's logs and may count toward brute-force lockout or rate-limiting thresholds.

Parameters:

  • user (String)

    Username

Returns:

  • (Boolean)

    true only on an HTTP 200 whose body contains one of the known markers; false on no response, any other status, or when the site uses different wording — so false means "not confirmed", not "does not exist".



# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 8

# Check whether +user+ exists by attempting a login with a random password and
# searching the response for the markers WordPress emits when the username is
# known but the password is wrong. This is a genuine failed login against the
# target: it shows up in the site's logs and may count toward lockout or
# rate-limiting thresholds.
#
# NOTE(review): the 'uri' value and the helper that builds 'vars_post' were
# dropped in this rendering of the listing; confirm against the source file.
#
# NOTE(review): +user+ is interpolated into the third regex unescaped. A
# username containing regex metacharacters ('.', '+', '(' ...) either alters
# the pattern or raises RegexpError; the safe form is
# /<strong>#{Regexp.escape(user)}<\/strong> is incorrect/.
#
# @param user [String] username to test
# @return [Boolean] true only when the response is HTTP 200 and its body
#   matches one of the markers; false on no response, any other status, or
#   when the site uses different wording (false is "not confirmed")
def wordpress_user_exists?(user)
  res = send_request_cgi({
      'method' => 'POST',
      'uri' => ,
      'vars_post' => (user, Rex::Text.rand_text_alpha(6))
  })

  # Markers are version/theme dependent; each alternative covers a different
  # WordPress wording of the wrong-password error
  return true if res and res.code == 200 and
      (res.body.to_s =~ /Incorrect password/ or
          res.body.to_s =~ /document\.getElementById\('user_pass'\)/ or
          res.body.to_s =~/<strong>#{user}<\/strong> is incorrect/)

  return false
end

#wordpress_userid_exists?(user_id) ⇒ String?

Resolves a numeric WordPress user ID to the account's username (author slug) via the author archive — the classic `?author=N` user-enumeration check. It follows at most one redirect and then scrapes the archive page with a list of patterns; the last, loosest pattern (the final word of `<title>`) can produce false positives on sites that answer unknown IDs with a 200 page.

Parameters:

  • user_id (Integer)

    user_id

Returns:

  • (String, nil)

    the username (author slug) if the ID exists; nil if the ID is below 1, no response was received, the status was not 200, or no known pattern matched



# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 27

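# Resolve a numeric WordPress user ID to its username (author slug) via the
# author archive — the classic +?author=N+ enumeration check.
#
# Two sources are tried: a redirect to a pretty permalink
# (+/author/<slug>/+), then the author archive page itself, scraped with a
# list of patterns from most to least specific. The last pattern — the final
# word of +<title>+ — matches almost any 200 page, so a site that answers
# unknown IDs with a 200 "not found" page will yield a false positive.
#
# Fix over the previous version: the +<body class="... author-<slug> ...">+
# pattern only had non-capturing groups, so a match returned +$1+ = nil and
# the user was reported as absent. It now captures the slug.
#
# @param user_id [Integer] user ID to look up (must be >= 1)
# @return [String, nil] the username / author slug, or nil if the ID is out
#   of range, no response was received, the status is not 200, or no
#   pattern matched
def wordpress_userid_exists?(user_id)
  # WordPress returns all posts from all users on user_id 0
  return nil if user_id < 1

  res = send_request_cgi({
      'method' => 'GET',
      'uri' => wordpress_url_author(user_id)
  })

  if res && res.redirect?
    location = wordpress_helper_parse_location_header(res)
    return nil unless location

    # A pretty-permalink site redirects straight to /author/<slug>/ —
    # the slug is the answer, no second request needed
    slug = location.to_s[/\/author\/([^\/\b]+)\/?/i, 1]
    return slug if slug

    # Otherwise follow the redirect once and scrape that page
    res = send_request_cgi({
        'method' => 'GET',
        'uri' => "#{location.path}?#{location.query}"
    })
  end

  if res.nil?
    print_error("Error getting response.")
    return nil
  end
  return nil unless res.code == 200

  # Ordered from most to least specific; each pattern has exactly one
  # capture group holding the name. The final <title> pattern is a loose
  # fallback and the main source of false positives.
  body = res.body.to_s
  patterns = [
    /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i,
    /<body class="archive author author-([^\s]+) author-(?:\d+)/i,
    /Posts by (\w+) Feed/i,
    /<span class='vcard'><a class='url fn n' href='[^"']+' title='[^"']+' rel='me'>([^<]+)<\/a><\/span>/i,
    /<title>.*(\b\w+\b)<\/title>/i
  ]
  patterns.each do |re|
    name = body[re, 1]
    return name if name
  end
  nil
end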