Module: Msf::Exploit::Remote::HTTP::Wordpress::Users
- Included in:
- Msf::Exploit::Remote::HTTP::Wordpress
- Defined in:
- lib/msf/core/exploit/remote/http/wordpress/users.rb
Instance Method Summary
-
#reset_user_password(user) ⇒ Boolean
Performs a password reset for a user.
-
#wordpress_user_exists?(user) ⇒ Boolean
Checks if the given user exists.
-
#wordpress_userid_exists?(user_id) ⇒ String?
Checks if the given userid exists.
Instance Method Details
#reset_user_password(user) ⇒ Boolean
Performs a password reset for a user
# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 70
# Submits the WordPress lost-password form for +user+.
#
# Only the HTTP status of the reply is inspected; the response body is never
# read. A +true+ result therefore means "the server answered 200", not that a
# reset e-mail was actually generated.
# NOTE(review): confirm that a 200 status is the success signal on the
# WordPress versions this is used against.
#
# @param user [String] presumably the login name; sent as the form's
#   user_login field
# @return [Boolean] true when a response arrived with status 200, false
#   otherwise (including when no response arrived)
def reset_user_password(user)
  form_fields = {
    'user_login' => user,
    'redirect_to' => '',
    'wp-submit' => 'Get New Password'
  }
  response = send_request_cgi({
    'method' => 'POST',
    'uri' => wordpress_url_login,
    'vars_get' => { 'action' => 'lostpassword' },
    'vars_post' => form_fields
  })
  # A missing response makes the safe-navigation call yield nil, and
  # nil == 200 is false, so both failure paths collapse to false.
  response&.code == 200
end
#wordpress_user_exists?(user) ⇒ Boolean
Checks if the given user exists
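# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 8
# Checks whether the login form's reply to a wrong password reveals that
# +user+ is a known account.
#
# A login is attempted with a random six-letter password. The account is
# reported as existing only when the reply has status 200 and its body
# contains one of three markers that the code associates with "known user,
# wrong password". A site whose login error does not distinguish an unknown
# user from a wrong password gives this check nothing to match.
#
# @param user [String] login name to test
# @return [Boolean] true when one of the markers is present, false otherwise
#   (including when no response arrived or the status is not 200)
def wordpress_user_exists?(user)
  res = send_request_cgi({
    'method' => 'POST',
    'uri' => wordpress_url_login,
    'vars_post' => wordpress_helper_login_post_data(user, Rex::Text.rand_text_alpha(6))
  })
  return false unless res&.code == 200

  body = res.body.to_s
  # The name is matched literally. Interpolating it unescaped let regex
  # metacharacters in a name change the pattern ("a.b" also matched "axb")
  # or raise RegexpError (for example a name containing "(").
  name_marker = /<strong>#{Regexp.escape(user.to_s)}<\/strong> is incorrect/
  markers = [
    /Incorrect password/,
    /document\.getElementById\('user_pass'\)/,
    name_marker
  ]
  markers.any? { |marker| body.match?(marker) }
end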
#wordpress_userid_exists?(user_id) ⇒ String?
Checks if the given userid exists
# File 'lib/msf/core/exploit/remote/http/wordpress/users.rb', line 27 def wordpress_userid_exists?(user_id) # Wordpress returns all posts from all users on user_id 0 return nil if user_id < 1 url = (user_id) res = send_request_cgi({ 'method' => 'GET', 'uri' => url }) if res and res.redirect? uri = wordpress_helper_parse_location_header(res) return nil unless uri # try to extract username from location if uri.to_s =~ /\/author\/([^\/\b]+)\/?/i return $1 end uri = "#{uri.path}?#{uri.query}" res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) end if res.nil? print_error("Error getting response.") return nil elsif res.code == 200 and ( res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i or res.body =~ /<body class="archive author author-(?:[^\s]+) author-(?:\d+)/i or res.body =~ /Posts by (\w+) Feed/i or res.body =~ /<span class='vcard'><a class='url fn n' href='[^"']+' title='[^"']+' rel='me'>([^<]+)<\/a><\/span>/i or res.body =~ /<title>.*(\b\w+\b)<\/title>/i ) return $1 end end |