@jvazquez-r7
Created September 24, 2013 15:25
Wordpress mixin Tester
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
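# Auxiliary module that calls each helper of the Msf::HTTP::Wordpress mixin
# against one WordPress installation and prints the outcome of every call.
#
# Side effects on the target: besides read-only probes (version, user ids,
# post ids, feed), the run logs in with the configured USERNAME/PASSWORD and
# submits comments, both authenticated and anonymous, to a post that accepts
# them. Those comments stay on the blog after the run.
class Metasploit4 < Msf::Auxiliary
  include Msf::HTTP::Wordpress

  # Registers the module metadata and the options the run reads:
  # RPORT, USERNAME, PASSWORD and TARGETURI.
  def initialize
    super(
      'Name' => 'Wordpress mixin tester',
      'Description' => %q{
        Wordpress mixin tester
      },
      'Author' => 'juan vazquez',
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/2267']
        ],
      'DisclosureDate' => 'Sep 23 2013'
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [true, 'Your username']),
        OptString.new('PASSWORD', [true, 'Your password']),
        OptString.new('TARGETURI', [ true, 'The path to the application', '/wordpress-2.0/'])
      ], self.class
    )
  end

  # Runs every mixin check in sequence. A failed check is reported and the
  # run continues with the next one.
  def run
    # The original listing registered USERNAME and PASSWORD as required
    # options but then logged in with the literal pair 'admin'/'admin', so
    # the operator's values were silently ignored. Read them from the
    # datastore instead.
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    # Base
    print_status("Is wordpress online...")
    res = wordpress_and_online?
    if res.nil?
      print_error("It isnt wordpress or isnt online...")
    else
      print_good("Wordpress and online!")
    end

    # Version
    print_status("Finding wordpress version...")
    version = wordpress_version
    if version
      print_good("Version found: #{version}")
    else
      print_error("Version not found")
    end

    # URIs
    print_status("Generating URLs...")
    print_status("URL Login: #{wordpress_url_login}")
    print_status("URL Post 3: #{wordpress_url_post(3)}")
    print_status("URL Author 1: #{wordpress_url_author(1)}")
    print_status("URL RSS: #{wordpress_url_rss}")
    print_status("URL RDF: #{wordpress_url_rdf}")
    print_status("URL ATOM: #{wordpress_url_atom}")
    print_status("URL Readme: #{wordpress_url_readme}")
    print_status("URL Sitemap: #{wordpress_url_sitemap}")
    print_status("URL OPML: #{wordpress_url_opml}")

    # Login
    print_status("Login on wordpress...")
    session = wordpress_login(username, password)
    if session.nil?
      print_error("Couldn't login into wordpress'")
    else
      # NOTE(review): `session` looks like the authentication cookie returned
      # by the mixin (confirm). Printing it puts a live credential into the
      # console output and any spool/log file that captures it.
      print_good("Logged in okey: #{session}")
    end

    # Users
    print_status("Testing if wordpress_user_exists?...")
    # The configured account is the one user expected to exist on the target.
    if wordpress_user_exists?(username)
      print_good("user '#{username}' exists... Ok")
    else
      print_error("user '#{username}' no exists... bad")
    end

    if wordpress_user_exists?('nonexistent')
      print_error("user 'nonexistent' exists... Bad")
    else
      print_good("user 'nonexistent' no exists... Ok")
    end

    print_status("Testing if wordpress_userid_exists?...")
    (0..10).each do |user_id|
      if wordpress_userid_exists?(user_id)
        print_good("user_id #{user_id} exists")
      else
        print_warning("user_id #{user_id} doesn't exist")
      end
    end

    # Posts
    print_status("Finding a valid post id (anonymous)")
    post_id = wordpress_bruteforce_valid_post_id(0, 20)
    report_post_id(post_id)

    if session
      # The authenticated result replaces the anonymous one, including when
      # it is nil, exactly as in the original flow.
      print_status("Finding a valid post id (authenticated)")
      post_id = wordpress_bruteforce_valid_post_id(0, 20, session)
      report_post_id(post_id)
    end

    report_comments_enabled(post_id) if post_id

    print_status("Finding a valid post id with comments enabled (anonymous)")
    post_id = wordpress_bruteforce_valid_post_id_with_comments_enabled(0, 20)
    report_post_id(post_id)

    if session
      print_status("Finding a valid post id with comments enabled (authenticated)")
      post_id = wordpress_bruteforce_valid_post_id_with_comments_enabled(0, 20, session)
      report_post_id(post_id)
    end

    report_comments_enabled(post_id) if post_id

    # Comments: these calls write to the target blog.
    if post_id
      if session
        print_status("Posts a comment as an authenticated user...")
        comment_url = wordpress_post_comment_auth(Rex::Text.rand_text_alpha(5), post_id, session)
        report_comment(comment_url)
      end

      print_status("Post unauthenticated comment")
      comment_url = wordpress_post_comment_no_auth(Rex::Text.rand_text_alpha(5), post_id, "juan", "juan@noemail.com", "http://nourl.com")
      report_comment(comment_url)

      print_status("Cookie to show moderated comments #{wordpress_get_unauth_comment_cookies("juan", "juan@noemail.com", "http://nourl.com")}")
    end

    # Feed
    print_status("Get all blogs via feed")
    posts = wordpress_get_all_blog_posts_via_feed
    if posts
      print_good("Posts found via feed:")
      posts.each do |post|
        print_status(post)
      end
    else
      print_error("Posts not found via feed")
    end
  end

  private

  # Prints whether a post id lookup produced a result.
  def report_post_id(post_id)
    if post_id
      print_good("Post id found: #{post_id}")
    else
      print_error("Post id not found")
    end
  end

  # Checks whether comments are enabled for post_id, once by id and once by
  # the post URL built from it, and prints both results.
  def report_comments_enabled(post_id)
    print_status("Testing if comments are enabled on id #{post_id}")
    if wordpress_post_id_comments_enabled?(post_id)
      print_good("Comments enabled (#{post_id})")
    else
      print_error("Comments not enabled #{post_id}")
    end

    post_url = wordpress_url_post(post_id)
    print_status("Testing if comments are enabled on url: #{post_url}")
    if wordpress_post_comments_enabled?(post_url)
      print_good("Comments enabled (#{post_url})")
    else
      print_error("Comments not enabled #{post_url}")
    end
  end

  # Prints the result of a comment submission; a nil comment_url is reported
  # as a failed post.
  def report_comment(comment_url)
    if comment_url
      print_good("Comment ok: #{comment_url}")
    else
      print_error("Couldn't post comment")
    end
  end
end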