diff --git a/lib/common/models/wp_user/brute_forcable.rb b/lib/common/models/wp_user/brute_forcable.rb
index 4bced4e8..73a107d7 100644
--- a/lib/common/models/wp_user/brute_forcable.rb
+++ b/lib/common/models/wp_user/brute_forcable.rb
@@ -17,9 +17,10 @@ class WpUser < WpItem
 # @param [ Hash ] options
 # @option options [ Boolean ] :verbose
 # @option options [ Boolean ] :show_progression
+ # @param [ String ] redirect_url Override for redirect_url
 #
 # @return [ void ]
- def brute_force(wordlist, options = {})
+ def brute_force(wordlist, options = {}, redirect_url = nil)
 browser = Browser.instance
 hydra = browser.hydra
 passwords = BruteForcable.passwords_from_wordlist(wordlist)
@@ -30,8 +31,10 @@ class WpUser < WpItem
 passwords.each do |password|
 # A successfull login will redirect us to the redirect_to parameter
 # Generate a radom one on each request
- random = (0...8).map { 65.+(rand(26)).chr }.join
- redirect_url = "#{@uri}#{random}/"
+ unless redirect_url
+ random = (0...8).map { 65.+(rand(26)).chr }.join
+ redirect_url = "#{@uri}#{random}/"
+ end
 request = login_request(password, redirect_url)
@@ -98,7 +101,7 @@ class WpUser < WpItem
 #
 # @return [ Boolean ]
 def valid_password?(response, password, redirect_url, options = {})
- if response.code == 302 && response.headers_hash['Location'] == redirect_url
+ if response.code == 302 && response.headers_hash && response.headers_hash['Location'] == redirect_url
 progression = "#{green('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
 valid = true
 elsif response.body =~ /login_error/i
diff --git a/spec/shared_examples/wp_user/brute_forcable.rb b/spec/shared_examples/wp_user/brute_forcable.rb
index f3734cbf..532dfebf 100644
--- a/spec/shared_examples/wp_user/brute_forcable.rb
+++ b/spec/shared_examples/wp_user/brute_forcable.rb
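Review bot: The new YARD tag `@param [ String ] redirect_url Override for redirect_url` is circular and does not tell a caller what the value is compared against or what happens when it is omitted; the second hunk generates a random path under `@uri` when it is nil and the third hunk compares it to the response's Location header. A more useful line would be `# @param [ String ] redirect_url URL expected in the Location header of a successful login; when nil a random path under @uri is generated`. As a point of style, a trailing optional positional after `options = {}` forces every caller that wants it to spell out `{}` first; a keyword such as `redirect_url: nil` would read better at call sites, though callers are not visible in this diff so that is only a suggestion. The body of brute_force continues beyond this hunk.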
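Review bot: In the `unless redirect_url` block of the second hunk the assignment targets the method parameter, so once the first iteration of `passwords.each` has generated a value the guard is false for every later password and the same URL is reused; the unchanged comment two lines above, "Generate a radom one on each request", therefore no longer describes the code. Either update the comment to say the value is generated once per run when the caller supplies none, or keep the per-request behaviour with a separate local, e.g. `url = redirect_url || "#{@uri}#{(0...8).map { 65.+(rand(26)).chr }.join}/"` followed by `request = login_request(password, url)`. While touching that comment, "successfull" and "radom" are typos. The enclosing method starts before this hunk and continues after it.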
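Review bot: The nil guard added in the third hunk covers `headers_hash` but not `redirect_url`; if a caller passes nil for `redirect_url` and the 302 response carries no Location header, `nil == nil` is true and the password is reported as valid. Extending the condition to `if response.code == 302 && redirect_url && response.headers_hash && response.headers_hash['Location'] == redirect_url` closes that false positive, and the spec in the second file could add a case for a nil `return_to`. The comparison is also an exact string match, so a server that answers with a relative or differently normalised Location would be treated as a failed login; whether that happens in practice cannot be told from this diff. The rest of valid_password? lies outside the hunk.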
@@ -58,19 +58,28 @@ shared_examples 'WpUser::BruteForcable' do
 describe '#valid_password?' do
 let(:response) { Typhoeus::Response.new(resp_options) }
 let(:resp_options) { {} }
+ let(:return_to) { 'http://www.example.com/asdf/' }
 after do
- wp_user.valid_password?(response, 'password').should == @expected
+ wp_user.valid_password?(response, 'password', return_to).should == @expected
 end
- context 'when 302' do
- let(:resp_options) { { code: 302 } }
+ context 'when 302 and valid return_to parameter' do
+ let(:resp_options) { { code: 302, headers: { 'Location' => return_to } } }
 it 'returns true' do
 @expected = true
 end
 end
+ context 'when 302 and invalid return_to parameter' do
+ let(:resp_options) { { code: 302, headers: { 'Location' => nil } } }
+
+ it 'returns false' do
+ @expected = false
+ end
+ end
+
 context 'when login_error' do
 let(:resp_options) { { body: '