Land rapid7#3558, @firefart's improvements to wordpress mixin

Author: jvazquez-r7

lib/msf/http/wordpress.rb

@@ -25,10 +25,20 @@ def initialize(info = {})
         super
 
         register_options(
-            [
-                Msf::OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
-            ], HTTP::Wordpress
+          [
+            Msf::OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/'])
+          ], HTTP::Wordpress
         )
+
+        register_advanced_options(
+          [
+            Msf::OptString.new('WPCONTENTDIR', [true, 'The name of the wp-content directory', 'wp-content'])
+          ], HTTP::Wordpress
+        )
+      end
+
+      def wp_content_dir
+        datastore['WPCONTENTDIR']
       end
     end
   end

lib/msf/http/wordpress/base.rb

@@ -1,28 +1,23 @@
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Base
-
   # Checks if the site is online and running wordpress
   #
   # @return [Rex::Proto::Http::Response,nil] Returns the HTTP response if the site is online and running wordpress, nil otherwise
   def wordpress_and_online?
-    begin
-      res = send_request_cgi({
-          'method' => 'GET',
-          'uri' => normalize_uri(target_uri.path)
-      })
-      return res if res and
-          res.code == 200 and
-          (
-            res.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i or
-            res.body =~ /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i or
-            res.body =~ /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'] \/>/i
-          )
-      return nil
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      print_error("#{peer} - Error connecting to #{target_uri}")
-      return nil
-    end
+    res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path)
+    )
+    wordpress_detect_regexes = [
+      /["'][^"']*\/#{Regexp.escape(wp_content_dir)}\/[^"']*["']/i,
+      /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i,
+      /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'](?: \/)*>/i
+    ]
+    return res if res && res.code == 200 && res.body && wordpress_detect_regexes.any? { |r| res.body =~ r }
+    return nil
+  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+    print_error("#{peer} - Error connecting to #{target_uri}: #{e}")
+    return nil
   end
-
 end

lib/msf/http/wordpress/helpers.rb

@@ -49,7 +49,7 @@ def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author
     options.merge!({'vars_post' => vars_post})
     options.merge!({'cookie' => login_cookie}) if login_cookie
     res = send_request_cgi(options)
-    if res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    if res && res.redirect? && res.redirection
       return wordpress_helper_parse_location_header(res)
     else
       message = "#{peer} - Post comment failed."
@@ -101,7 +101,7 @@ def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil
       else
         return res.body
       end
-    elsif res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    elsif res && res.redirect? && res.redirection
       path = wordpress_helper_parse_location_header(res)
       return wordpress_helper_check_post_id(path, comments_enabled, login_cookie)
     end
@@ -113,9 +113,9 @@ def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil
   # @param res [Rex::Proto::Http::Response] The HTTP response
   # @return [String,nil] the path and query, nil on error
   def wordpress_helper_parse_location_header(res)
-    return nil unless res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    return nil unless res && res.redirect? && res.redirection
 
-    location = res.headers['Location']
+    location = res.redirection
     path_from_uri(location)
   end
 

lib/msf/http/wordpress/login.rb

@@ -1,28 +1,30 @@
 # -*- coding: binary -*-
-module Msf::HTTP::Wordpress::Login
 
+module Msf::HTTP::Wordpress::Login
   # performs a wordpress login
   #
   # @param user [String] Username
   # @param pass [String] Password
   # @return [String,nil] the session cookies as a single string on successful login, nil otherwise
   def wordpress_login(user, pass)
     redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
-    res = send_request_cgi({
+    res = send_request_cgi(
         'method' => 'POST',
         'uri' => wordpress_url_login,
         'vars_post' => wordpress_helper_login_post_data(user, pass, redirect)
-    })
-
-    if res and (res.code == 301 or res.code == 302) and res.headers['Location'] == redirect
+    )
+    if res && res.redirect? && res.redirection && res.redirection.to_s == redirect
       cookies = res.get_cookies
       # Check if a valid wordpress cookie is returned
-      return cookies if cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+      return cookies if
+        # current Wordpress
+        cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+        # Wordpress 2.0
         cookies =~ /wordpress(?:user|pass)_[^=]+=[^;]+;/i ||
+        # Wordpress 2.5
         cookies =~ /wordpress_[a-z0-9]+=[^;]+;/i
     end
 
-    return nil
+    nil
   end
-
 end

lib/msf/http/wordpress/posts.rb

@@ -112,7 +112,7 @@ def wordpress_get_all_blog_posts_via_feed(max_redirects = 10)
       count = max_redirects
 
       # Follow redirects
-      while (res.code == 301 || res.code == 302) and res.headers['Location'] and count != 0
+      while res.redirect? && res.redirection && count != 0
         path = wordpress_helper_parse_location_header(res)
         return nil unless path
 

lib/msf/http/wordpress/users.rb

@@ -33,7 +33,7 @@ def wordpress_userid_exists?(user_id)
         'uri' => url
     })
 
-    if res and res.code == 301
+    if res and res.redirect?
       uri = wordpress_helper_parse_location_header(res)
       return nil unless uri
       # try to extract username from location

lib/msf/http/wordpress/version.rb

@@ -2,63 +2,124 @@
 
 module Msf::HTTP::Wordpress::Version
 
+  # Used to check if the version is correct: must contain at least one dot
+  WORDPRESS_VERSION_PATTERN = '([^\r\n"\']+\.[^\r\n"\']+)'
+
   # Extracts the Wordpress version information from various sources
   #
   # @return [String,nil] Wordpress version if found, nil otherwise
   def wordpress_version
     # detect version from generator
-    version = wordpress_version_helper(normalize_uri(target_uri.path), /<meta name="generator" content="WordPress #{wordpress_version_pattern}" \/>/i)
+    version = wordpress_version_helper(normalize_uri(target_uri.path), /<meta name="generator" content="WordPress #{WORDPRESS_VERSION_PATTERN}" \/>/i)
     return version if version
 
     # detect version from readme
-    version = wordpress_version_helper(wordpress_url_readme, /<br \/>\sversion #{wordpress_version_pattern}/i)
+    version = wordpress_version_helper(wordpress_url_readme, /<br \/>\sversion #{WORDPRESS_VERSION_PATTERN}/i)
     return version if version
 
     # detect version from rss
-    version = wordpress_version_helper(wordpress_url_rss, /<generator>http:\/\/wordpress.org\/\?v=#{wordpress_version_pattern}<\/generator>/i)
+    version = wordpress_version_helper(wordpress_url_rss, /<generator>http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}<\/generator>/i)
     return version if version
 
     # detect version from rdf
-    version = wordpress_version_helper(wordpress_url_rdf, /<admin:generatorAgent rdf:resource="http:\/\/wordpress.org\/\?v=#{wordpress_version_pattern}" \/>/i)
+    version = wordpress_version_helper(wordpress_url_rdf, /<admin:generatorAgent rdf:resource="http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}" \/>/i)
     return version if version
 
     # detect version from atom
-    version = wordpress_version_helper(wordpress_url_atom, /<generator uri="http:\/\/wordpress.org\/" version="#{wordpress_version_pattern}">WordPress<\/generator>/i)
+    version = wordpress_version_helper(wordpress_url_atom, /<generator uri="http:\/\/wordpress.org\/" version="#{WORDPRESS_VERSION_PATTERN}">WordPress<\/generator>/i)
     return version if version
 
     # detect version from sitemap
-    version = wordpress_version_helper(wordpress_url_sitemap, /generator="wordpress\/#{wordpress_version_pattern}"/i)
+    version = wordpress_version_helper(wordpress_url_sitemap, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i)
     return version if version
 
     # detect version from opml
-    version = wordpress_version_helper(wordpress_url_opml, /generator="wordpress\/#{wordpress_version_pattern}"/i)
+    version = wordpress_version_helper(wordpress_url_opml, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i)
     return version if version
 
     nil
   end
 
-  private
+  # Checks a readme for a vulnerable version
+  #
+  # @param [String] plugin_name The name of the plugin
+  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
+  #
+  # @return [ Msf::Exploit::CheckCode ]
+  def check_plugin_version_from_readme(plugin_name, fixed_version, vuln_introduced_version = nil)
+    check_version_from_readme(:plugin, plugin_name, fixed_version, vuln_introduced_version)
+  end
 
-  # Used to check if the version is correct: must contain at least one dot.
+  # Checks a readme for a vulnerable version
   #
-  # @return [ String ]
-  def wordpress_version_pattern
-    '([^\r\n"\']+\.[^\r\n"\']+)'
+  # @param [String] theme_name The name of the theme
+  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
+  #
+  # @return [ Msf::Exploit::CheckCode ]
+  def check_theme_version_from_readme(theme_name, fixed_version, vuln_introduced_version = nil)
+    check_version_from_readme(:theme, theme_name, fixed_version, vuln_introduced_version)
   end
 
+  private
+
   def wordpress_version_helper(url, regex)
-    res = send_request_cgi({
-        'method' => 'GET',
-        'uri' => url
-    })
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => url
+    )
     if res
       match = res.body.match(regex)
-      if match
-        return match[1]
-      end
+      return match[1] if match
     end
 
     nil
   end
 
+  def check_version_from_readme(type, name, fixed_version, vuln_introduced_version = nil)
+    case type
+    when :plugin
+      folder = 'plugins'
+    when :theme
+      folder = 'themes'
+    else
+      fail("Unknown readme type #{type}")
+    end
+
+    readme_url = normalize_uri(target_uri.path, wp_content_dir, folder, name, 'readme.txt')
+    res = send_request_cgi(
+      'uri'    => readme_url,
+      'method' => 'GET'
+    )
+    # no readme.txt present
+    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+
+    # try to extract version from readme
+    # Example line:
+    # Stable tag: 2.6.6
+    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
+
+    # readme present, but no version number
+    return Msf::Exploit::CheckCode::Detected if version.nil?
+
+    vprint_status("#{peer} - Found version #{version} of the #{type}")
+
+    # Version older than fixed version
+    if Gem::Version.new(version) < Gem::Version.new(fixed_version)
+      if vuln_introduced_version.nil?
+        # All versions are vulnerable
+        return Msf::Exploit::CheckCode::Appears
+      # vuln_introduced_version provided, check if version is newer
+      elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+        return Msf::Exploit::CheckCode::Appears
+      else
+        # Not in range, nut vulnerable
+        return Msf::Exploit::CheckCode::Safe
+      end
+    # version newer than fixed version
+    else
+      return Msf::Exploit::CheckCode::Safe
+    end
+  end
 end