Class: WPScan::Controller::PasswordAttack

Inherits:

CMSScanner::Controller::Base

• Object
• CMSScanner::Controller::Base
• WPScan::Controller::PasswordAttack

Defined in:

app/controllers/password_attack.rb

Overview

Password Attack Controller

Instance Method Summary

• #attacker ⇒ CMSScanner::Finders::Finder

  The finder used to perform the attack.

• #attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder
• #attacker_from_cli_options ⇒ CMSScanner::Finders::Finder
• #cli_options ⇒ Object
• #passwords(wordlist_path) ⇒ Array<String>
• #run ⇒ Object
• #users ⇒ Array<Users>

  The users to brute force.

• #xmlrpc ⇒ WPScan::XMLRPC

Instance Method Details

#attacker ⇒ CMSScanner::Finders::Finder

Returns The finder used to perform the attack.

Returns:

• (CMSScanner::Finders::Finder) —

  The finder used to perform the attack

# File 'app/controllers/password_attack.rb', line 51

def attacker
  @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
end

#attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 75

def attacker_from_automatic_detection
  if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
    wp_version = target.wp_version

    if wp_version && wp_version < '4.4'
      WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
    else
      WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
    end
  else
    WPScan::Finders::Passwords::WpLogin.new(target)
  end
end

#attacker_from_cli_options ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 61

def attacker_from_cli_options
  return unless parsed_options[:password_attack]

  case parsed_options[:password_attack]
  when :wp_login
    WPScan::Finders::Passwords::WpLogin.new(target)
  when :xmlrpc
    WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
  when :xmlrpc_multicall
    WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
  end
end

#cli_options ⇒ Object

# File 'app/controllers/password_attack.rb', line 5

def cli_options
  [
    OptFilePath.new(
      ['--passwords FILE-PATH', '-P',
       'List of passwords to use during the password attack.',
       'If no --username/s option supplied, user enumeration will be run.'],
      exists: true
    ),
    OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
    OptInteger.new(['--multicall-max-passwords MAX_PWD',
                    'Maximum number of passwords to send by request with XMLRPC multicall'],
                   default: 500),
    OptChoice.new(['--password-attack ATTACK',
                   'Force the supplied attack to be used rather than automatically determining one.'],
                  choices: %w[wp-login xmlrpc xmlrpc-multicall],
                  normalize: %i[downcase underscore to_sym])
  ]
end

#passwords(wordlist_path) ⇒ Array<String>

Parameters:

• wordlist_path (String)

Returns:

• (Array<String>)

# File 'app/controllers/password_attack.rb', line 101

def passwords(wordlist_path)
  @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
    acc << elem.chomp
  end
end

#run ⇒ Object

# File 'app/controllers/password_attack.rb', line 24

def run
  return unless parsed_options[:passwords]

  if user_interaction?
    output('@info',
           msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
  end

  attack_opts = {
    show_progression: user_interaction?,
    multicall_max_passwords: parsed_options[:multicall_max_passwords]
  }

  begin
    found = []

    attacker.attack(users, passwords(parsed_options[:passwords]), attack_opts) do |user|
      found << user

      attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
    end
  ensure
    output('users', users: found)
  end
end

#users ⇒ Array<Users>

Returns The users to brute force.

Returns:

• (Array<Users>) —

  The users to brute force

# File 'app/controllers/password_attack.rb', line 90

def users
  return target.users unless parsed_options[:usernames]

  parsed_options[:usernames].reduce([]) do |acc, elem|
    acc << CMSScanner::User.new(elem.chomp)
  end
end

#xmlrpc ⇒ WPScan::XMLRPC

Returns:

• (WPScan::XMLRPC)

# File 'app/controllers/password_attack.rb', line 56

def xmlrpc
  @xmlrpc ||= target.xmlrpc
end