Class: WPScan::Controller::PasswordAttack

Inherits:

CMSScanner::Controller::Base

• Object
• CMSScanner::Controller::Base
• WPScan::Controller::PasswordAttack

Defined in:

app/controllers/password_attack.rb

Overview

Password Attack Controller

Instance Method Summary

• #attacker ⇒ CMSScanner::Finders::Finder

  The finder used to perform the attack.

• #attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder
• #attacker_from_cli_options ⇒ CMSScanner::Finders::Finder
• #cli_options ⇒ Object
• #passwords(wordlist_path) ⇒ Array<String>
• #run ⇒ Object
• #users ⇒ Array<Users>

  The users to brute force.

• #xmlrpc ⇒ Model::XMLRPC
• #xmlrpc_get_users_blogs_enabled? ⇒ Boolean

Instance Method Details

#attacker ⇒ CMSScanner::Finders::Finder

Returns The finder used to perform the attack.

Returns:

• (CMSScanner::Finders::Finder) —

  The finder used to perform the attack

# File 'app/controllers/password_attack.rb', line 53

def attacker
  @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
end

#attacker_from_automatic_detection ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 94

def attacker_from_automatic_detection
  if xmlrpc_get_users_blogs_enabled?
    wp_version = target.wp_version

    if wp_version && wp_version < '4.4'
      Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
    else
      Finders::Passwords::XMLRPC.new(xmlrpc)
    end
  else
    Finders::Passwords::WpLogin.new(target)
  end
end

#attacker_from_cli_options ⇒ CMSScanner::Finders::Finder

Returns:

• (CMSScanner::Finders::Finder)

# File 'app/controllers/password_attack.rb', line 63

def attacker_from_cli_options
  return unless ParsedCli.password_attack

  case ParsedCli.password_attack
  when :wp_login
    Finders::Passwords::WpLogin.new(target)
  when :xmlrpc
    raise Error::XMLRPCNotDetected unless xmlrpc

    Finders::Passwords::XMLRPC.new(xmlrpc)
  when :xmlrpc_multicall
    raise Error::XMLRPCNotDetected unless xmlrpc

    Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
  end
end

#cli_options ⇒ Object

# File 'app/controllers/password_attack.rb', line 7

def cli_options
  [
    OptFilePath.new(
      ['--passwords FILE-PATH', '-P',
       'List of passwords to use during the password attack.',
       'If no --username/s option supplied, user enumeration will be run.'],
      exists: true
    ),
    OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
    OptInteger.new(['--multicall-max-passwords MAX_PWD',
                    'Maximum number of passwords to send by request with XMLRPC multicall'],
                   default: 500),
    OptChoice.new(['--password-attack ATTACK',
                   'Force the supplied attack to be used rather than automatically determining one.'],
                  choices: %w[wp-login xmlrpc xmlrpc-multicall],
                  normalize: %i[downcase underscore to_sym])
  ]
end

#passwords(wordlist_path) ⇒ Array<String>

Parameters:

• wordlist_path (String)

Returns:

• (Array<String>)

# File 'app/controllers/password_attack.rb', line 120

def passwords(wordlist_path)
  @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
    acc << elem.chomp
  end
end

#run ⇒ Object

# File 'app/controllers/password_attack.rb', line 26

def run
  return unless ParsedCli.passwords

  if user_interaction?
    output('@info',
           msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
  end

  attack_opts = {
    show_progression: user_interaction?,
    multicall_max_passwords: ParsedCli.multicall_max_passwords
  }

  begin
    found = []

    attacker.attack(users, passwords(ParsedCli.passwords), attack_opts) do |user|
      found << user

      attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
    end
  ensure
    output('users', users: found)
  end
end

#users ⇒ Array<Users>

Returns The users to brute force.

Returns:

• (Array<Users>) —

  The users to brute force

# File 'app/controllers/password_attack.rb', line 109

def users
  return target.users unless ParsedCli.usernames

  ParsedCli.usernames.reduce([]) do |acc, elem|
    acc << Model::User.new(elem.chomp)
  end
end

#xmlrpc ⇒ Model::XMLRPC

Returns:

• (Model::XMLRPC)

# File 'app/controllers/password_attack.rb', line 58

def xmlrpc
  @xmlrpc ||= target.xmlrpc
end

#xmlrpc_get_users_blogs_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/controllers/password_attack.rb', line 81

def xmlrpc_get_users_blogs_enabled?
  if xmlrpc&.enabled? &&
     xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
     xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
           .run.body !~ /XML\-RPC services are disabled/

    true
  else
    false
  end
end