Create wordpress_cp_calendar_sqli.rb scanner #5167
class Metasploit4 < Msf::Auxiliary | ||
|
||
include Msf::Exploit::Remote::HttpClient |
Since this is WordPress, you can use Msf::HTTP::Wordpress.
Not sure what this would buy me, don't need fingerprinting or authentication... Can certainly add if there is a benefit though.
@brandonprry yeah, there is no benefit in this module when using the wordpress mixin. But you could include it and write a check method calling check_plugin_version_from_readme (https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/http/wordpress/version.rb#L50). But as this module only checks for the SQLI without exploiting it, the main method already acts as a "check method".
It technically does exploit the vuln in order to check the validity of the vuln :)
It also isn't a wordpress vuln per se, just a plugin for wordpress, the version of wordpress itself doesn't matter.
In any case, I agree, the scanner is essentially its own check method.
check_plugin_version_from_readme checks the plugin's readme and extracts the version number (not the version of wordpress itself). So if you call it with check_plugin_version_from_readme('cp-multi-view-calendar', fixed_in_version) it will say vulnerable or not, determined only by the plugin's version.
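The readme-based version check described in the comment above, as an added example that is not part of the original thread and not Metasploit's implementation of check_plugin_version_from_readme. It assumes the standard WordPress readme.txt layout, compares against the last affected release (1.1.4, from the pull request description) instead of a fixed-in version, and runs on constructed sample readmes; `readme_version` and `readme_status` are hypothetical names.

```ruby
require 'rubygems' # Gem::Version orders dotted versions numerically

# Last affected release, taken from the pull request description.
LAST_AFFECTED = '1.1.4'

# Extract a version from readme.txt text (assumed standard WordPress layout):
# prefer the "Stable tag:" header, fall back to the first "= x.y.z ="
# changelog heading when the tag is something like "trunk".
def readme_version(readme)
  text = readme.to_s
  candidates = []
  candidates << Regexp.last_match(1) if text =~ /^\s*Stable tag:\s*(\S+)/i
  candidates << Regexp.last_match(1) if text =~ /^=\s*v?(\d[\w.]*)\s*=\s*$/i
  found = candidates.find { |c| Gem::Version.correct?(c) }
  found && Gem::Version.new(found)
end

# :vulnerable -> advertised version is at or below the last affected release
# :newer      -> advertised version is above it
# :unknown    -> readme missing, or no parsable version in it
def readme_status(readme, last_affected = LAST_AFFECTED)
  version = readme_version(readme)
  return :unknown if version.nil?

  version <= Gem::Version.new(last_affected) ? :vulnerable : :newer
end

# Constructed readme.txt bodies for illustration (not fetched from any site).
SAMPLES = {
  'old release' => "=== Example Calendar ===\nStable tag: 1.1.4\n",
  # "1.1.10" sorts below "1.1.4" as a string; Gem::Version orders it correctly.
  'newer release' => "=== Example Calendar ===\nStable tag: 1.1.10\n",
  'trunk tag' => "=== Example Calendar ===\nStable tag: trunk\n" \
                 "== Changelog ==\n= 1.0.9 =\n* fixes\n",
  'readme removed' => ''
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, body| puts format('%-15s %s', name, readme_status(body)) }
end
```

A readme can be deleted or left stale, so `:unknown` and `:newer` are weaker evidence than the active test the scanner itself performs.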
Oh, I see. I misunderstood.
@firefart is the most suitable for the recommendations. \o
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'EDB', '36243'] |
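Review bot: the 'References' array carries a single entry, [ 'EDB', '36243'], so the module can only be cross-referenced from Exploit-DB. Add the plugin's WPVDB identifier next to it so WordPress-specific tooling and advisories link to the module as well, and pad the closing bracket to match the opening one, as in [ 'EDB', '36243' ].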
[ 'WPVDB', '7650' ]
sorry wrong vuln, will create a new one for this
Please use wpvulndbid 7910
works for me:
can you please add the additional reference @brandonprry ?
Yes, doing that now.
Use the new WPVDB
thx @brandonprry !
This module will scan for vulnerable instances of CP Multi-View Calendar v1.1.4 (and prior) for Wordpress by exploiting an unauthenticated UNION-based SQL injection.
http://www.exploit-db.com/exploits/36243/
Quick run:
Passes msftidy:
Thanks!