Fix Wordpress user login validation for recent versions of WordPress #14882
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## BUG
While trying using
`module> auxiliary/scanner/http/wordpress_login_enum`
User validation does not occur correctly in wordpress 5.x
## Verification
- mkdir wordpress
- cd wordpress
- nano docker-compose.yml
- Enter the following into the file
```
version: '3.3'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
WORDPRESS_DB_NAME: wordpress
volumes:
db_data: {}
```
- sudo docker-compose up -d
- Follow the setup instructions at 127.0.0.1:8000 and set up a new user in WordPress.
- Start msfconsole
- creds add user:test
- use auxiliary/scanner/http/wordpress_login_enum
- set RHOSTS 127.0.0.1
- set RPORT 8000
- set DB_ALL_USERS true
- run
## Expected Output
```
msf6 > use auxiliary/scanner/http/wordpress_login_enum
msf6 auxiliary(scanner/http/wordpress_login_enum) > show options
Module options (auxiliary/scanner/http/wordpress_login_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE true yes Perform brute force authentication
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
ENUMERATE_USERNAMES true yes Enumerate usernames
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RANGE_END 10 no Last user id to enumerate
RANGE_START 1 no First user id to enumerate
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI / yes The base path to the wordpress application
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VALIDATE_USERS true yes Validate usernames
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/http/wordpress_login_enum) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/wordpress_login_enum) > set DB_ALL_USERS true
DB_ALL_USERS => true
msf6 auxiliary(scanner/http/wordpress_login_enum) > run
[-] The connection was refused by the remote host (127.0.0.1:8080).
[-] / does not seem to be WordPress site
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wordpress_login_enum) > set RPORT 8000
RPORT => 8000
msf6 auxiliary(scanner/http/wordpress_login_enum) > run
[*] / - WordPress Version 5.6.1 detected
[*] 127.0.0.1:8000 - / - WordPress User-Enumeration - Running User Enumeration
[*] 127.0.0.1:8000 - / - WordPress User-Validation - Running User Validation
[*] / - WordPress User-Validation - Checking Username:'Administrator'
[-] 127.0.0.1:8000 - [1/4] - / - WordPress User-Validation - Invalid Username: 'Administrator'
[*] / - WordPress User-Validation - Checking Username:'administrator'
[-] 127.0.0.1:8000 - [2/4] - / - WordPress User-Validation - Invalid Username: 'administrator'
[*] / - WordPress User-Validation - Checking Username:'test'
[+] / - WordPress User-Validation - Username: 'test' - is VALID
[+] / - WordPress User-Validation - Found 1 valid user
[-] 127.0.0.1:8000 - [4/4] - / - WordPress User-Validation - Invalid Username: 'normal'
[*] 127.0.0.1:8000 - [5/4] - / - WordPress Brute Force - Running Bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wordpress_login_enum) >
```
## Linked Issue
[https://github.com/rapid7/metasploit-framework/issues/14790#issue-81372544](https://github.com/rapid7/metasploit-framework/issues/14790#issue-813725448,"https://github.com/rapid7/metasploit-framework/issues/14790#issue-813725448")
Please remind me if any issue is found with the fix! ;-)
gwillcox-r7
suggested changes
Mar 11, 2021
Now the search will be for the exact user error
|
Done! |
|
Thanks going to verify this now, appreciate the quick turn around! |
gwillcox-r7
approved these changes
Mar 11, 2021
|
Hmm this doesn't seem to be working for me. Valid username:password combo should be Looking into this a bit closer things should be working but somehow the fix isn't correct: |
gwillcox-r7
reviewed
Mar 11, 2021
| @@ -14,7 +14,8 @@ def wordpress_user_exists?(user) | |||
|
|
|||
| return true if res and res.code == 200 and | |||
| (res.body.to_s =~ /Incorrect password/ or | |||
| res.body.to_s =~ /document\.getElementById\('user_pass'\)/) | |||
| res.body.to_s =~ /document\.getElementById\('user_pass'\)/ or | |||
| res.body.to_s =~/<strong>^#{user}<\/strong> is incorrect/) | |||
There was a problem hiding this comment.
Wait I think there might be a typo here. Looks like an extra ^ slipped in. Let me check this quickly.
There was a problem hiding this comment.
There we go that was the issue 👍
There was a problem hiding this comment.
Applied the fix in 94dbe9f before landing. Thanks again!
With typo fixed this works! Thanks for submitting this PR, I know a lot of people were trying to get this issue addressed. Will go ahead and make a ninja edit to fix the typo and then get this landed 👍 |
gwillcox-r7
changed the title
gwillcox-r7
changed the title
gwillcox-r7
added a commit
that referenced
this pull request
Mar 11, 2021
gwillcox-r7
added
rn-fix
Release NotesImproved |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes #14790
BUG
While trying using
module> auxiliary/scanner/http/wordpress_login_enumUser validation does not occur correctly in wordpress 5.x
Verification
testwas recognisedExpected Output
Please remind me if any issue is found with the fix! ;-)