Refactor plugin editing

2020-02-07 00:15:22 -06:00
parent 68565f575f
commit 3b258eeb19
2 changed files with 23 additions and 8 deletions
@@ -55,25 +55,33 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin

    vprint_status("Acquired a plugin edit nonce: #{nonce}")

-    editor_uri = normalize_uri(
-      wordpress_url_backend,
-      "plugin-editor.php?file=#{file}" # Can't use vars_get for this
-    )
-
    # https://github.com/WordPress/WordPress/blob/master/wp-admin/plugin-editor.php
    res = send_request_cgi(
      'method'       => 'POST',
-      'uri'          => editor_uri,
+      'uri'          => wordpress_url_admin_plugin_editor,
      'cookie'       => cookie,
      'vars_post'    => {
+        'action'     => 'update',
        '_wpnonce'   => nonce,
        'file'       => file,
-        'action'     => 'update',
        'newcontent' => contents
      }
    )

-    unless res && res.redirect? && res.redirection.to_s.include?(editor_uri)
+    unless res && res.redirect?
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    # NOTE: send_request_cgi! doesn't change the method
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => res.redirection.to_s,
+      'cookie' => cookie
+    )
+
+    unless res && res.code == 200 && res.body.include?('edited successfully')
      vprint_error("Server responded with code #{res.code}") if res
      vprint_error("Failed to edit plugin file #{file}")
      return false
@@ -94,6 +94,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::URIs
    normalize_uri(wordpress_url_backend, 'update.php')
  end

+  # Returns the Wordpress Admin Plugin Editor URL
+  #
+  # @return [String] Wordpress Admin Plugin Editor URL
+  def wordpress_url_admin_plugin_editor
+    normalize_uri(wordpress_url_backend, 'plugin-editor.php')
+  end
+
  # Returns the Wordpress wp-content dir URL
  #
  # @return [String] Wordpress wp-content dir URL