Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module
#18985
+1
−1
Note
This PR fixes #18916
This PR updates the conditional logic for the unix/webapp/wp_admin_shell_upload module. Previously store_valid_credential was added to the wrong conditional branch in d69bfd5.
The new fix will now return CheckCode::Safe when an invalid login (cookie returns nil) is used by the module. CheckCode::Safe is returned when a target is safe and is therefore not exploitable.
metasploit-framework/lib/msf/core/exploit.rb, Line 124 in d64ed33
When a valid login is used by the module, the module will now store the creds to the database and return CheckCode::Appears. CheckCode::Appears is returned when the target appears to be vulnerable.
metasploit-framework/lib/msf/core/exploit.rb, Line 136 in d64ed33
Example
Target
Guide I followed: https://github.com/docker/awesome-compose/tree/master/wordpress-mysql
Example file when targeting WordPress version 4.8.2:
File name: compose.yaml
Command to run that Docker compose image:
Verification
msfconsole
use unix/webapp/wp_admin_shell_upload
The target appears to be vulnerable. and the creds are added to the DB via the creds command
The target is not exploitable.
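The branch logic described in this PR, as an added Ruby example that is not the module's code or part of the PR. CredStore, fake_login, check_before and check_after are hypothetical stand-ins, the login data is constructed, and check_before assumes the misplaced store call sat in the nil-cookie branch.

```ruby
# Added illustration: stand-ins for the framework, not Metasploit code.
module CheckCode
  Safe    = :safe     # target is safe and therefore not exploitable
  Appears = :appears  # target appears to be vulnerable
end

# Hypothetical stand-in for the credential database behind the creds command.
class CredStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  def store_valid_credential(user:, private:, proof: nil)
    @rows << { user: user, private: private, proof: proof }
  end
end

# Constructed login data: one valid pair; anything else yields no cookie.
VALID = { 'admin' => 'correct-password' }.freeze

def fake_login(user, pass)
  VALID[user] == pass ? "wordpress_logged_in=#{user}" : nil
end

# Assumed pre-fix shape: the store call sits in the failed-login branch,
# so a rejected password is recorded as valid and a working one is not.
def check_before(store, user, pass)
  cookie = fake_login(user, pass)
  if cookie.nil?
    store.store_valid_credential(user: user, private: pass, proof: cookie)
    return CheckCode::Safe
  end
  CheckCode::Appears
end

# Post-fix shape as described: bail out on a nil cookie, store only on success.
def check_after(store, user, pass)
  cookie = fake_login(user, pass)
  return CheckCode::Safe if cookie.nil?

  store.store_valid_credential(user: user, private: pass, proof: cookie)
  CheckCode::Appears
end
```

Both versions return the same check codes for the same input; only the contents of the credential store differ, which is why the defect shows up in the creds output rather than in the check result.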