app/controllers/password_attack.rb in wpscan-3.8.2 vs app/controllers/password_attack.rb in wpscan-3.8.3
- old
+ new
@@ -21,31 +21,36 @@
choices: %w[wp-login xmlrpc xmlrpc-multicall],
normalize: %i[downcase underscore to_sym])
]
end
- def run
- return unless ParsedCli.passwords
-
- if user_interaction?
- output('@info',
- msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
- end
-
- attack_opts = {
+ def attack_opts
+ @attack_opts ||= {
show_progression: user_interaction?,
multicall_max_passwords: ParsedCli.multicall_max_passwords
}
+ end
+ def run
+ return unless ParsedCli.passwords
+
begin
found = []
- attacker.attack(users, passwords(ParsedCli.passwords), attack_opts) do |user|
+ if user_interaction?
+ output('@info',
+ msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
+ end
+
+ attacker.attack(users, ParsedCli.passwords, attack_opts) do |user|
found << user
attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
end
+ rescue Error::NoLoginInterfaceDetected => e
+ # TODO: Maybe output that in JSON as well.
+ output('@notice', msg: e.to_s) if user_interaction?
ensure
output('users', users: found)
end
end
@@ -63,10 +68,12 @@
def attacker_from_cli_options
return unless ParsedCli.password_attack
case ParsedCli.password_attack
when :wp_login
+ raise Error::NoLoginInterfaceDetected unless target.login_url
+
Finders::Passwords::WpLogin.new(target)
when :xmlrpc
raise Error::XMLRPCNotDetected unless xmlrpc
Finders::Passwords::XMLRPC.new(xmlrpc)
@@ -80,11 +87,11 @@
# @return [ Boolean ]
def xmlrpc_get_users_blogs_enabled?
if xmlrpc&.enabled? &&
xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
- .run.body !~ /XML\-RPC services are disabled/
+ .run.body !~ /XML-RPC services are disabled/
true
else
false
end
@@ -98,29 +105,22 @@
if wp_version && wp_version < '4.4'
Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
else
Finders::Passwords::XMLRPC.new(xmlrpc)
end
- else
+ elsif target.login_url
Finders::Passwords::WpLogin.new(target)
+ else
+ raise Error::NoLoginInterfaceDetected
end
end
# @return [ Array<Users> ] The users to brute force
def users
return target.users unless ParsedCli.usernames
ParsedCli.usernames.reduce([]) do |acc, elem|
acc << Model::User.new(elem.chomp)
- end
- end
-
- # @param [ String ] wordlist_path
- #
- # @return [ Array<String> ]
- def passwords(wordlist_path)
- @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
- acc << elem.chomp
end
end
end
end
end