wpxf 2.0.0a

data/lib/wpxf/payloads/socket_helper.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+# Provides common functionality for socket based payloads.
+module Wpxf::Payloads::SocketHelper
+  def start_socket_io_loop(socket, event_emitter)
+    read_thread = Thread.new { start_socket_read_loop(socket) }
+    execute_queued_commands(socket, event_emitter)
+    start_socket_write_loop(socket, read_thread)
+  rescue SignalException
+    puts
+    event_emitter.emit_warning 'Caught kill signal', true
+  rescue StandardError => e
+    puts
+    event_emitter.emit_error "Error encountered: #{e}"
+  end
+
+  def execute_queued_commands(socket, event_emitter)
+    queued_commands.each do |cmd|
+      socket.puts cmd
+      event_emitter.emit_success "Executed: #{cmd}"
+    end
+
+    puts
+  end
+
+  def start_socket_write_loop(socket, read_thread)
+    loop do
+      input = STDIN.gets
+      if input =~ /^(quit|exit)$/i
+        read_thread.exit
+        break
+      else
+        socket.puts input
+      end
+    end
+  end
+
+  def start_socket_read_loop(socket)
+    loop do
+      begin
+        print socket.read_nonblock(1024)
+      rescue IO::WaitReadable
+        retry
+      rescue StandardError => e
+        raise 'Connection lost' if e.is_a? EOFError
+        puts "SOCKET ERROR: #{e}"
+      end
+    end
+  end
+end

data/lib/wpxf/utility.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# The root namespace.
+module Wpxf
+  # The namespace for utility classes and modules.
+  module Utility
+  end
+end
+
+require 'wpxf/utility/body_builder'
+require 'wpxf/utility/text'
+require 'wpxf/utility/reference_inflater'

data/lib/wpxf/utility/body_builder.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module Wpxf
+  module Utility
+    # A super strong body builder capable of building formatted form bodies for
+    # use with the {Wpxf::Net::HttpClient} mixin.
+    class BodyBuilder
+      def initialize
+        @fields = {}
+        @temp_dir = File.join(Dir.tmpdir, "wpxf_#{object_id}")
+      end
+
+      # Add a key-value pair to the field list.
+      # @param name the name of the form item.
+      # @param value the value of the form item.
+      # @return [Hash] the newly added form item.
+      def add_field(name, value)
+        @fields[name] = { type: :normal, value: value }
+      end
+
+      # Add a file to the field list.
+      # @param name the name of the form item.
+      # @param path the local path of the file to be uploaded.
+      # @param [optional] remote_name the file name to transmit the file as.
+      # @return [Hash] the newly added form item.
+      def add_file(name, path, remote_name = nil)
+        @fields[name] = { type: :file, path: path, remote_name: remote_name }
+      end
+
+      # Add a file to the field list that will upload a specific string as its
+      # file contents, rather than reading from disk.
+      # @param name the name of the form item.
+      # @param value the contents of the file.
+      # @param remote_name the file name to transmit the file as.
+      # @return [Hash] the newly added form item.
+      def add_file_from_string(name, value, remote_name)
+        @fields[name] = {
+          type: :mem_file,
+          value: value,
+          remote_name: remote_name
+        }
+      end
+
+      # Generate a ZIP file and add it to the field list.
+      # @param name the name of the form item.
+      # @param files [Hash] a hash of file names as keys and their
+      #   content as values.
+      # @param remote_name [String] the file name to transmit the file as.
+      def add_zip_file(name, files, remote_name)
+        @fields[name] = {
+          type: :mem_zip,
+          value: files,
+          remote_name: remote_name
+        }
+      end
+
+      # Create the body string and pass it to the specified block.
+      # @yieldparam body the {Wpxf::Net::HttpClient} compatible body string.
+      # @return [Nil] nothing, the body must be accessed by using
+      #    a block when calling the method.
+      def create
+        body = _prepare_fields
+        yield(body)
+      ensure
+        _cleanup_temp_files(body)
+        nil
+      end
+
+      private
+
+      def _cleanup_temp_files(fields)
+        fields.each { |_k, v| v.close if v.is_a?(File) }
+        FileUtils.rm_rf @temp_dir.to_s
+      end
+
+      def _create_tmp_directory(name)
+        directory = File.join(@temp_dir, name)
+        FileUtils.mkdir_p(directory)
+      end
+
+      def _copy_file_to_temp_path(src, dest, parent_name)
+        directory = _create_tmp_directory(parent_name)
+        temp_path = File.join(directory, dest)
+        FileUtils.cp(src, temp_path)
+        temp_path
+      end
+
+      def _create_tmp_file_from_string(content, dest, parent_name)
+        path = File.join(_create_tmp_directory(parent_name), dest)
+        File.open(path, 'w') { |f| f.write(content) }
+        path
+      end
+
+      def _generate_zip_file(zip_name, field_name, fields)
+        path = File.join(_create_tmp_directory(field_name), zip_name)
+        Zip::File.open(path, Zip::File::CREATE) do |zipfile|
+          fields.each do |field, content|
+            zipfile.get_output_stream(field) do |os|
+              os.write content
+            end
+          end
+        end
+        path
+      end
+
+      def _prepare_zip_file_field(name, field)
+        zip = _generate_zip_file(field[:remote_name], name, field[:value])
+        File.open(zip, 'r')
+      end
+
+      def _prepare_mem_file_field(name, field)
+        path = _create_tmp_file_from_string(
+          field[:value],
+          field[:remote_name],
+          name
+        )
+        File.open(path, 'r')
+      end
+
+      def _prepare_file_field(name, field)
+        path = field[:path]
+        unless field[:remote_name].nil?
+          path = _copy_file_to_temp_path(field[:path], field[:remote_name], name)
+        end
+        File.open(path, 'r')
+      end
+
+      def _field_prep_map
+        {
+          file: :_prepare_file_field,
+          mem_file: :_prepare_mem_file_field,
+          mem_zip: :_prepare_zip_file_field
+        }
+      end
+
+      def _prepare_fields
+        fields = {}
+        @fields.each do |name, field|
+          if field[:type] == :normal
+            fields[name] = field[:value]
+          else
+            fields[name] = send(_field_prep_map[field[:type]], name, field)
+          end
+        end
+        fields
+      end
+    end
+  end
+end

data/lib/wpxf/utility/reference_inflater.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Wpxf
+  module Utility
+    # A URL inflater for module references.
+    class ReferenceInflater
+      # Initializes a new {ReferenceInflater}.
+      # @param type [String] the reference type identifier.
+      # @raise [ArgumentError] if the reference type identifier is not recognised.
+      def initialize(type)
+        raise ArgumentError, 'Unrecognised reference type' unless format_strings.key?(type)
+        @type = type
+      end
+
+      # Generate the full reference URL from its identifier.
+      # @param id [Object] the reference ID.
+      # @return [String] the reference URL.
+      def inflate(id)
+        format(format_strings[@type], id.to_s)
+      end
+
+      # @return [Hash] the format strings for each reference type identifier.
+      def format_strings
+        {
+          'WPVDB' => 'https://wpvulndb.com/vulnerabilities/%s',
+          'OSVDB' => 'http://www.osvdb.org/%s',
+          'CVE'   => 'http://www.cvedetails.com/cve/CVE-%s',
+          'EDB'   => 'https://www.exploit-db.com/exploits/%s',
+          'URL'   => '%s'
+        }
+      end
+    end
+  end
+end

data/lib/wpxf/utility/text.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'digest'
+
+module Wpxf
+  module Utility
+    # Provides helper methods for text based operations.
+    module Text
+      # Generate a random numeric string.
+      # @param length [Integer] the number of characters to include.
+      # @param allow_leading_zero [Boolean] if set to true, will allow a number starting with zero.
+      # @return [String] a random numeric string.
+      def self.rand_numeric(length, allow_leading_zero = false)
+        value = Array.new(length) { [*'0'..'9'].sample }.join
+        value[0] = [*'1'..'9'].sample unless allow_leading_zero
+        value
+      end
+
+      # Generate a random alphanumeric string.
+      # @param length [Integer] the number of characters to include.
+      # @param casing [Symbol] the casing to use for the alpha characters.
+      #   Possible values are :mixed, :upper and :lower.
+      # @return [String] a random alphanumeric string.
+      def self.rand_alphanumeric(length, casing = :mixed)
+        range = [*'0'..'9'] + alpha_ranges(casing)
+        Array.new(length) { range.sample }.join
+      end
+
+      # Generate a random alpha string.
+      # @param length [Integer] the number of characters to include.
+      # @param casing [Symbol] the casing to use for the alpha characters.
+      #   Possible values are :mixed, :upper and :lower.
+      # @return [String] a random alpha string.
+      def self.rand_alpha(length, casing = :mixed)
+        Array.new(length) { alpha_ranges(casing).sample }.join
+      end
+
+      # @param casing [Symbol] the casing to use for the alpha characters.
+      #   Possible values are :mixed, :upper and :lower.
+      # @return [Array] a range of alpha characters in the matching casing.
+      def self.alpha_ranges(casing)
+        if casing == :mixed
+          [*'A'..'Z', *'a'..'z']
+        elsif casing == :upper
+          [*'A'..'Z']
+        elsif casing == :lower
+          [*'a'..'z']
+        end
+      end
+
+      # Generate an MD5 hash of a string.
+      # @param value [String] the value to hash.
+      # @return [String] the MD5 hash.
+      def self.md5(value)
+        digest = Digest::MD5.new
+        digest.update(value)
+        digest.hexdigest
+      end
+
+      # Generate a random e-mail address.
+      # @return [String] the e-mail address.
+      def self.rand_email
+        "#{rand_alpha(rand(5..10))}@#{rand_alpha(rand(5..10))}.com"
+      end
+
+      # Generate a random month name.
+      # @return [String] the month name.
+      def self.rand_month
+        %w[january february march april june july august september october november december].sample
+      end
+
+      # Convert each byte of a string to its hexadecimal value and
+      # concantenate them together, to provide a hexadecimal string.
+      # @param value [String] the string to hexify.
+      # @return [String] the hexadecimal string.
+      def self.hexify_string(value)
+        value.each_byte.map { |b| b.to_s(16) }.join
+      end
+    end
+  end
+end

data/lib/wpxf/versioning.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# The root namespace.
+module Wpxf
+  # The namespace for version generation mixins and classes.
+  module Versioning
+  end
+end
+
+require 'wpxf/versioning/browser_versions'
+require 'wpxf/versioning/os_versions'

data/lib/wpxf/versioning/browser_versions.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Wpxf
+  module Versioning
+    # Provides functionality for generating random browser versions.
+    module BrowserVersions
+      # @return [String] a random IE version string.
+      def random_ie_version
+        "#{rand(7..9)}.0"
+      end
+
+      # @return [String] a random Trident version string.
+      def random_trident_version
+        "#{rand(3..5)}.#{rand(0..1)}"
+      end
+
+      # @return [String] a random Chrome version string.
+      def random_chrome_version
+        "#{rand(13..15)}.0.#{rand(800..899)}.0"
+      end
+
+      # @return [String] a random Presto version string.
+      def random_presto_version
+        "2.9.#{rand(160..190)}"
+      end
+
+      # @return [String] a random second part Presto version string.
+      def random_presto_version2
+        "#{rand(10..12)}.00"
+      end
+
+      # @return [String] a random Safari build number.
+      def random_safari_build_number
+        "#{rand(531..535)}.#{rand(1..50)}.#{rand(1..7)}"
+      end
+
+      # @return [String] a random Safari version number.
+      def random_safari_version
+        [
+          "#{rand(4..5)}.#{rand(0..1)}",
+          "#{rand(4..5)}.0.#{rand(1..5)}"
+        ].sample
+      end
+
+      # @return [String] a random Chrome build number.
+      def random_chrome_build_number
+        "#{rand(531..536)}.#{rand(0..2)}"
+      end
+
+      # @return [String] a random Opera version number.
+      def random_opera_version
+        "#{rand(8..9)}.#{rand(10..99)}"
+      end
+    end
+  end
+end

data/lib/wpxf/versioning/os_versions.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Wpxf
+  module Versioning
+    # Provides functionality for generating random OS versions.
+    module OSVersions
+      # @return [String] a random NT version string.
+      def random_nt_version
+        "#{rand(5..6)}.#{rand(0..1)}"
+      end
+
+      # @return [String] a random OSX version string.
+      def random_osx_version
+        "10_#{rand(5..7)}_#{rand(0..9)}"
+      end
+    end
+  end
+end

data/lib/wpxf/wordpress.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# The root namespace.
+module Wpxf
+  # The namespace for WordPress mixins and classes.
+  module WordPress
+  end
+end
+
+require 'wpxf/wordpress/options'
+require 'wpxf/wordpress/urls'
+require 'wpxf/wordpress/login'
+require 'wpxf/wordpress/fingerprint'
+require 'wpxf/wordpress/plugin'
+require 'wpxf/wordpress/posts'
+require 'wpxf/wordpress/user'
+require 'wpxf/wordpress/xss'
+require 'wpxf/wordpress/reflected_xss'
+require 'wpxf/wordpress/staged_reflected_xss'
+require 'wpxf/wordpress/stored_xss'
+require 'wpxf/wordpress/shell_upload'
+require 'wpxf/wordpress/file_download'
+require 'wpxf/wordpress/comments'
+require 'wpxf/wordpress/hash_dump'