wpxf 2.0.0a

data/lib/wpxf/wordpress/comments.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+# Provides functionality for gathering and posting comments.
+module Wpxf::WordPress::Comments
+  include Wpxf
+
+  # Initialises a new instance of {Comments}
+  def initialize
+    super
+
+    _register_comment_options if should_register_comment_posting_options
+  end
+
+  # @return [Boolean] a value indicating whether or not to register
+  #   the options required to post a WordPress comment.
+  def should_register_comment_posting_options
+    true
+  end
+
+  # Post a comment.
+  # @param post_id [Integer] the post ID to comment on.
+  # @param content [String] the content of the comment.
+  # @param author [String] the author's name.
+  # @param email [String] the author's e-mail address.
+  # @param website [String] the author's website.
+  # @return [Integer] the ID of the comment, or -1 if the comment failed to post.
+  def post_wordpress_comment(post_id, content, author, email, website)
+    comment_id = -1
+
+    scoped_option_change('follow_http_redirection', false) do
+      res = execute_post_request(
+        url: wordpress_url_comments_post,
+        cookie: session_cookie,
+        body: {
+          author: author,
+          comment: content,
+          email: email,
+          url: website,
+          submit: 'Post Comment',
+          comment_post_ID: post_id,
+          comment_parent: 0
+        }
+      )
+
+      if res&.code == 302
+        id = res.headers['Location'][/#comment-([0-9]+)/i, 1]
+        comment_id = id.to_i if id
+      end
+    end
+
+    comment_id
+  end
+
+  private
+
+  # Register the comment posting options.
+  def _register_comment_options
+    register_options([
+      StringOption.new(
+        name: 'comment_author',
+        desc: 'The author name to use when posting a comment',
+        default: Utility::Text.rand_alpha(5),
+        required: true
+      ),
+      StringOption.new(
+        name: 'comment_content',
+        desc: 'The static text to use as the comment content',
+        default: Utility::Text.rand_alpha(20),
+        required: true
+      ),
+      StringOption.new(
+        name: 'comment_email',
+        desc: 'The e-mail address to use when posting a comment',
+        default: Utility::Text.rand_email,
+        required: true
+      ),
+      StringOption.new(
+        name: 'comment_website',
+        desc: 'The website address to use when posting a comment',
+        required: false
+      ),
+      IntegerOption.new(
+        name: 'comment_post_id',
+        desc: 'The ID of the post to comment on',
+        required: true
+      )
+    ])
+  end
+end

data/lib/wpxf/wordpress/file_download.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'wpxf/helpers/export'
+
+# Provides reusable functionality for file download modules.
+module Wpxf::WordPress::FileDownload
+  include Wpxf
+  include Wpxf::Db::Loot
+  include Wpxf::Helpers::Export
+
+  # Initialize a new instance of {FileDownload}
+  def initialize
+    super
+    return unless register_remote_file_option?
+
+    _update_info_without_validation(
+      desc: %(
+        This module exploits a vulnerability which allows you to
+        download any arbitrary file (relative to #{working_directory})
+        accessible by the user the web server is running as.
+      )
+    )
+
+    register_option(
+      StringOption.new(
+        name: 'remote_file',
+        desc: 'The path to the remote file',
+        required: true,
+        default: default_remote_file_path
+      )
+    )
+  end
+
+  def register_remote_file_option?
+    true
+  end
+
+  # @return [String, nil] a custom description to use when storing the loot item.
+  def loot_description; end
+
+  # @return [String] the working directory of the vulnerable file.
+  def working_directory; end
+
+  # @return [String] the default remote file path.
+  def default_remote_file_path; end
+
+  # @return [String] the URL of the vulnerable file used to download remote files.
+  def downloader_url; end
+
+  # @return [Hash] the params to be used when requesting the download file.
+  def download_request_params; end
+
+  # @return [Hash, String] the body to be used when requesting the download file.
+  def download_request_body; end
+
+  # @return [Symbol] the HTTP method to use when requesting the download file.
+  def download_request_method
+    :get
+  end
+
+  # @return [String] the path to the remote file.
+  def remote_file
+    normalized_option_value('remote_file')
+  end
+
+  # Validate the contents of the requested file.
+  # @param content [String] the file contents.
+  # @return [Boolean] true if valid.
+  def validate_content(content)
+    true
+  end
+
+  # A task to run before the download starts.
+  # @return [Boolean] true if pre-download operations were successful.
+  def before_download
+    true
+  end
+
+  # @return [String] the file extension to use when downloading the file.
+  def file_extension
+    ''
+  end
+
+  # @return [Integer] the expected HTTP code for a successful download.
+  def expected_http_code
+    200
+  end
+
+  # Handles an occurrence of an unexpected result.
+  # @param [Integer] the returned HTTP code.
+  # @return [Boolean] true if the code should be ignored, false if the module should fail.
+  def handle_unexpected_http_code(code)
+    emit_error "Server responded with code #{code}"
+    false
+  end
+
+  # @return [String] the type of file downloaded by the module.
+  def file_category
+    'unknown'
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    _validate_implementation
+
+    return false unless super
+    return false unless before_download
+
+    @downloaded_filename = generate_unique_filename(file_extension)
+    emit_info 'Downloading file...'
+    res = download_file(_build_request_opts(@downloaded_filename))
+
+    return false unless _validate_result(res)
+    unless validate_content(res.body)
+      FileUtils.rm @downloaded_filename, force: true
+      return false
+    end
+
+    emit_success "Downloaded file to #{@downloaded_filename}"
+    _store_file_as_loot
+
+    true
+  end
+
+  # @return [String] returns the path the file was downloaded to.
+  attr_reader :downloaded_filename
+
+  private
+
+  def _store_file_as_loot
+    desc = loot_description
+
+    if desc.nil? && register_remote_file_option?
+      desc = "Remote file: #{File.basename(remote_file)[0..85]}"
+    end
+
+    desc = '' if desc.nil?
+    store_loot downloaded_filename, desc[0..99], file_category
+  end
+
+  def _validate_implementation
+    return unless register_remote_file_option?
+    raise 'A value must be specified for #working_directory' unless working_directory
+  end
+
+  def _validate_result(res)
+    if res.nil? || res.timed_out?
+      emit_error 'Request timed out, try increasing the http_client_timeout'
+      return false
+    end
+
+    return true unless res.code != expected_http_code
+    handle_unexpected_http_code(res.code)
+  end
+
+  def _build_request_opts(filename)
+    {
+      method: download_request_method,
+      url: downloader_url,
+      params: download_request_params,
+      body: download_request_body,
+      cookie: session_cookie,
+      local_filename: filename
+    }
+  end
+end

data/lib/wpxf/wordpress/fingerprint.rb

@@ -0,0 +1,238 @@
+# frozen_string_literal: true
+
+# Provides functionality for fingerprinting WordPress and its components.
+module Wpxf::WordPress::Fingerprint
+  # Check if the host is online and running WordPress.
+  # @return [Boolean] true if the host is online and running WordPress.
+  def wordpress_and_online?
+    res = execute_get_request(url: full_uri)
+    return false unless res && res.code == 200
+    return true if _wordpress_fingerprint_regexes.any? { |r| res.body =~ r }
+    false
+  end
+
+  # Extract the WordPress version information from various sources.
+  # @return [Version, nil] the version if found, nil otherwise.
+  def wordpress_version
+    _wordpress_version_fingerprint_sources.each do |url, pattern|
+      res = execute_get_request(url: url)
+      match = res.body.match(pattern) if res && res.code == 200
+      return Gem::Version.new(match[1]) if match
+    end
+    nil
+  end
+
+  # Checks the style.css file for a vulnerable version.
+  # @param name [String] the name of the theme.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced in.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_theme_version_from_style(name, fixed = nil, introduced = nil)
+    style_uri = normalize_uri(wordpress_url_themes, name, 'style.css')
+    res = execute_get_request(url: style_uri)
+
+    # No style.css file present
+    return :unknown if res.nil? || res.code != 200
+
+    pattern = _extension_version_pattern(:style)
+    _extract_and_check_version(res.body, pattern, fixed, introduced)
+  end
+
+  # Checks a theme's readme for a vulnerable version.
+  # @param name [String] the name of the theme.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced in.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_theme_version_from_readme(name, fixed = nil, introduced = nil)
+    _check_version_from_readme(:theme, name, fixed, introduced)
+  end
+
+  # Checks a plugin's readme for a vulnerable version.
+  # @param name [String] the name of the plugin.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced in.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_plugin_version_from_readme(name, fixed = nil, introduced = nil)
+    _check_version_from_readme(:plugin, name, fixed, introduced)
+  end
+
+  # Checks a plugin's changelog for a vulnerable version.
+  # @param plugin_name [String] the name of the plugin.
+  # @param file_name [String] the name of the file that contains the changelog.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced in.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_plugin_version_from_changelog(plugin_name, file_name, fixed = nil, introduced = nil)
+    changelog = normalize_uri(wordpress_url_plugins, plugin_name, file_name)
+    check_version_from_custom_file(changelog, /=\s([\d\.]+)\s=/, fixed, introduced)
+  end
+
+  # Checks a custom file for a vulnerable version.
+  # @param url [String] the relative path of the file.
+  # @param regex [Regexp] the regular expression to extract the version.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_version_from_custom_file(url, regex, fixed = nil, introduced = nil)
+    res = execute_get_request(url: url)
+    return :unknown unless res && res.code == 200
+    _extract_and_check_version(res.body, regex, fixed, introduced)
+  end
+
+  private
+
+  WORDPRESS_VERSION_PATTERN = '(\d+\.\d+(?:\.\d+)*)'
+
+  WORDPRESS_GENERATOR_VERSION_PATTERN = %r{<meta\sname="generator"\s
+    content="WordPress\s#{WORDPRESS_VERSION_PATTERN}"\s\/>}xi
+
+  WORDPRESS_README_VERSION_PATTERN = %r{<br\s\/>\sversion\s
+    #{WORDPRESS_VERSION_PATTERN}}xi
+
+  WORDPRESS_RSS_VERSION_PATTERN = %r{<generator>http:\/\/wordpress\.org\/\?v=
+    #{WORDPRESS_VERSION_PATTERN}<\/generator>}xi
+
+  WORDPRESS_RDF_VERSION_PATTERN = %r{<admin:generatorAgent\srdf:resource="http:
+    \/\/wordpress\.org\/\?v=#{WORDPRESS_VERSION_PATTERN}"\s\/>}xi
+
+  WORDPRESS_ATOM_VERSION_PATTERN = %r{<generator\suri="http:\/\/wordpress\.org
+    \/"\sversion="#{WORDPRESS_VERSION_PATTERN}">WordPress<\/generator>}xi
+
+  WORDPRESS_SITEMAP_VERSION_PATTERN = %r{generator="wordpress\/
+    #{WORDPRESS_VERSION_PATTERN}"}xi
+
+  WORDPRESS_OPML_VERSION_PATTERN = %r{generator="wordpress\/
+    #{WORDPRESS_VERSION_PATTERN}"}xi
+
+  def _wordpress_version_fingerprint_sources
+    {
+      full_uri => WORDPRESS_GENERATOR_VERSION_PATTERN,
+      wordpress_url_readme => WORDPRESS_README_VERSION_PATTERN,
+      wordpress_url_rss => WORDPRESS_RSS_VERSION_PATTERN,
+      wordpress_url_rdf => WORDPRESS_RDF_VERSION_PATTERN,
+      wordpress_url_atom => WORDPRESS_ATOM_VERSION_PATTERN,
+      wordpress_url_sitemap => WORDPRESS_SITEMAP_VERSION_PATTERN,
+      wordpress_url_opml => WORDPRESS_OPML_VERSION_PATTERN
+    }
+  end
+
+  def _wordpress_fingerprint_regexes
+    [
+      %r{["'][^"']*\/#{Regexp.escape(wp_content_dir)}\/[^"']*["']}i,
+      %r{<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/
+        wlwmanifest\.xml["'] \/>}i,
+      %r{<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'](?: \/)*>}i
+    ]
+  end
+
+  def _check_version_from_readme(type, name, fixed = nil, introduced = nil)
+    readme = _get_first_readme(name, type)
+    if readme.nil?
+      # No readme present for plugin
+      return :unknown if type == :plugin
+
+      # Try again using the style.css file, if it is a theme.
+      return check_theme_version_from_style(name, fixed, introduced) if type == :theme
+    end
+
+    # If all versions are vulnerable and we found a file, end the process here
+    # and return a vulnerable state, as some readmes will not have a version.
+    return :vulnerable if fixed.nil? && introduced.nil?
+
+    state = _extension_is_vulnerable(type, readme, fixed, introduced)
+    if state == :no_version_found
+      # If no version could be found in readme.txt for a theme, try style.css
+      return check_theme_version_from_style(name, fixed, introduced)
+    end
+
+    state
+  end
+
+  def _extension_is_vulnerable(type, readme, fixed, introduced)
+    pattern = _extension_version_pattern(:readme)
+    vuln = _extract_and_check_version(readme, pattern, fixed, introduced)
+    return :no_version_found if vuln == :unknown && type == :theme
+    vuln
+  end
+
+  def _get_first_readme(name, type)
+    res = nil
+    folder = _content_directory_name(type)
+    readmes = ['readme.txt', 'Readme.txt', 'README.txt']
+    readmes.each do |readme|
+      readme_url = normalize_uri(wordpress_url_wp_content, folder, name, readme)
+      res = execute_get_request(url: readme_url)
+      break if res && res.code == 200
+    end
+
+    return res.body if res && res.code == 200
+    nil
+  end
+
+  def _version_vulnerable?(version, fixed, introduced)
+    return :vulnerable if fixed.nil? && introduced.nil?
+
+    if fixed && !introduced
+      return :vulnerable if version < fixed
+    end
+
+    if !fixed && introduced
+      return :vulnerable if version >= introduced
+    end
+
+    if fixed && introduced
+      return :vulnerable if version >= introduced && version < fixed
+    end
+
+    :safe
+  end
+
+  def _content_directory_name(type)
+    case type
+    when :plugin
+      'plugins'
+    when :theme
+      'themes'
+    else
+      raise("Unknown readme type #{type}")
+    end
+  end
+
+  def _extract_highest_version(body, pattern)
+    version = nil
+
+    body.scan(pattern) do |match|
+      match_version = Gem::Version.new(match[0])
+      version = match_version if version.nil? || match_version > version
+    end
+
+    version
+  end
+
+  def _extract_and_check_version(body, pattern, fixed = nil, introduced = nil)
+    version = _extract_highest_version(body, pattern)
+    return :unknown if version.nil?
+
+    version = Gem::Version.new(version)
+    fixed = Gem::Version.new(fixed) unless fixed.nil?
+    introduced = Gem::Version.new(introduced) unless introduced.nil?
+
+    emit_info "Found version #{version}", true
+    _version_vulnerable?(version, fixed, introduced)
+  end
+
+  def _extension_version_pattern(type)
+    case type
+    when :readme
+      # Example line:
+      # Stable tag: 2.6.6
+      /(?:stable tag):\s*(?!trunk)([0-9a-z.-]+)/i
+    when :style
+      # Example line:
+      # Version: 1.5.2
+      /(?:Version):\s*([0-9a-z.-]+)/i
+    else
+      raise("Unknown file type #{type}")
+    end
+  end
+end