Merged development into master

Author: rastating

.rubocop.yml

@@ -48,3 +48,7 @@ Lint/UnusedMethodArgument:
   Description: 'A number of classes will contain unused parameters for documentation purposes.'
   Exclude:
     - 'lib/wpxf/**/*'
+
+Style/ClassVars:
+  Enabled: false
+  Description: 'There are genuine use cases for using class vars.'

.yardopts

@@ -1,4 +1,6 @@
 --exclude lib/wpxf/net/typhoeus_helper.rb
 --exclude lib/wpxf/net/http_options.rb
 --exclude payloads/socket_helper.rb
+--exclude lib/wpxf/core.rb
+
 lib/wpxf/**/*.rb

data/json/commands.json

@@ -0,0 +1,72 @@
+{
+  "data": [
+    {
+      "cmd": "back",
+      "desc": "Change the context of the session back to it was before loading the current module."
+    },
+    {
+      "cmd": "check",
+      "desc": "Check if the currently loaded module can be used against the specified target."
+    },
+    {
+      "cmd": "clear",
+      "desc": "Clear the screen."
+    },
+    {
+      "cmd": "gset [option] [value]",
+      "desc": "Set the [value] of [option] globally, so it is used by the current and future modules."
+    },
+    {
+      "cmd": "gunset [option]",
+      "desc": "Unset a global [option] set with the gset command."
+    },
+    {
+      "cmd": "help",
+      "desc": "Shows this information."
+    },
+    {
+      "cmd": "info",
+      "desc": "Display information about the currently loaded module."
+    },
+    {
+      "cmd": "quit",
+      "desc": "Exit the WordPress Exploit Framework prompt."
+    },
+    {
+      "cmd": "run",
+      "desc": "Run the currently loaded module."
+    },
+    {
+      "cmd": "set [option] [value]",
+      "desc": "Set the [value] of [option] for the currently loaded module."
+    },
+    {
+      "cmd": "search [keywords]",
+      "desc": "Search for modules that contain one or more of the specified [keywords]"
+    },
+    {
+      "cmd": "show advanced",
+      "desc": "Show the advanced options of the currently loaded module."
+    },
+    {
+      "cmd": "show auxiliary",
+      "desc": "Show the list of available auxiliary modules."
+    },
+    {
+      "cmd": "show exploits",
+      "desc": "Show the list of available exploits."
+    },
+    {
+      "cmd": "show options",
+      "desc": "Show the basic options of the currently loaded module."
+    },
+    {
+      "cmd": "unset [option]",
+      "desc": "Unset an [option] set with the set command."
+    },
+    {
+      "cmd": "use [module_path]",
+      "desc": "Loads the specified module into the current context."
+    }
+  ]
+}

env.rb

@@ -1,3 +1,11 @@
+require 'colorize'
+require 'date'
+require 'json'
+require 'require_all'
+require 'time'
+require 'typhoeus'
+require 'zip'
+
 wpxfbase = __FILE__
 
 while File.symlink?(wpxfbase)
@@ -9,45 +17,11 @@
 $LOAD_PATH.unshift(File.join(app_path, 'lib'))
 $LOAD_PATH.unshift(File.join(app_path, 'modules'))
 
-require 'colorize'
-require 'date'
-require 'json'
-require 'require_all'
-require 'time'
-require 'typhoeus'
-require 'zip'
-
 require 'wpxf/core'
 require 'wpxf/utility/body_builder'
 require 'wpxf/utility/text'
 require 'wpxf/utility/reference_inflater'
-
 require_relative 'github_updater'
 
-module Wpxf
-  def self.data_directory=(val)
-    @@data_directory = val
-  end
-
-  def self.data_directory
-    @@data_directory
-  end
-
-  def self.app_path=(val)
-    @@app_path = val
-  end
-
-  def self.app_path
-    @@app_path
-  end
-
-  def self.change_stdout_sync(enabled)
-    original_setting = STDOUT.sync
-    STDOUT.sync = true
-    yield(enabled)
-    STDOUT.sync = original_setting
-  end
-end
-
 Wpxf.app_path = app_path
 Wpxf.data_directory = File.join(app_path, 'data/')

lib/cli/auto_complete.rb

@@ -41,7 +41,12 @@ def build_cmd_list
       permitted_commands.each { |c| cmds[c] = {} }
       Wpxf::Auxiliary.module_list.each { |m| cmds['use'][m] = {} }
       Wpxf::Exploit.module_list.each { |m| cmds['use'][m] = {} }
-      cmds['show'] = { 'options' => {}, 'advanced' => {} }
+      cmds['show'] = {
+        'options' => {},
+        'advanced' => {},
+        'exploits' => {},
+        'auxiliary' => {}
+      }
       cmds
     end
 

lib/cli/console.rb

@@ -26,7 +26,7 @@ def commands_without_output
 
     def permitted_commands
       %w(use back set show quit run unset check info gset gunset search clear
-         reload)
+         reload help)
     end
 
     def initialize
@@ -90,15 +90,15 @@ def correct_number_of_args?(command, args)
     end
 
     def on_event_emitted(event)
-      if !event[:verbose] || context.verbose?
-        if event[:type] == :table
-          indent_cursor(2) do
-            print_table event[:rows], true
-          end
-        else
-          handlers = { error: 'print_bad', success: 'print_good', info: 'print_info', warning: 'print_warning' }
-          send(handlers[event[:type]], event[:msg])
+      return unless !event[:verbose] || context.verbose?
+
+      if event[:type] == :table
+        indent_cursor(2) do
+          print_table event[:rows], true
         end
+      else
+        handlers = { error: 'print_bad', success: 'print_good', info: 'print_info', warning: 'print_warning' }
+        send(handlers[event[:type]], event[:msg])
       end
     end
 

lib/cli/help.rb

@@ -52,11 +52,37 @@ def show_advanced_options
       end
     end
 
+    def help
+      commands_file = Wpxf::DataFile.new('json', 'commands.json')
+      data = JSON.parse(commands_file.content)['data']
+      data.unshift('cmd' => 'Command', 'desc' => 'Description')
+      indent_cursor 2 do
+        print_table data
+      end
+    end
+
+    def show_exploits
+      results = search_modules(['exploit/'])
+      print_good "#{results.length} Exploits"
+      print_module_table results
+    end
+
+    def show_auxiliary
+      results = search_modules(['auxiliary/'])
+      print_good "#{results.length} Auxiliary Modules"
+      print_module_table results
+    end
+
     def show(target)
-      if target.eql?('options')
-        show_options
-      elsif target.eql?('advanced')
-        show_advanced_options
+      handlers = {
+        'options' => 'show_options',
+        'advanced' => 'show_advanced_options',
+        'exploits' => 'show_exploits',
+        'auxiliary' => 'show_auxiliary'
+      }
+
+      if handlers[target]
+        send(handlers[target])
       else
         print_bad("\"#{target}\" is not a valid argument")
       end

lib/cli/module_info.rb

@@ -24,12 +24,11 @@ def print_module_summary
     end
 
     def print_references
-      if context.module.module_references
-        print_std('References:')
-        indent_cursor do
-          context.module.module_references.each do |ref|
-            print_std Wpxf::Utility::ReferenceInflater.new(ref[0]).inflate(ref[1])
-          end
+      return unless context.module.module_references
+      print_std('References:')
+      indent_cursor do
+        context.module.module_references.each do |ref|
+          print_std Wpxf::Utility::ReferenceInflater.new(ref[0]).inflate(ref[1])
         end
       end
     end

lib/cli/modules.rb

@@ -54,17 +54,21 @@ def search_modules(args)
       results
     end
 
+    def print_module_table(modules)
+      modules = modules.sort_by { |k| k[:path] }
+      modules.unshift(path: 'Module', title: 'Title')
+      puts
+      indent_cursor 2 do
+        print_table(modules)
+      end
+    end
+
     def search(*args)
       results = search_modules(args)
 
       if !results.empty?
         print_good "#{results.length} Results for \"#{args.join(' ')}\""
-        results = results.sort_by { |k| k[:path] }
-        results.unshift(path: 'Module', title: 'Title')
-        puts
-        indent_cursor 2 do
-          print_table(results)
-        end
+        print_module_table results
       else
         print_bad "No results for \"#{args.join(' ')}\""
       end

lib/wpxf/core.rb

@@ -1,4 +1,44 @@
-require 'wpxf/namespaces'
+# The root namespace.
+module Wpxf
+  # The namespace for WordPress mixins and classes.
+  module WordPress
+  end
+
+  # The namespace for network related mixins and classes.
+  module Net
+  end
+
+  # The namespace for version generation mixins and classes.
+  module Versioning
+  end
+
+  # The namespace for utility classes and modules.
+  module Utility
+  end
+
+  def self.data_directory=(val)
+    @@data_directory = val
+  end
+
+  def self.data_directory
+    @@data_directory
+  end
+
+  def self.app_path=(val)
+    @@app_path = val
+  end
+
+  def self.app_path
+    @@app_path
+  end
+
+  def self.change_stdout_sync(enabled)
+    original_setting = STDOUT.sync
+    STDOUT.sync = true
+    yield(enabled)
+    STDOUT.sync = original_setting
+  end
+end
 
 require 'wpxf/core/data_file'
 require 'wpxf/core/options'

lib/wpxf/core/payload.rb

@@ -36,7 +36,7 @@ def escape_single_quotes(val)
     end
 
     # Generate a random variable name.
-    # @return [String] a random name beetween 1 and 9 alpha characters.
+    # @return [String] a random name beetween 5 and 20 alpha characters.
     def random_var_name
       Utility::Text.rand_alpha(rand(5..20))
     end

lib/wpxf/namespaces.rb

@@ -2,8 +2,6 @@ module Wpxf
   module Net
     # Provides access to various HTTP based options.
     module HttpOptions
-      private
-
       HTTP_OPTION_HOST = StringOption.new(
         name: 'host',
         desc: 'Address of the target host.',

lib/wpxf/net/http_options.rb

@@ -41,7 +41,11 @@ def http_server_bind_port
   # @param path [String] the path requested.
   # @param params [Hash] the query string parameters.
   # @param headers [Hash] the HTTP headers.
-  # @return [String] the response body to send to the client.
+  # @return [String, Hash] if a string is returned, it will be used as the response body
+  #  to send to the client. If a {Hash} is returned, it should contain the keys:
+  #  * +:body+ - the body text of the response.
+  #  * +:type+ - the MIME type of the response.
+  #  * +:headers+ - a {Hash} of header keys and values.
   def on_http_request(path, params, headers)
   end