@rastating rastating released this Oct 6, 2018

Changes

  • Add bypass for admin shell uploads when write permissions are not present on the plugins directory
  • Update dependencies

@rastating rastating released this Aug 4, 2018 · 11 commits to master since this release

WordPress Exploit Framework 2.0 is here! 🎉

This version is NOT compatible with 1.x. To upgrade to 2.0, remove your previous installation and install the gem by running gem install wpxf.

New Features

  • Loot is now stored into a .wpxf directory inside your home directory
  • A data store (by default sqlite3) is now used to store information gathered by modules
  • Harvested credentials can be viewed using the creds command
  • Gathered loot can be viewed using the loot command
  • Support for workspaces is now available and can be utilised using the workspace command
  • Numerous improvements to the API have been introduced
  • Custom modules can now be added to the .wpxf directory

Using Custom Modules

If you have a custom module you wish to use, you can now place it within the ~/.wpxf/modules/ directory and then load it in the CLI using the normal use {exploit_path} syntax.

@rastating rastating released this Apr 14, 2018 · 144 commits to master since this release

Bug Fixes

  • Fix HTTP server not shutting down properly after unexpected errors
  • Fix indentation issue when an error is thrown whilst yielding in an indent block
  • Increase password complexity used by XSS stager to prevent failures in non-default setups

Dependencies

  • Upgrade Ruby to 2.5.1

General Changes

  • Add setg and unsetg commands to the CLI
  • Improve test coverage
  • Add some missing documentation

New Modules

  • Add AccessPress Anonymous Post Pro < 3.2.0 shell upload
  • Add Affiliate Ads for Clickbank Products <= 1.5 reflected XSS shell upload
  • Add Caldera Forms <= 1.5.4 reflected XSS shell upload
  • Add CSV Import-Export <= 1.1 reflected XSS shell upload
  • Add Custom Map <= 1.1 reflected XSS shell upload
  • Add Custom Permalinks <= 1.1 reflected XSS shell upload
  • Add Duplicator <= 1.2.32 reflected XSS shell upload
  • Add Emag Marketplace Connector 1.0 reflected XSS shell upload
  • Add Email Subscribers & Newsletters <= 3.4.7 user list disclosure
  • Add File Manager <= 5.0.0 database credentials disclosure
  • Add flickrRSS <= 5.3.1 reflected XSS shell upload
  • Add GD Rating System <= 2.3 reflected XSS shell upload
  • Add ImageInject <= 1.15 CSRF stored XSS shell upload
  • Add Instagram Feed <= 1.5.1 reflected XSS shell upload
  • Add iThemes Security <= 6.9.0 stored XSS shell upload
  • Add Photo Gallery by WD <= 1.3.66 reflected XSS shell upload
  • Add Pinterest Feed <= 1.1.1 reflected XSS shell upload
  • Add PopCash.Net Code Integration Tool <= 1.0 reflected XSS shell upload
  • Add PropertyHive <= 1.4.14 reflected XSS shell upload
  • Add Site Editor <= 1.1.1 file download
  • Add Smart Google Code Inserter <= 3.4 stored XSS shell upload
  • Add Smart Marketing SMS and Newsletters Forms <= 1.1.1 reflected XSS shell upload
  • Add Social Media Widget <= 3.2.5 CSRF stored XSS shell upload
  • Add srbtranslatin 1.46 CSRF stored XSS shell upload
  • Add Super Socializer <= 7.10.6 authentication bypass
  • Add Super Socializer <= 7.10.6 unauthenticated shell upload
  • Add User Login History <= 1.5 reflected XSS shell upload
  • Add WordPress <= 4.9.2 - Application Denial of Service auxiliary module
  • Add WordPress Concours <= 1.1 reflected XSS shell upload
  • Add WP Background Takeover <= 4.1.4 file download
  • Add WP Retina 2x <= 5.2.0 reflected XSS shell upload
  • Add Yoast SEO < 5.8.0 reflected XSS shell upload
  • Add Z-URL Preview <= 1.6.2 reflected XSS shell upload

@rastating rastating released this Mar 31, 2018 · 196 commits to master since this release

Bug Fixes

  • Using the custom payload now verifies the file exists before executing

Dependencies

  • Upgrade nokogiri to 1.8.2
  • Upgrade require_all to 2.0
  • Upgrade Ruby to 2.4.3
  • Upgrade slop to 4.6.2

API Changes

  • Add new method to the text utility mixin to hexify strings

General Changes

  • msfvenom is no longer required to use the Meterpreter payloads
  • Modules are now placed in categorised folders for better organisation

New Modules

  • Add Participants Database <= 1.5.4.8 shell upload
  • Add Participants Database <= 1.7.5.9 stored XSS shell upload
  • Add Splashing Images <= 2.1 reflected XSS shell upload

@rastating rastating released this Mar 31, 2018 · 197 commits to master since this release

Bug Fixes

  • Using the custom payload now verifies the file exists before executing

Dependencies

  • Upgrade require_all to 2.0
  • Upgrade Ruby to 2.4.3

API Changes

  • Add new method to the text utility mixin to hexify strings

General Changes

  • msfvenom is no longer required to use the Meterpreter payloads
  • Modules are now placed in categorised folders for better organisation

New Modules

  • Add Participants Database <= 1.5.4.8 shell upload
  • Add Participants Database <= 1.7.5.9 stored XSS shell upload
  • Add Splashing Images <= 2.1 reflected XSS shell upload

@rastating rastating released this Jan 13, 2018 · 218 commits to master since this release

API Changes

  • Add ability to specify default field values in hash dump union statement

New Modules

  • Add 2kb Amazon Affiliates Store <= 2.1.0 reflected XSS shell upload
  • Add BackupGuard <= 1.1.46 reflected XSS shell upload
  • Add Content Audit <= 1.9.1 CSRF stored XSS shell upload
  • Add RegistrationMagic - Custom Registration Forms <= 3.7.9.2 hash dump
  • Add RegistrationMagic - Custom Registration Forms <= 3.7.9.2 reflected XSS shell upload
  • Add UserPro <= 4.9.17 shell upload
  • Add WP Mailster <= 1.5.4 reflected XSS shell upload

@rastating rastating released this Nov 19, 2017 · 237 commits to master since this release

Bug Fixes

  • Fix API compatibility in Estatik 2.2.5 shell upload

Dependencies

  • Upgrade required Ruby version to 2.4.2
  • Upgrade Nokogiri to 1.8.1
  • Upgrade rubyzip to 1.2.1
  • Upgrade Slop to 4.5.0
  • Upgrade Typhoeus to 1.3.0
  • Upgrade RSpec to 3.7

API Changes

  • Add new mixin to provide comment posting functionality
  • Add new mixin for creating hash dump auxiliary modules
  • Add support for multiple potential upload locations in the ShellUpload mixin

New Modules

  • Add Responsive Image Gallery <= 1.2.0 hash dump
  • Add SQL Shortcode <= 1.1 hash dump
  • Add JTRT Responsive Tables <= 4.1 hash dump
  • Add Simple Events Calendar <= 1.3.5 hash dump
  • Add Pootle Button < 1.2 reflected XSS shell upload
  • Add Embed Images in Comments <= 0.5 stored XSS shell upload
  • Add Qards local port scan
  • Add WP Support Plus Responsive Ticket System < 8.0.8 shell upload
  • Add Events <= 2.3.4 hash dump

@rastating rastating released this Aug 18, 2017 · 272 commits to master since this release

Bug Fixes

  • Fix cookie parsing error when parsing authentication responses

API Changes

  • Add new method for executing tasks before storing a script using the StoredXss mixin

New Modules

  • Add All-in-One WP Migration <= 6.45 reflected XSS shell upload
  • Add Arabic Font CSRF XSS shell upload
  • Add Popup Maker <= 1.6.4 reflected XSS shell upload
  • Add Responsive Lightbox <= 1.7.1 reflected XSS shell upload
  • Add Ultimate Product Catalogue <= 4.2.2 hash dump
  • Add WP Hide & Security Enhancer <= 1.3.9.2 file download
  • Add WP Live Chat Support <= 7.1.04 stored XSS shell upload
  • Add WP Statistics <= 12.0.8.1 reflected XSS shell upload
  • Add WP Statistics <= 12.0.9 reflected XSS shell upload
  • Add WP-Members <= 3.1.7 reflected XSS shell upload
  • Add WordPress Download Manager <= 2.9.51 reflected XSS shell upload

@rastating rastating released this Jun 17, 2017 · 289 commits to master since this release

Bug Fixes

  • Add better handling when trying to bind to an occupied port when using the reverse_tcp payload
  • Fix major bug preventing the --update switch updating hidden files

Dependencies

  • Upgrade Nokogiri to ~>1.8
  • Upgrade supported Ruby version to >= 2.4.1

API Changes

  • Add new method for generating random month names in Utility::Text
  • Add method in HttpClient for normalising relative paths to absolute URLs

New Payloads

  • Add meterpreter_bind_tcp payload (requires msfvenom)
  • Add meterpreter_reverse_tcp payload (requires msfvenom)

New Modules

  • Add AffiliateWP <= 2.0.9 reflected XSS shell upload
  • Add All In One Schema.org Rich Snippets <= 1.4.4 reflected XSS shell upload
  • Add Max Buttons <= 6.18 reflected XSS shell upload
  • Add Newsletter by Supsystic CSRF stored XSS shell upload
  • Add Simple Slideshow Manager <= 2.3 reflected XSS shell upload
  • Add Spiffy Calendar <= 3.2.0 reflected XSS shell upload
  • Add Tribulant Newsletters <= 4.6.4.2 reflected XSS shell upload
  • Add WP Live Chat Support <= 7.0.06 reflected XSS shell upload
  • Add WP No External Links <= 3.5.18 reflected XSS shell upload

@rastating rastating released this Jun 17, 2017 · 291 commits to master since this release

Bug Fixes

  • Add better handling when trying to bind to an occupied port when using the reverse_tcp payload

Dependencies

  • Upgrade Nokogiri to ~>1.8
  • Upgrade supported Ruby version to >= 2.4.1

API Changes

  • Add new method for generating random month names in Utility::Text
  • Add method in HttpClient for normalising relative paths to absolute URLs

New Payloads

  • Add meterpreter_bind_tcp payload (requires msfvenom)
  • Add meterpreter_reverse_tcp payload (requires msfvenom)

New Modules

  • Add AffiliateWP <= 2.0.9 reflected XSS shell upload
  • Add All In One Schema.org Rich Snippets <= 1.4.4 reflected XSS shell upload
  • Add Max Buttons <= 6.18 reflected XSS shell upload
  • Add Newsletter by Supsystic CSRF stored XSS shell upload
  • Add Simple Slideshow Manager <= 2.3 reflected XSS shell upload
  • Add Spiffy Calendar <= 3.2.0 reflected XSS shell upload
  • Add Tribulant Newsletters <= 4.6.4.2 reflected XSS shell upload
  • Add WP Live Chat Support <= 7.0.06 reflected XSS shell upload
  • Add WP No External Links <= 3.5.18 reflected XSS shell upload