UPDATE: WordPress Exploit Framework v1.8!

2017-12-15T03:30:30
ID PENTESTIT:0199ED181AABAE251E2674DA59D61F43
Type pentestit
Reporter Black
Modified 2017-12-15T03:30:30

Description

Good news guys! We now have the WordPress Exploit Framework v1.8 amongst us! This new version fixes API compatibility with a shell upload module, updates multiple dependencies, introduces multiple API changes and adds multiple new modules and payloads!

What is WPXF or WordPress Exploit Framework?

> WordPress Exploit Framework is a Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.

WordPress Exploit Framework v1.8 Changelog:

Bug Fixes:

  • Fix API compatibility in Estatik 2.2.5 shell upload

Dependencies:

  • Upgrade required Ruby version to 2.4.2
  • Upgrade Nokogiri to 1.8.1
  • Upgrade rubyzip to 1.2.1
  • Upgrade Slop to 4.5.0
  • Upgrade Typhoeus to 1.3.0
  • Upgrade RSpec to 3.7

API Changes:

  • Add new mixin to provide comment posting functionality
  • Add new mixin for creating hash dump auxiliary modules
  • Add support for multiple potential upload locations in the ShellUpload mixin

New Modules:

  • Add Responsive Image Gallery <= 1.2.0 hash dump
  • Add SQL Shortcode <= 1.1 hash dump
  • Add JTRT Responsive Tables <= 4.1 hash dump
  • Add Simple Events Calendar <= 1.3.5 hash dump
  • Add Pootle Button < 1.2 reflected XSS shell upload
  • Add Embed Images in Comments <= 0.5 stored XSS shell upload
  • Add Qards local port scan
  • Add WP Support Plus Responsive Ticket System < 8.0.8 shell upload
  • Add Events <= 2.3.4 hash dump

Versions older than WordPress Exploit Framework v1.8, which I missed posting about, most importantly include a new method for executing tasks before storing a script using the StoredXSS mixin, among other module additions, such as the famous WP Statistics cross-site scripting vulnerabilities and the Arabic font cross-site request forgery/cross-site scripting shell upload. This open source framework is fast becoming one of my favourite tools for performing tests against WordPress installations.

Download WordPress Exploit Framework v1.8:

You can follow the installation instructions mentioned in my first post that can be found here and upgrade to this latest WPXF version. If you are unable to do so, simply download wordpress-exploit-framework-1.8.zip or wordpress-exploit-framework-1.8.tar.gz from its official download directory here.

The post UPDATE: WordPress Exploit Framework v1.8! appeared first on PenTestIT.