Ruby Framework for penetration testing WordPress websites and systems: WordPress Exploit Framework

Ruby Framework for penetration testing WordPress websites and systems: WordPress Exploit Framework

This Ruby framework contains some modules that can penetration test WordPress websites and systems. Users can also develop their own modules to expand their functions.
What are the conditions for running it?
Make sure Ruby 2.2.x is installed on the system. Open a command line window, switch the current directory to the WPXF folder, and run the command "bundle install". If no bundler is installed on your system, run the "gem install bundler" command to install the SDK.
How to use it?
Open a command line window, switch to the current directory, and download and save the WordPress Exploit Framework path. Run the "ruby wpxf. rb" command to start it.
Once the wpxf is loaded, A wpxf prompt will appear. You can use the "search" command to search for the module and use the "use" command to load the module.
After the module is loaded into the program running environment, you can use the "set" command to set the option parameters, and use the "info" command to view information about the module.
The following is an example. Load the "symposium_shell_upload" vulnerability exploitation module, set the module and load parameters, and finally execute this vulnerability to exploit the module to attack the target.
Wpxf> use exploit/symposium_shell_upload
[+] Loaded module :#
Wpxf [exploit/symposium_shell_upload]> set host wp-sandbox
[+] Set host => wp-sandbox
Wpxf [exploit/symposium_shell_upload]> set target_uri/wordpress/
[+] Set target_uri =>/wordpress/
Wpxf [exploit/symposium_shell_upload]> set payload exec
[+] Loaded payload :#
Wpxf [exploit/symposium_shell_upload]> set cmd echo "Hello, world! "
[+] Set cmd => echo "Hello, world! "
Wpxf [exploit/symposium_shell_upload]> run
[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully
You can obtain a list of all commands on github.
What are the differences between the auxiliary module and the vulnerability exploitation module?
The auxiliary module does not allow you to run attack loads on the target machine. However, it can parse the target information, improve permissions, or provide denial-of-service functions.
The vulnerability exploitation module requires you to specify an attack load, which will be executed on the target machine. You can execute any code on the target machine to extract information, create a remote shell or other things you want to do on the Web server.
What are the available loads?
Bind_php: Upload a script to listen on a specific port and allow WPXF to establish a remote shell;
Custom: Upload and execute a customized PHP script;
Download_exec: download and run a remote executable file;
Exec: run a shell command on the remote server and return the result to the WPXF session;
Reverse_tcp: Upload a script that can establish anti-TCP shell;
Except for "custom", all these loads will be deleted after execution to avoid being left on the target machine after use or failure to establish a shell connection.
How to write your own modules and loads?
You can find the compiling module and Loading Method on Github. All the API documents are in Getwpxf.
You can download Wordpress-Exploit-Framework from github.