WordPress Fixes and Improvements #1786

Merged: 5 commits, Dec 3, 2019

erwanlr (Contributor) commented Oct 26, 2019

  • Fixes Wordpress_add_admin module not working properly #1782, and improves the module
  • Improves the existing misc/wordpress_post_auth_rce module
  • Adds a misc/wordpress_current_user_info module
  • Wordpress modules give more info when they fail (such as username already used when adding a user, error when uploading the plugin and so on), and have the proper 'Success' / 'Error' status

Questions:

  • How do I create a Wordpress category in the module folder? Creating a module/wordpress folder is not enough by the looks of it
  • Do I delete the previous modules (modules/exploits/wordpress_add_admin and modules/misc/wordpress_post_auth_rce)?

bcoles (Collaborator) commented Oct 26, 2019

> How do I create a Wordpress category in the module folder? Creating a module/wordpress folder is not enough by the looks of it

The config.yaml associated with the module also needs to contain the category key. The category value can be a String, such as Wordpress, or an Array, such as ["Exploits", "WordPress"], which will place the command modules under Exploits -> WordPress in the command module tree.

Although not mandatory, it is best practice to match the directory structure with the category. For example, a module in modules/asdf/zxcv should use category: ["asdf", "zxcv"]. The category key takes preference for sorting the module in the command module tree.
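
A check for the convention described in the comment above, as an added example that is not part of the thread or of BeEF's own code: it compares the category key in a config.yaml with the directories above the module folder. The path layout, the case and underscore normalisation, and all function names are assumptions.

```ruby
require 'yaml'

# Constructed sample, shortened from the config.yaml quoted in this thread.
SAMPLE_CONFIG = <<~CONFIG
  beef:
      module:
          hook_latest_post:
              enable: true
              category: Wordpress
              name: WordPress Hook Latest Post
CONFIG

# Normalise a category label or directory name for comparison
# (assumption: case and space/underscore differences are ignored).
def normalise(label)
  label.to_s.strip.downcase.tr(' ', '_')
end

# Category implied by the location of config.yaml: every directory between
# modules/ and the module's own folder (assumed layout).
def directory_category(config_path)
  parts = config_path.split('/').reject(&:empty?)
  start = parts.index('modules')
  raise ArgumentError, "not under modules/: #{config_path}" if start.nil?
  parts[(start + 1)...-2] || []
end

# Returns { module_name => { declared: [...], directory: [...] } } for every
# module whose category key is missing or disagrees with its directory.
def category_mismatches(config_path, yaml_text)
  modules = YAML.safe_load(yaml_text).dig('beef', 'module') || {}
  dir_cat = directory_category(config_path).map { |d| normalise(d) }
  modules.each_with_object({}) do |(name, settings), out|
    declared = Array((settings || {})['category']) # String or Array both accepted
    next if !declared.empty? && declared.map { |c| normalise(c) } == dir_cat
    out[name] = { declared: declared, directory: dir_cat }
  end
end
```

An empty result means every module in the file declares a category that matches its directory; it says nothing about how the command module tree is rendered.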

bcoles added the Module label Oct 26, 2019

erwanlr (Contributor, Author) commented Oct 26, 2019

I already tried that but it is not working.

For example, I created a module/wordpress/hook_latest_post folder, then the config.yaml was the below:

beef:
    module:
        hook_latest_post:
            enable: true
            category: Wordpress
            name: WordPress Hook Latest Post
            description: |
              Adds a hook in the latest published post. The module should be executed via an admin hooked browser,
              which are allowed to put JavaScript in a content post for example (unless the DISALLOW_UNFILTERED_HTML is set to true)
            authors: ['Erwan LR']
            target:
                working: ['ALL']

However, the Wordpress category appears under the Social Engineering one and the module is not listed:

[Screenshot 2019-10-26 at 14 49 42]

erwanlr (Contributor, Author) commented Nov 22, 2019

Any updates on this?

PS: Travis seems to be failing for something unrelated to the work done here

bcoles (Collaborator) commented Nov 22, 2019

@jcrew99

jcrew99 (Collaborator) commented Dec 3, 2019

I just re-ran the build and it had the same error,
"
Failures:

  1. BeEF API Rate Limit adheres to auth rate limits
    Failure/Error: expect(test_api.auth()[:payload]).to eql("401 Unauthorized") # all (unless the valid is
    first 1 in 10 chance)

    expected: "401 Unauthorized"
    got: {"success"=>true, "token"=>""}

    (compared using eql?)

    Diff:
    @@ -1,2 +1,3 @@
    -"401 Unauthorized"
    +"success" => true,
    +"token" => "",
    "
This shouldn't be caused by the changes you made. I plan on confirming this via other tests and seeing if I can replicate it in master (at which point I'll see about making an issue for it), although the comment with the 1 in 10 chance seems to imply it's possible for this to be expected. In any case, once I confirm what the issue is I will merge this.

@erwanlr do you still need help getting the module to show in the wordpress folder?

jcrew99 (Collaborator) commented Dec 3, 2019

@erwanlr I have found that the error is completely unrelated, and have been able to replicate it just in master. I am going to make a ticket for it and merge the pull request. If there are no other issues or comments for this, i.e. as above with getting the module to show in the wordpress folder, I will close this and the original ticket.

jcrew99 merged commit 750c41c into beefproject:master Dec 3, 2019

jcrew99 (Collaborator) commented Dec 3, 2019

@erwanlr What else is there to do moving forward with this? What assistance might I be able to provide or help with?

erwanlr (Contributor, Author) commented Dec 3, 2019

> @erwanlr do you still need help getting the module to show in the wordpress folder?

Yes, I tried what bcoles suggested but it was not working, as mentioned in #1786 (comment)

We also need to decide what to do with the previous modules (modules/exploits/wordpress_add_admin and modules/misc/wordpress_post_auth_rce), which are now obsolete

Successfully merging this pull request may close these issues.

Wordpress_add_admin module not working properly