ExKit is a convenience library for proof of concept code developed by Wordfence. It includes common actions such as logging in as a user with a specific role, returning the path for an endpoint (e.g., admin-ajax.php), grabbing WP nonces, and so on., (*1)
Most proofs of concept will require some degree of customization for the host being targeted. Each PoC will automatically prompt as needed for these values, but for repeated testing it may be useful to create a configuration file to pass in to avoid extra typing., (*2)
The configuration file is a simple, one-level JSON file. All of the common fields are defined in the file config-sample.json
, but PoCs may define their own as needed. Using this file when executing a PoC is done with the --config
command line option. The syntax is proofofconcept.php --config=/path/to/config.json
., (*3)
This is just a broad overview of the available functions. For any additional details, consult the source code for the documentation and syntax., (*4)
The Cli
class defines a number of convenience functions for getting and sending information via the console., (*5)
Returns a pre-parsed associative array of all options provided when the script was invoked., (*6)
Writes to the console, optionally with coloring., (*7)
Prompts the user for a value, optionally providing a default., (*8)
The Config
class provides a unified interface for getting and storing environment-dependent values. This includes things like user credentials, host URLs, and so on., (*9)
Merges the given file with the stored value array., (*10)
Returns the value for the desired key, optionally prompting for it or returning a default value., (*11)
Stores the value for the given key., (*12)
The Endpoint
class provides a unified interface for getting the URLs for the common endpoints for PoCs. It causes a prompt for these values if they have not been provided., (*13)
The base URL to the site., (*14)
The login URL for the site. This defaults to the baseURL
+ /wp-login.php
if not yet known., (*15)
The admin URL for the site. This defaults to the baseURL
+ /wp-admin/admin.php
if not yet known., (*16)
The admin AJAX URL for the site. This defaults to the baseURL
+ /wp-admin/admin-ajax.php
if not yet known., (*17)
The admin post URL for the site. This defaults to the baseURL
+ /wp-admin/admin-post.php
if not yet known., (*18)
The uploads URL for the site. This defaults to the baseURL
+ /wp-content/uploads
if not yet known., (*19)
Checks the config for the given URL and prompts the user for it if needed., (*20)
Defines several exit codes to ensure PoCs use a common set of values., (*21)
Use if displaying some information only and not running the exploit (e.g., displaying the help message)., (*22)
Use if the exploit fails., (*23)
Use if the exploit succeeds., (*24)
Use if some precondition for running the exploit fails (e.g., invalid login credentials)., (*25)
Use if a test for a valid request fails., (*26)
Provides convenience functions to interface with a page., (*27)
Loads the given page and applies the regex to the response, returning any matches., (*28)
Provides login capabilities. This may be for a specific user or for a user with the desired role., (*29)
Logs in as a user with the desired role (calls logInAsUser
). If no user is found in the configuration cache, it will prompt for the user's credentials., (*30)
Logs in as the user with the given credentials. If logging in fails, it will write out an error and exit with the code EXIT_CODE_FAILED_PRECONDITION
., (*31)
Convience class for finding nonces., (*32)
Loads the given page and searches it for a nonce. Currently this is just done by applying a regex, but future versions may use a smarter approach., (*33)