3.92 stored XSS: add administrator & getshell scripts

Posted by graebner at 2020-04-05
2014-11-27 19:08:21 Source: 360 safety broadcast

Yesterday, the broadcast platform published the WordPress XSS vulnerability. A detailed analysis follows:

The flaw lies in the wptexturize() function in wp-includes/formatting.php.

When we leave a comment in WordPress, the comment is first split into multiple segments for processing, and this function performs that split.

The regular expression /(<.*>|\[.*\])/Us matches everything inside [] and <>, but in lazy mode: each left bracket is matched only up to the right bracket closest to it. After this match, the comment is divided into several segments. The following picture:

WordPress does not escape the content inside square brackets, so if we add angle brackets inside square brackets and insert a malicious script there, XSS results.
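The split described above, as an added example that is not from the original article or from WordPress: a Python re-creation of the pattern (`.*?` with `re.S` stands in for PCRE's `U` and `s` flags), run over constructed, harmless comments. The first-character classification and the `mixed_delimiter_segments` review check are assumptions made for illustration.

```python
import re

# Python equivalent of the pattern /(<.*>|\[.*\])/Us discussed above:
# PCRE's U flag makes .* lazy (.*? here); s lets . match newlines (re.S).
SPLIT_RE = re.compile(r'(<.*?>|\[.*?\])', re.S)


def split_segments(comment):
    """Split a comment into segments, keeping the matched delimiters.
    Empty strings produced by adjacent matches are dropped for readability."""
    return [seg for seg in SPLIT_RE.split(comment) if seg != '']


def classify(segment):
    """Label a segment by its first character (simplified model, an assumption)."""
    if segment.startswith('<'):
        return 'tag'
    if segment.startswith('['):
        return 'bracket'
    return 'text'


def mixed_delimiter_segments(comment):
    """Return bracket segments that contain angle brackets and tag segments
    that contain square brackets: input a filter should reject or review."""
    flagged = []
    for seg in split_segments(comment):
        kind = classify(seg)
        inner = seg[1:-1]
        if kind == 'bracket' and ('<' in inner or '>' in inner):
            flagged.append(seg)
        elif kind == 'tag' and ('[' in inner or ']' in inner):
            flagged.append(seg)
    return flagged


# Constructed, harmless sample comments (not taken from the article).
SAMPLES = [
    'plain [gallery] and <b>bold</b> text',
    'note [see <b>this</b> part] here',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        for seg in split_segments(sample):
            print(f'{classify(seg):8} {seg!r}')
        print('flagged:', mixed_delimiter_segments(sample), '\n')
```

In the second sample the whole bracketed run, markup included, comes back as a single bracket segment, which is the case the paragraph above describes.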

POC:

JS script that adds an administrator (by 0x):

An administrator will be added

Account: 0x Jin

Password: fuckxssq

Script for getshell (by 0x):

But getshell

With this, the detailed analysis and exploitation of a stored XSS caused by lax filtering, something rarely seen in WordPress, has been laid out in full. Discussion and further exploration are welcome.

This article was originally published by security guest. If you reprint it, please indicate the source and address of this article. Address: http://bobao.360.cn/learning/detail/112.html