Wordpress 3-8-1-stored-xss
#####################################################################
#
# Wordpress <= 3.8.1 Stored XSS (Requires Admin Privileges)
#
# Author : Mehmet Dursun INCE - mehmet.ince@intelrad.com
# Job : Pentest Leader at IntelRAD.
# Twitter: @mmetince
# Found : 9 Feb
# Tested on: Wordpress 3.8.1 on CentOS.
#
#####################################################################
Vulnerability Discovery:
First of all, I want to remind you that you need privileges to upload a new theme to the Wordpress server,
either via FTP/SFTP or through the Wordpress GUI.
1 - Wordpress checks themes for compatibility. If a theme is not compatible, Wordpress warns
you under the "Broken Themes" section of the theme management page.
2 - "test" is the folder name of the theme that you want to add to Wordpress. This also means
that you can inject an XSS payload via the folder name.
As you know, we can use <, >, " or other such characters in a folder name, but only on Linux.
3 - Let's create a "broken theme". That is easy, because we know that Wordpress
needs to see a stylesheet file.
4 - Let's upload that folder under /[wordpress_full_path]/wp-content/themes.
5 - I uploaded that folder via SFTP.
mince@rootlab:/tmp$ scp xss.zip root@mehmetince.net:/[wp-full-path]/wp-content/themes
xss.zip                                       100%  194     0.2KB/s   00:00
mince@rootlab:/tmp$
6 - See our malformed theme under the themes folder.
7 - Decompress it.