Wordpress 3-8-1-stored-xss

wordpress 3.8.1 stored xss.


Published in: Technology, Business
Transcript

#####################################################################
#
# Wordpress <= 3.8.1 Stored XSS (Requires Admin Privileges)
#
# Author : Mehmet Dursun INCE - mehmet.ince@intelrad.com
# Job : Pentest Leader at IntelRAD.
# Twitter: @mmetince
# Found : 9 Feb
# Tested on: Wordpress 3.8.1 on CentOS.
#
#####################################################################

Vulnerability Discovery:

First of all, I want to remind you that you need privileges to upload a new theme to the WordPress server, via ftp/sftp or the WordPress GUI.

1 - WordPress checks themes for compatibility. If a theme is not compatible, WordPress warns you in the "Broken Themes" section of the theme management page.

2 - "test" is the folder name of the theme that you want to add to WordPress. It also means that you can inject an XSS payload via the folder name. As you know, we can use <, >, " or other characters in a folder name, but only if you are using Linux.

3 - Let's create a "broken theme". That is easy because we know that WordPress needs to see a stylesheet file.

4 - Let's upload that folder under /[wordpress_full_path]/wp-content/themes.

5 - I uploaded that folder via sftp.

    mince@rootlab:/tmp$ scp xss.zip root@mehmetince.net:/[wp-full-path]/wp-content/themes
    xss.zip 100% 194 0.2KB/s 00:00
    mince@rootlab:/tmp$

6 - See our malformed theme under the themes folder.

7 - Decompress it.

8 - Let's refresh the theme page.

9 - EOF!
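A defensive audit for the condition described above, added here as an example that is not part of the original advisory or of WordPress itself: it lists theme directories that lack style.css (the broken-theme condition the advisory names) or whose names fall outside a plain slug character set, and returns the HTML-escaped form a page would need to emit for each name. The slug pattern, the function names and the sample tree are assumptions constructed for illustration.

```python
import html
import os
import re
import tempfile

# Assumption: a legitimate theme directory name is a plain slug.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def audit_themes(themes_dir):
    """Return findings for theme directories that are broken or oddly named."""
    findings = []
    with os.scandir(themes_dir) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_dir(follow_symlinks=False):
                continue
            # The advisory's "broken theme": no stylesheet file in the folder.
            broken = not os.path.isfile(os.path.join(entry.path, "style.css"))
            # Names with <, >, " and similar are legal on Linux filesystems.
            unsafe = SAFE_NAME.match(entry.name) is None
            if broken or unsafe:
                findings.append({
                    "name": entry.name,
                    "broken": broken,
                    "unsafe_name": unsafe,
                    # What an admin page must output instead of the raw name.
                    "escaped": html.escape(entry.name, quote=True),
                })
    return findings


def build_sample(root):
    """Constructed sample tree: one valid theme, two broken ones."""
    samples = (("goodtheme", True), ("test", False), ('x"><b>demo', False))
    for name, has_css in samples:
        path = os.path.join(root, name)
        os.makedirs(path)
        if has_css:
            with open(os.path.join(path, "style.css"), "w") as fh:
                fh.write("/* Theme Name: goodtheme */\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for finding in audit_themes(root):
            print(finding)
```

Point `audit_themes` at the real wp-content/themes path to review an installation; a directory flagged as both broken and unsafe_name matches the pattern in steps 2 to 8.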
