Vulnerability analysis
WordPress has released its latest patch, bumping the version to 4.4.1, which fixes an XSS vulnerability:
"WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L."
By diffing the patch we located the vulnerable code:
wp-includes/class-wp-theme.php, line 240


In the new version, filtering through esc_html was added for variables such as $this->stylesheet and $this->template. The pre-patch line read:


$this->errors = new WP_Error( 'theme_not_found', sprintf( __( 'The theme directory "%s" does not exist.' ), $this->stylesheet ) );

From this line it is obvious that no filtering is applied: the theme name is interpolated straight into the message, which is then output through WP_Error, producing the XSS.

Following the variable name $this->stylesheet, we located the theme-related functions in the admin backend; supplying a theme name that does not exist triggers the theme_not_found error.
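To make the fix concrete, the following added example (not WordPress code and not from the original post) places the pre-4.4.1 pattern beside the escaped form. It assumes htmlspecialchars() as a stand-in for WordPress's esc_html(), and the function names are invented for the illustration.

```php
<?php
// Added example: minimal stand-in for the theme_not_found message built in
// wp-includes/class-wp-theme.php. Not the WordPress implementation.

// Assumption: htmlspecialchars() stands in for WordPress's esc_html().
function esc_html_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-4.4.1 pattern: the theme name reaches the error message unescaped.
function theme_not_found_vulnerable(string $stylesheet): string
{
    return sprintf('The theme directory "%s" does not exist.', $stylesheet);
}

// 4.4.1 pattern: the theme name is escaped before it is interpolated,
// so any markup in it is rendered as text instead of being parsed as HTML.
function theme_not_found_fixed(string $stylesheet): string
{
    return sprintf('The theme directory "%s" does not exist.', esc_html_standin($stylesheet));
}

// Constructed input: a theme name that carries markup, as the theme
// parameter does in the PoC above.
$theme = '"><b>injected</b>';

echo theme_not_found_vulnerable($theme), PHP_EOL;
echo theme_not_found_fixed($theme), PHP_EOL;

// Check a reviewer can apply to the patched code path: the rendered
// message must contain no raw quote or angle-bracket characters.
$fixed = theme_not_found_fixed($theme);
if (strpbrk($fixed, '<>"') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

Running the script prints the two messages; only the first still contains the literal tag, which is exactly what the esc_html() wrapper in the patch prevents.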

Constructing the PoC


http://192.168.152.130/wp44/wp-admin/customize.php?theme="><script>alert(/[X-team]Stefanie/)</script>&return=/wp44/wp-admin/themes.php


Related links
[1]https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87

WordPress < 4.4.1 XSS