3

INTRO

I was reading a report on hackerone.com where someone submitted an XSS bug to Uber which uses the Wordpress stream function. First he displayed a simple alert box, but later he showed that custom PHP code, phpinfo();, gets executed.

Question

I cannot comprehend how someone could use XSS to execute PHP; I thought that was impossible. Or is it just a special case because the stream function is able to overwrite some PHP scripts? If so, is the BeEF framework / XSS-Shell one of the most powerful things one can do with XSS, or could one accomplish more in normal cases (like XSS on a forum or something)?

THE POC

See this hackerone report.

OUTRO

Could someone please explain this to me? Thanks!

mroWsymaS
  • 196
  • 12
  • 2
    In the Wordpress admin you can modify PHP files as an admin. So the JS code gets executed as admin, so it is possible to just call some JS APIs that modify the files (as the admin itself could do). Basically the XSS can do everything an admin can do, so if Wordpress offers a way in the interface for the admin to modify files, the XSS attacker can do so as well. – Brain Foo Long Jul 07 '17 at 13:44

1 Answer

2

The attack stores javascript as an unauthenticated user. Later, this javascript is loaded when an administrator clicks a certain tab of the stream plugin; thus the injected code gets executed with administrator rights. Wordpress has some code editing functions (e.g. the theme and plugin editor) which allow editing of PHP files on the server. This can be done by the injected javascript, leaving you with a compromised server and injected PHP code.

Jojo
  • 2,720
  • 1
  • 17
  • 24
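The chain in the answer has two halves a defender can break independently: the stored XSS itself (unauthenticated input echoed unescaped into an admin page) and the pivot from admin-context JavaScript to PHP on disk (the built-in file editors). The following is an added example written for this page, not code from the Stream plugin or from the HackerOne report: a hypothetical plugin that records anonymous visitors' User-Agent strings and later lists them to administrators. The function names prefixed `my_log_`, the option key `my_log_visits` and the menu slug are assumptions for illustration; `esc_html()`, `wp_unslash()`, `get_option()`, `update_option()`, `add_management_page()` and the hooks are real WordPress APIs.

```php
<?php
// Added example, not from the Stream plugin or the HackerOne report.
// Hypothetical plugin: anonymous visitors write to a log, administrators read it.
// Names prefixed my_log_ and the option key are assumptions for illustration.

// --- Recording side: any unauthenticated request can write to this log ---------
function my_log_record_visit() {
    $ua  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $log = get_option( 'my_log_visits', array() );
    // Storing the raw string is acceptable; the defect is trusting it at output time.
    $log[] = array( 'ua' => $ua, 'time' => time() );
    update_option( 'my_log_visits', array_slice( $log, -100 ) );
}
add_action( 'init', 'my_log_record_visit' );

// --- Vulnerable admin page: stored value is echoed unescaped into admin HTML ----
function my_log_render_vulnerable() {
    echo '<table class="widefat">';
    foreach ( get_option( 'my_log_visits', array() ) as $row ) {
        // If a visitor's User-Agent contained markup with a script element, it is
        // now parsed and run in the administrator's browser, with the admin's
        // session cookies and nonces. That is exactly the situation the answer
        // describes: unauthenticated input executed with administrator rights.
        echo '<tr><td>' . $row['ua'] . '</td><td>' . date( 'c', $row['time'] ) . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened admin page: escape at output, never trust stored data ------------
function my_log_render_hardened() {
    echo '<table class="widefat">';
    foreach ( get_option( 'my_log_visits', array() ) as $row ) {
        // esc_html() converts <, >, &, " and ' to entities, so the string is
        // displayed as text rather than interpreted as HTML.
        echo '<tr><td>' . esc_html( $row['ua'] ) . '</td><td>'
           . esc_html( date( 'c', (int) $row['time'] ) ) . '</td></tr>';
    }
    echo '</table>';
}

// Register the hardened renderer under Tools; capability check is done by core.
function my_log_register_page() {
    add_management_page(
        'Visit log',            // page title
        'Visit log',            // menu title
        'manage_options',       // only administrators see the page
        'my-visit-log',         // menu slug (assumed)
        'my_log_render_hardened'
    );
}
add_action( 'admin_menu', 'my_log_register_page' );
```

The second half of the chain is addressed in wp-config.php rather than in plugin code: `define( 'DISALLOW_FILE_EDIT', true );` removes the theme and plugin editors from the admin interface, and the stricter `define( 'DISALLOW_FILE_MODS', true );` also blocks plugin and theme installation and updates through the dashboard. With either constant set, JavaScript running in an administrator's session can no longer write PHP to disk through those editors, so an admin-context XSS stays an XSS instead of becoming server code execution; it does not, however, remove whatever else the admin account can do, which is why output escaping remains the primary fix.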