Wordpress pdfjs-viewer-shortcode Plugins Xss / Code Execution Vulnerability

2017.04.13
ir Ashiyane Digital Security Team (IR) ir
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:"/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/"

########################################################### # Exploit Title : Wordpress pdfjs-viewer-shortcode Plugins Xss / Code Execution Vulnerability # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage: http://byterevel.com/ # Date : 2017 12 April # Category : Web App # Version : 2.0 #Test on : HackBar + Windows + Mozila # Dork :inurl:"/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/" # Software Link : https://downloads.wordpress.org/plugin/pdfjs-viewer-shortcode.1.3.zip ########################################################### ### Target Location Vulnerability localhost:/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/viewer.php?file=[URL Vulnerability] ########################################################### ### Code Execution Vulnerability ### Vulnerability Code : viewer.php <!DOCTYPE html> <!-- Copyright 2012 Mozilla Foundation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Adobe CMap resources are covered by their own copyright but the same license: Copyright 1990-2015 Adobe Systems Incorporated. See https://github.com/adobe-type-tools/cmap-resources --> <html dir="ltr" mozdisallowselectionprint moznomarginboxes> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="google" content="notranslate"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>PDF.js viewer</title> <link rel="stylesheet" href="viewer.css"/> <script src="compatibility.js"></script> <!-- This snippet is used in production (included from viewer.html) --> <link rel="resource" type="application/l10n" href="locale/locale.properties"/> <script src="l10n.js"></script> <script src="../build/pdf.js"></script> <script src="debugger.js"></script> <script src="viewer.js"></script> </head> <body tabindex="1" class="loadingInProgress"> <div id="outerContainer"> <div id="sidebarContainer"> <div id="toolbarSidebar"> <div class="splitToolbarButton toggled"> <button id="viewThumbnail" class="toolbarButton group toggled" title="Show Thumbnails" tabindex="2" data-l10n-id="thumbs"> <span data-l10n-id="thumbs_label">Thumbnails</span> </button> <button id="viewOutline" class="toolbarButton group" title="Show Document Outline" tabindex="3" data-l10n-id="outline"> <span data-l10n-id="outline_label">Document Outline</span> </button> </div> </div> <div id="sidebarContent"> <div id="thumbnailView"> </div> <div id="outlineView" class="hidden"> </div> </div> </div> <!-- sidebarContainer --> <div id="mainContainer"> <div class="findbar hidden doorHanger hiddenSmallView" id="findbar"> <label for="findInput" class="toolbarLabel" data-l10n-id="find_label">Find:</label> <input id="findInput" class="toolbarField" tabindex="91"> <div class="splitToolbarButton"> <button class="toolbarButton findPrevious" title="" id="findPrevious" tabindex="92" data-l10n-id="find_previous"> <span data-l10n-id="find_previous_label">Previous</span> </button> <div class="splitToolbarButtonSeparator"></div> <button class="toolbarButton findNext" title="" id="findNext" tabindex="93" data-l10n-id="find_next"> <span data-l10n-id="find_next_label">Next</span> </button> </div> <input type="checkbox" id="findHighlightAll" class="toolbarField" tabindex="94"> <label for="findHighlightAll" class="toolbarLabel" data-l10n-id="find_highlight">Highlight all</label> <input type="checkbox" id="findMatchCase" class="toolbarField" tabindex="95"> <label for="findMatchCase" class="toolbarLabel" data-l10n-id="find_match_case_label">Match case</label> <span id="findResultsCount" class="toolbarLabel hidden"></span> <span id="findMsg" class="toolbarLabel"></span> </div> <!-- findbar --> <div id="secondaryToolbar" class="secondaryToolbar hidden doorHangerRight"> <div id="secondaryToolbarButtonContainer"> <button id="secondaryPresentationMode" class="secondaryToolbarButton presentationMode visibleLargeView" title="Switch to Presentation Mode" tabindex="51" data-l10n-id="presentation_mode"> <span data-l10n-id="presentation_mode_label">Presentation Mode</span> </button> <button id="secondaryPrint" class="secondaryToolbarButton print visibleMediumView" <?php if ($_GET["print"] != "true") { echo 'style="display:none;"'; }?> title="Print" tabindex="53" data-l10n-id="print"> <span data-l10n-id="print_label">Print</span> </button> <button id="secondaryDownload" class="secondaryToolbarButton download visibleMediumView" <?php if ($_GET["download"] != "true") { echo 'style="display:none;"'; }?>title="Download" tabindex="54" data-l10n-id="download"> <span data-l10n-id="download_label">Download</span> </button> <div class="horizontalToolbarSeparator visibleLargeView" <?php if ($_GET["print"] != "true" && $_GET["download"] != "true") { echo 'style="display:none;"'; }?>></div> <button id="firstPage" class="secondaryToolbarButton firstPage" title="Go to First Page" tabindex="56" data-l10n-id="first_page"> <span data-l10n-id="first_page_label">Go to First Page</span> </button> <button id="lastPage" class="secondaryToolbarButton lastPage" title="Go to Last Page" tabindex="57" data-l10n-id="last_page"> <span data-l10n-id="last_page_label">Go to Last Page</span> </button> <div class="horizontalToolbarSeparator"></div> <button id="pageRotateCw" class="secondaryToolbarButton rotateCw" title="Rotate Clockwise" tabindex="58" data-l10n-id="page_rotate_cw"> <span data-l10n-id="page_rotate_cw_label">Rotate Clockwise</span> </button> <button id="pageRotateCcw" class="secondaryToolbarButton rotateCcw" title="Rotate Counterclockwise" tabindex="59" data-l10n-id="page_rotate_ccw"> <span data-l10n-id="page_rotate_ccw_label">Rotate Counterclockwise</span> </button> <div class="horizontalToolbarSeparator"></div> <button id="toggleHandTool" class="secondaryToolbarButton handTool" title="Enable hand tool" tabindex="60" data-l10n-id="hand_tool_enable"> <span data-l10n-id="hand_tool_enable_label">Enable hand tool</span> </button> </div> </div> <!-- secondaryToolbar --> <div class="toolbar"> <div id="toolbarContainer"> <div id="toolbarViewer"> <div id="toolbarViewerLeft"> <button id="sidebarToggle" class="toolbarButton" title="Toggle Sidebar" tabindex="11" data-l10n-id="toggle_sidebar"> <span data-l10n-id="toggle_sidebar_label">Toggle Sidebar</span> </button> <div class="toolbarButtonSpacer"></div> <button id="viewFind" class="toolbarButton group hiddenSmallView" title="Find in Document" tabindex="12" data-l10n-id="findbar"> <span data-l10n-id="findbar_label">Find</span> </button> <div class="splitToolbarButton"> <button class="toolbarButton pageUp" title="Previous Page" id="previous" tabindex="13" data-l10n-id="previous"> <span data-l10n-id="previous_label">Previous</span> </button> <div class="splitToolbarButtonSeparator"></div> <button class="toolbarButton pageDown" title="Next Page" id="next" tabindex="14" data-l10n-id="next"> <span data-l10n-id="next_label">Next</span> </button> </div> <label id="pageNumberLabel" class="toolbarLabel" for="pageNumber" data-l10n-id="page_label">Page: </label> <input type="number" id="pageNumber" class="toolbarField pageNumber" value="1" size="4" min="1" tabindex="15"> <span id="numPages" class="toolbarLabel"></span> </div> <div id="toolbarViewerRight"> <button id="presentationMode" class="toolbarButton presentationMode hiddenLargeView" title="Switch to Presentation Mode" tabindex="31" data-l10n-id="presentation_mode"> <span data-l10n-id="presentation_mode_label">Presentation Mode</span> </button> <button id="print" class="toolbarButton print hiddenMediumView" <?php if ($_GET["print"] != "true") { echo 'style="display:none;"'; }?> title="Print" tabindex="33" data-l10n-id="print"> <span data-l10n-id="print_label">Print</span> </button> <button id="download" class="toolbarButton download hiddenMediumView" <?php if ($_GET["download"] != "true") { echo 'style="display:none;"'; } ?> title="Download" tabindex="34" data-l10n-id="download"> <span data-l10n-id="download_label">Download</span> </button> <div class="verticalToolbarSeparator hiddenSmallView"></div> <button id="secondaryToolbarToggle" class="toolbarButton" title="Tools" tabindex="36" data-l10n-id="tools"> <span data-l10n-id="tools_label">Tools</span> </button> </div> <div class="outerCenter"> <div class="innerCenter" id="toolbarViewerMiddle"> <div class="splitToolbarButton"> <button id="zoomOut" class="toolbarButton zoomOut" title="Zoom Out" tabindex="21" data-l10n-id="zoom_out"> <span data-l10n-id="zoom_out_label">Zoom Out</span> </button> <div class="splitToolbarButtonSeparator"></div> <button id="zoomIn" class="toolbarButton zoomIn" title="Zoom In" tabindex="22" data-l10n-id="zoom_in"> <span data-l10n-id="zoom_in_label">Zoom In</span> </button> </div> <span id="scaleSelectContainer" class="dropdownToolbarButton"> <select id="scaleSelect" title="Zoom" tabindex="23" data-l10n-id="zoom"> <option id="pageAutoOption" title="" value="auto" selected="selected" data-l10n-id="page_scale_auto">Automatic Zoom</option> <option id="pageActualOption" title="" value="page-actual" data-l10n-id="page_scale_actual">Actual Size</option> <option id="pageFitOption" title="" value="page-fit" data-l10n-id="page_scale_fit">Fit Page</option> <option id="pageWidthOption" title="" value="page-width" data-l10n-id="page_scale_width">Full Width</option> <option id="customScaleOption" title="" value="custom"></option> <option title="" value="0.5" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 50 }'>50%</option> <option title="" value="0.75" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 75 }'>75%</option> <option title="" value="1" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 100 }'>100%</option> <option title="" value="1.25" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 125 }'>125%</option> <option title="" value="1.5" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 150 }'>150%</option> <option title="" value="2" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 200 }'>200%</option> <option title="" value="3" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 300 }'>300%</option> <option title="" value="4" data-l10n-id="page_scale_percent" data-l10n-args='{ "scale": 400 }'>400%</option> </select> </span> </div> </div> </div> <div id="loadingBar"> <div class="progress"> <div class="glimmer"> </div> </div> </div> </div> </div> <menu type="context" id="viewerContextMenu"> <menuitem id="contextFirstPage" label="First Page" data-l10n-id="first_page"></menuitem> <menuitem id="contextLastPage" label="Last Page" data-l10n-id="last_page"></menuitem> <menuitem id="contextPageRotateCw" label="Rotate Clockwise" data-l10n-id="page_rotate_cw"></menuitem> <menuitem id="contextPageRotateCcw" label="Rotate Counter-Clockwise" data-l10n-id="page_rotate_ccw"></menuitem> </menu> <div id="viewerContainer" tabindex="0"> <div id="viewer" class="pdfViewer"></div> </div> <div id="errorWrapper" hidden='true'> <div id="errorMessageLeft"> <span id="errorMessage"></span> <button id="errorShowMore" data-l10n-id="error_more_info"> More Information </button> <button id="errorShowLess" data-l10n-id="error_less_info" hidden='true'> Less Information </button> </div> <div id="errorMessageRight"> <button id="errorClose" data-l10n-id="error_close"> Close </button> </div> <div class="clearBoth"></div> <textarea id="errorMoreInfo" hidden='true' readonly="readonly"></textarea> </div> </div> <!-- mainContainer --> <div id="overlayContainer" class="hidden"> <div id="passwordOverlay" class="container hidden"> <div class="dialog"> <div class="row"> <p id="passwordText" data-l10n-id="password_label">Enter the password to open this PDF file:</p> </div> <div class="row"> <!-- The type="password" attribute is set via script, to prevent warnings in Firefox for all http:// documents. --> <input id="password" class="toolbarField" /> </div> <div class="buttonRow"> <button id="passwordCancel" class="overlayButton"><span data-l10n-id="password_cancel">Cancel</span></button> <button id="passwordSubmit" class="overlayButton"><span data-l10n-id="password_ok">OK</span></button> </div> </div> </div> </div> <!-- overlayContainer --> </div> <!-- outerContainer --> <div id="printContainer"></div> <div id="mozPrintCallback-shim" hidden> <style> @media print { #printContainer div { page-break-after: always; page-break-inside: avoid; } } </style> <style scoped> #mozPrintCallback-shim { position: fixed; top: 0; left: 0; height: 100%; width: 100%; z-index: 9999999; display: block; text-align: center; background-color: rgba(0, 0, 0, 0.5); } #mozPrintCallback-shim[hidden] { display: none; } @media print { #mozPrintCallback-shim { display: none; } } #mozPrintCallback-shim .mozPrintCallback-dialog-box { display: inline-block; margin: -50px auto 0; position: relative; top: 45%; left: 0; min-width: 220px; max-width: 400px; padding: 9px; border: 1px solid hsla(0, 0%, 0%, .5); border-radius: 2px; box-shadow: 0 1px 4px rgba(0, 0, 0, 0.3); background-color: #474747; color: hsl(0, 0%, 85%); font-size: 16px; line-height: 20px; } #mozPrintCallback-shim .progress-row { clear: both; padding: 1em 0; } #mozPrintCallback-shim progress { width: 100%; } #mozPrintCallback-shim .relative-progress { clear: both; float: right; } #mozPrintCallback-shim .progress-actions { clear: both; } </style> <div class="mozPrintCallback-dialog-box"> <!-- TODO: Localise the following strings --> Preparing document for printing... <div class="progress-row"> <progress value="0" max="100"></progress> <span class="relative-progress">0%</span> </div> <div class="progress-actions"> <input type="button" value="Cancel" class="mozPrintCallback-cancel"> </div> </div> </div> </body> </html> ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir ###########################################################


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top