0day inject Exploit for Wordpress 2.3 - xssworm.com - all version vulnerable with no patch
Posted by xssworm on November 13th, 2007
0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]
There is a serious hole in WordPress 2.3 that can be used with XSS by a blackhat hacker to attack the WordPress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to the public and this is the first day of the public vulnerability, and 0day means 'published.'
Below is a demonstration attack against the WordPress install at http://xssworm.blogvis.com. Please do not use it for your attack, as we do not have a patch for this 0day exploit. The XSSWorm admin has been alerted and is looking for suspicious clicks (-;
Proof of concept:
http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>
This attack is to be used against a WordPress web blog blogmin to steal the blogosphere token and hack blogs. Of course we have included exploit code for this bug below.
We have looked at the code of wp-slimstat but we cannot see any problem with input validation. Maybe some of the xssworm.com readers can show us where the problem is in the PHP code, because we cannot see any problem here:
--snips:
C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';
--snips
With the programmer taking the $_GET variable from the user and echoing it into the HTML output, maybe PHP's automatic GET validation filtering is not working for security? We are not PHP programmers, so we cannot see any problems here, as the bug is too complex to understand.
Exploit code in Perl for whitehats is included here:
# Wordpress 2.3 0day exploit - http://xssworm.com
#
# A bug exists in wordpress 2.3 that allows a hacker to
# steal the blog cookie from the wordpress blogmin.
#
# To exploit the scripting bug the attacker makes a link
# to the URL of slimstat with XSS shellcode and forces the
# blog admin to hit the link by embedding it into a phishing
# email or making the blogmin follow interesting links.
# The hacker can also embed it into a referer or trackback
# to inject scripting into the wordpress dashboard or
# make the blogmin visit a malicious resource when viewing
# his blog.
#
#
# Status: not patched, published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute the exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# The hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#
use strict;
use warnings;
#use Net::DNS::Simple;
#use Math;
use Socket;

# Prompt for the blogmin's email address and the blog address;
# chomp strips the trailing newline so the values interpolate cleanly.
print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;
chomp($target);
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = <STDIN>;
chomp($address);
print "ok address is $address\n";
sleep(6);
# print "testing";
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
# The "exploit" is an SMTP session transcript that is pasted into port 25 by hand.
# Literal @ signs are escaped so perl does not try to interpolate them as arrays.
print "\n\n -- CUT OUTPUT HERE -- \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x pciture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n -- END OF OUTPUT CUT HERE --\n";
print "";
print "Ok now you need to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on";
#print "XSS initialized";
#payload
sleep(1); exit(0);
# snips
#
Please note that wp-slimstat does not contain any code injection or MySQL injection bug vector that is open to blackhat attack via transport of XSS.
Many thanks for your comments on this vulnerability in WordPress 2.4
Thanks vaj
November 14th, 2007 at 5:01 am
Andrew submits some comments! We have a reply below:
-- Andrew's message --
On 13 Nov 07, at 18:08, XSS Worm XSS Security Information Portal wrote:
> We have looked at coding for wp-slimstat but we cannot see any problem with input validating. Maybe some of the xssworm.com readers can show us where problem is in the php code because we cannot see any problem here:
OK, I’ll bite…
> href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'':'').'
>
>
> ';
Those all look like you could escape from the tag attribute with a well-placed double quote, assuming that there's no preprocessing on $_GET.
-- snip --
Yes, that is the perfect answer, thank you.
We cannot tell for certain, but there is no preprocessing on the $_GET variable in this PHP instance.
November 14th, 2007 at 5:05 am
Reply to Dave's post above is below.
Thank you for the reply Dave, it is appreciated, and please subscribe! We need more of this insight here at xssworm.
On Nov 14, 2007 10:51 AM, dave-san wrote:
Comments inline..
XSS Worm XSS Security Information Portal wrote:
> *0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]
>
> Source:
> http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/
>
> There is a serious hole in wordpress 2.3 that can be used with XSS by a blackhat hacker to attack the wordpress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to public and this is first day of public vulnerability, and *0day means 'published.*'
> Proof of concept:
>
> http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft= shellcode>
>
Hmm.. XSS shellcode? That's a new one for me. I'll take this to mean the injected script. From your post, I don't think you mean "shellcode" in the traditional sense.
> This attack to be used against wordpress web blog blogmin to steal blogosphere token to hack blogs. Of course we have included exploit code for this bug at the below.
>
> We have looked at coding for wp-slimstat but we cannot see any problem with input validating. Maybe some of the xssworm.com readers can show us where problem is in the php code because we cannot see any problem here:
>
> --snips:
>
> C:\temp>findstr GET wp-slimstat.php
> $myFilterField = intval( $_GET['ff'] );
> $myFilterType = intval( $_GET['ft'] );
> $myFilterString = $_GET['fi'];
> $myFilterInterval = $_GET['fd'];
> $myFilterField = intval( $_GET['ff'] );
> $myFilterType = intval( $_GET['ft'] );
> $myFilterString = $_GET['fi'];
> $myFilterInterval = $_GET['fd'];
> '.(!empty($myFilterString)?'— ..a> href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'':'').'
>
>
> ';
>
It's late, and I might have missed something, but from the above, I don't see where the vulnerable parameter is being written back to the HTML response. Therefore, I don't think there is enough code in the lines above to locate the entire issue (though it looks like other parameters are vulnerable too). You mentioned:
ft=
So, in this example, "ft" is the vulnerable parameter. Trace what happens in code with that parameter after it receives input. I'd guess that there is something like..
echo ''. $myFilterType .' more...
or
echo ''.$_GET["ft"].'..
Perhaps take a look at where they missed the output formatting/encoding for HTML. I may be so bold as to suggest that the lack of output encoding is the major reason that XSS exists.
> --snips
>
> With programmer using $_GET variable from user into echo into html output maybe php automatic GET validation filtering is not working for security? We are not programmers of php so we cannot see any problems here as bug are too complex to understand.
> Many thanks for your comments on this vulnerability in wordpress 2.4
..edit
-- snip --
Thank you for these points Dave, I am replying:
With the XSS we can say it is shellcode because shellcode is the code injected into a process or programme that contains bad validation of input. We say shellcode because it contains a system call to execute shell commands, I think so?
An XSS vulnerability is bad validation of input also (and of output, as you said in bold),
and with injected code and web 2.0 and fat rich clients (like in the USA) we can make JavaScript with a reverse shell to the desktop with XSS
and get interactive control over fat clients and make them do things, and we can write an interpreter and make it a 'shell' if you want it easy (-;
So XSS is an input validation bug just like a buffer overflow, and we inject code that will be an interactive 'shell' and execute an action or command on behalf of the user, so XSS injection code = shellcode. The only differences are in what you consider 'shell', 'command', 'action', 'user', no?
With the code that is posted we cannot see any bugs either, but as you say maybe the fundamentals:
output $_GET['variable']
Is this a vulnerability? I am not a programmer but I have heard it said that input validation is sometimes maybe the cause of vulnerabilities.
Thanks vaj.
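The post's question about whether PHP filters $_GET and Dave's point about missing output encoding come down to the same lines of code. As an added example (not wp-slimstat's or WordPress's own code), here is the hidden-input markup from the findstr excerpt built the unsafe way and the encoded way, run against a constructed request; the function names are my own.

```php
<?php
// Added example, not wp-slimstat's or WordPress's own code. It builds the
// hidden-input markup from the post's findstr excerpt two ways: the unsafe
// way (raw $_GET concatenated into an attribute) and the encoded way.
// Parameter names page, panel, fd, ft come from the post; the request
// below is constructed, and the function names are my own.

// Unsafe: PHP performs no filtering of $_GET, so whatever arrives in the
// query string is written into the attribute verbatim.
function hidden_input_unsafe(array $get, string $name): string {
    $value = $get[$name] ?? '';
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: encode for the HTML-attribute context before concatenating.
// ENT_QUOTES turns both " and ' into entities, so no value can close the
// attribute early. Inside WordPress, esc_attr() serves the same purpose.
function hidden_input_safe(array $get, string $name): string {
    $value = $get[$name] ?? '';
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . $name . '" value="' . $encoded . '" />';
}

// Integer parameters (ff and ft in the excerpt) are already covered by
// intval(): an integer cannot carry a quote or an angle bracket.
function filter_type(array $get): int {
    return intval($get['ft'] ?? 0);
}

// Constructed request: fd carries the "well-placed double quote" from
// Andrew's comment plus a harmless extra attribute; ft carries junk text.
$request = [
    'page'  => 'wp-slimstat/wp-slimstat.php',
    'panel' => '1',
    'fd'    => '1" class="injected',
    'ft'    => '7abc',
];

// The unsafe line ends up with a second attribute the author never wrote;
// the safe line keeps the whole value inside the quoted attribute as text,
// and intval() reduces the ft value to its leading integer.
echo hidden_input_unsafe($request, 'fd'), "\n";
echo hidden_input_safe($request, 'fd'), "\n";
echo filter_type($request), "\n";
```

Run it with `php example.php` and compare the two input lines: the difference between them is exactly the missing output encoding Dave describes.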