<p><strong>0day XSS Exploit for Wordpress 2.3</strong> – wp-slimstat 0.92 – [<a href="http://xssworm.com">xssworm.com</a>]</p><br>Source: <a href="http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/">
http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/</a><br>
<p>There is a serious hole in WordPress 2.3 that can be used with XSS
by a blackhat hacker to attack the WordPress administrator and steal
cookies from blogmins. This attack is known as a 0day because it has just
been reported to the public and this is the first day of the public vulnerability,
and <em>0day means 'published'</em>.</p>
<p>Proof of concept:</p>
<p><a href="http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=">http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=</a>&lt;xss shellcode&gt;</p>
<p>This attack is to be used against a WordPress web blog blogmin to steal
the blogosphere token to hack blogs. Of course we have included exploit
code for this bug below.</p>
<p>We have looked at the code of wp-slimstat but we cannot see any
problem with input validation. Maybe some of the <a href="http://xssworm.com">xssworm.com</a> readers
can show us where the problem is in the PHP code, because we cannot see any
problem here:</p>
<p>–snips:</p>
<blockquote><pre>C:\temp&gt;findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— &lt;a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'"&gt;'.__('Reset filters', 'wp-slimstat').'&lt;/a&gt;':'').'
&lt;input type="hidden" name="page" value="'.$_GET['page'].'" /&gt;
&lt;input type="hidden" name="panel" value="'.$_GET["panel"].'" /&gt;
&lt;input type="hidden" name="fd" value="'.$_GET["fd"].'" /&gt;&lt;/form&gt;';</pre></blockquote>
<p>–snips</p>
<p>With the programmer echoing $_GET variables from the user straight into the HTML
output, maybe PHP's automatic GET validation filtering is not working for
security? We are not PHP programmers so we cannot see any problems
here, as the bug is too complex to understand.</p>
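<p>The findstr output above shows the point that matters: the plugin runs intval() on ff and ft, but $_GET['page'], $_GET['panel'] and $_GET['fd'] are concatenated into an href and into hidden input values without any escaping, so a quote or angle bracket in the URL ends the attribute and the remainder is parsed as HTML by the admin's browser. The following PHP is an added example and is not wp-slimstat's own code: it renders the same fragment the unsafe way and then with each value escaped where it enters the markup. The function names, the request array and the sample value are constructed for the demonstration.</p>

```php
<?php
declare(strict_types=1);

// Added example, not wp-slimstat's code. Run with: php reflected_params.php

/** HTML-escape a value for an attribute or text node (ENT_QUOTES covers both quote kinds). */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The pattern from the findstr output: request values are concatenated into
 * the markup as-is. A quote or angle bracket in ?page= ends the attribute and
 * the rest of the value is parsed as HTML by the admin's browser.
 */
function render_filters_unsafe(array $get): string
{
    $page  = (string) ($get['page']  ?? '');
    $panel = (string) ($get['panel'] ?? '');
    $fd    = (string) ($get['fd']    ?? '');
    return '<a href="?page=' . $page . '&panel=' . $panel . '">Reset filters</a>'
         . '<form>'
         . '<input type="hidden" name="page" value="' . $page . '" />'
         . '<input type="hidden" name="panel" value="' . $panel . '" />'
         . '<input type="hidden" name="fd" value="' . $fd . '" />'
         . '</form>';
}

/**
 * Hardened rendering: panel is coerced to an integer (an assumption based on
 * the panel=1 in the proof-of-concept URL, mirroring what the plugin already
 * does for ff and ft), the page value is URL-encoded inside the href, and every
 * string value is HTML-escaped where it enters an attribute. In WordPress the
 * equivalent helpers are esc_attr() and esc_url().
 */
function render_filters_safe(array $get): string
{
    $pageRaw = (string) ($get['page'] ?? '');
    $panel   = (string) intval($get['panel'] ?? 0);
    $fd      = (string) ($get['fd'] ?? '');
    $href    = '?page=' . rawurlencode($pageRaw) . '&panel=' . $panel;
    return '<a href="' . esc($href) . '">Reset filters</a>'
         . '<form>'
         . '<input type="hidden" name="page" value="' . esc($pageRaw) . '" />'
         . '<input type="hidden" name="panel" value="' . $panel . '" />'
         . '<input type="hidden" name="fd" value="' . esc($fd) . '" />'
         . '</form>';
}

/** True when the unsafe output carries a live tag taken from the input and the safe output does not. */
function breakout_neutralised(array $get, string $marker): bool
{
    return strpos(render_filters_unsafe($get), $marker) !== false
        && strpos(render_filters_safe($get), $marker) === false;
}

// Constructed request: the page parameter closes the value attribute and injects a tag.
$request = [
    'page'  => 'wp-slimstat/wp-slimstat.php"><b>injected</b><i x="',
    'panel' => '1',
    'fd'    => '7',
];

echo "unsafe: ", render_filters_unsafe($request), "\n";
echo "safe:   ", render_filters_safe($request), "\n";
echo "breakout neutralised: ", breakout_neutralised($request, '<b>injected</b>') ? 'yes' : 'no', "\n";
```

<p>In the unsafe output the hidden input reads <code>value="wp-slimstat/wp-slimstat.php"&gt;&lt;b&gt;injected&lt;/b&gt;...</code>, a live tag; in the safe output the same bytes appear as <code>&amp;quot;&amp;gt;&amp;lt;b&amp;gt;</code> inside the attribute and as <code>%22%3E%3Cb%3E</code> inside the href, so the browser treats them as data. Escaping at the output point is the fix; there is no automatic filter on $_GET to rely on.</p>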
<p>Exploit code in Perl for whitehats is included here:</p>
<pre># Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exists in wordpress 2.3 that allows a hacker to
# steal the blog cookie from the wordpress blogmin.
#
# To exploit the scripting bug the attacker makes a link
# to the URL of slimstat with XSS shellcode and forces the
# blog admin to hit the link by embedding it into a phish
# email or making the blogmin follow interesting links.
# Also the hacker can embed it into the referer or trackback
# to inject scripting into the wordpress dashboard or
# make the blogmin visit a malicious resource when viewing
# his blog.
#
#
# Status: not patched, published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Francesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute the exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# The hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

use strict;
use warnings;
#use Net::DNS::Simple;
#use Math;
use Socket;

print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = &lt;STDIN&gt;;
chomp($target);                     # drop the newline typed at the prompt
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = &lt;STDIN&gt;;
chomp($address);
print "ok address is $address\n";   # the posted script printed $target here a second time
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n — CUT OUTPUT HERE — \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: &lt;xssworm\@hotmail.com&gt;\n";   # '@' escaped so perl does not interpolate an array; was PRINT in the posted script
print "RCPT TO: &lt;$target&gt;\n";
print "DATA\n"; print "Free x picture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n — END OF OUTPUT CUT HERE –\n";
print "";
print "Ok now you need to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1); exit(0);   # exit the script rather than a bare return at file scope
# snips
#</pre>
<p>Please note that this wp-slimstat does not contain any code
injection or MySQL injection bug vector that is open to blackhat
attack via transport of XSS.</p>
<p>Many thanks for your comments on this vulnerability in wordpress 2.4</p>
<p>Thanks vaj</p><br>-- <br>Francesco Vaj [CISSP - GIAC]<br>CSS Security Researcher<br>mailto:<a href="mailto:vaj@nospam.xssworm.com">vaj@nospam.xssworm.com</a><br>aim: XSS Cross Site <br>------<br>XSS Cross Site Scripting Attacks
<br>Web 2.0 Application Security Information Blog (tm) 2007<br><a href="http://www.XSSworm.com/">http://www.XSSworm.com/</a><br>------<br>"Vaj, bella vaj."